
Re: svn:author with single kerberos account

From: Dennis Shpakov <dshpakov_at_fnal.gov>
Date: 2006-07-21 18:09:46 CEST

I finally figured it out: passing "--tunnel-user <kerberos_principal>"
to svnserve solved the problem.

Thanks,

       Dennis

Dennis Shpakov wrote:
> Ryan Schmidt wrote:
>>
>> On Jul 20, 2006, at 00:43, Dennis Shpakov wrote:
>>
>>> I am setting up a subversion repository on a server that only allows
>>> kerberized ssh access. In general, developers are not allowed to
>>> have real accounts on the server but are supposed to come in as a
>>> generic user called svnuser via the .k5login file mechanism.
>>>
>>> I replaced the login shell of the svnuser account by a script that
>>> eventually hands execution over to svnserve -t. To implement
>>> per-project access control under the condition that the hook scripts
>>> run in the sterile environment, I made the login shell script
>>> extract the kerberos principal name from the credentials cache file
>>> (a user without a forwardable ticket is therefore denied access) and
>>> store it in a file with a name based on a process id. The
>>> start-commit hook then checks for the parent process id, reads the
>>> principal name from the corresponding file, and checks it against an
>>> access control list.
>>>
>>> Everything looks fine except that the svn:author property is always
>>> set to svnuser (which is expected, of course), while one would
>>> naturally want to have it set to the kerberos principal name of the
>>> author committing the change. Is there a simple way to do it in one
>>> of the hook scripts using the same identification scheme as in
>>> start-commit?
>>
>> I don't know if the situation you're experiencing is the expected
>> one, because I've never tried to set Subversion up like that.
> It is expected because the unix user that owns the svnserve process is
> always svnuser.
>
>> But yes, you can modify revision properties in, for example, the
>> pre-commit or post-commit hook.
> How should I do that? If I run something like
>
> /usr/bin/svn propset svn:author dshpakov -r12 --revprop
>
> in post-commit, I get the error message saying "svn: '.' is not a
> working copy".
>
> Thanks again,
>
> Dennis
>

Received on Fri Jul 21 18:15:58 2006

This is an archived mail posted to the Subversion Users mailing list.
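
The setup described in the thread, sketched as an added example (not the poster's script): a login-shell wrapper for the shared svnuser account that hands the caller's Kerberos principal to `svnserve -t --tunnel-user`, so svn:author carries the principal instead of svnuser. It assumes the principal is read from MIT-style `klist` output rather than from the credentials cache file directly; the function names and the sample principal are hypothetical.

```shell
#!/bin/sh
# Added example: login-shell wrapper for the shared svnuser account.
LC_ALL=C; export LC_ALL

# Read klist output on stdin and print the default principal.
# Assumes the MIT "Default principal: name@REALM" line.
principal_from_klist() {
    sed -n 's/^Default principal: *//p' | head -n 1
}

# Accept only plain name@REALM values: the string ends up in svn:author
# and on the svnserve command line.
valid_principal() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._@-]*) return 1 ;;  # empty, option-like, odd chars
        *@*@*) return 1 ;;                      # more than one '@'
        ?*@?*) return 0 ;;                      # name@REALM
        *) return 1 ;;
    esac
}

serve() {
    principal=$(klist 2>/dev/null | principal_from_klist)
    if ! valid_principal "$principal"; then
        echo "access denied: no usable Kerberos ticket" >&2
        exit 1
    fi
    # The command requested by the client is ignored on purpose:
    # this account can only ever run svnserve in tunnel mode.
    exec svnserve -t --tunnel-user "$principal"
}

# Constructed sample of klist output, used only by the dry run below.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_constructed
Default principal: alice@EXAMPLE.ORG'

# For a remote command (as svn+ssh sends), sshd invokes the account's
# shell as "<shell> -c <command>"; any other invocation is a dry run.
if [ "${1:-}" = "-c" ]; then
    serve
else
    p=$(printf '%s\n' "$SAMPLE_KLIST" | principal_from_klist)
    valid_principal "$p" && echo "would run: svnserve -t --tunnel-user $p"
fi
```

Because the wrapper never evaluates the client-supplied command and rejects principals outside a narrow character set, the value recorded as svn:author is limited to what the ticket cache reports.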