Better approach for path-based authorization
From: Alfredo Anderson <alfredo_e_anderson_at_hotmail.com>
Date: 2006-07-25 21:44:37 CEST
Hi, we are faced with the following problem:

We have one repository with multiple projects.
We have two development teams and a QA team.
The development team A has read/write access to all the repository.
The development team B has read/write access to only one project (and doesn't have access to anything else).
The QA team has read/write access to the directory trunk/doc of every project (and doesn't have access to anything else).

Currently our AuthzSVNAccessFile looks like this:

[/]
@A = rw
# So they can see the list of projects in the repo
@B = r
# So they can see the list of projects in the repo
@QA = r

# For every project ProjectX there's an entry like the following
[/ProjectX]
@B =
[/ProjectX/branches]
@QA =
[/ProjectX/tags]
@QA =
[/ProjectX/trunk/design]
@QA =
[/ProjectX/trunk/doc]
@QA = rw
[/ProjectX/trunk/src]
@QA =

This solution covers our needs, but:

* It implies considerable administrative work (modifying the AuthzSVNAccessFile).
* Our security requirements can be broken (if someone creates a project but doesn’t modify the AuthzSVNAccessFile, the project is accessible by QA and B).
* With so much typing and the growing size of the AuthzSVNAccessFile, it is easy to mistype something ... giving access to unauthorized places.

Does anyone know a better approach?

For example, wildcards to do something like this:

[/*]
@ATG =
[/*/branches]
@QA =
[/*/tags]
@QA =
[/*/trunk/design]
@QA =
[/*/trunk/doc]
@QA = rw
[/*/trunk/src]
@QA =

Regards
This is an archived mail posted to the Subversion Users mailing list.
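
As an added example (not part of the original mail and not Subversion code): a Python script that renders the per-project stanza described in the mail and audits an authz file for projects whose rules are missing or mistyped, the two failure modes the poster names. The function names, the `b_projects` parameter (the project team B may write to) and the project list are assumptions; in practice the list would come from listing the repository root.

```python
import configparser

# Per-project policy from the mail: path suffix -> {group: access}.
TEMPLATE = {
    "": {"@B": ""},
    "/branches": {"@QA": ""},
    "/tags": {"@QA": ""},
    "/trunk/design": {"@QA": ""},
    "/trunk/doc": {"@QA": "rw"},
    "/trunk/src": {"@QA": ""},
}

def expected_rules(project, b_projects=()):
    """Sections a project must have; team B gets rw only where listed."""
    rules = {}
    for suffix, grants in TEMPLATE.items():
        grants = dict(grants)
        if suffix == "" and project in b_projects:
            grants["@B"] = "rw"
        rules[f"/{project}{suffix}"] = grants
    return rules

def render(project, b_projects=()):
    """Emit the authz stanza for one project."""
    lines = []
    for section, grants in expected_rules(project, b_projects).items():
        lines.append(f"[{section}]")
        lines += [f"{g} = {a}".rstrip() for g, a in grants.items()]
    return "\n".join(lines) + "\n"

def audit(authz_text, projects, b_projects=()):
    """Return (section, group, expected, found); found is None if absent."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep group names case-sensitive
    cp.read_string(authz_text)
    findings = []
    for project in projects:
        for section, grants in expected_rules(project, b_projects).items():
            for group, want in grants.items():
                have = cp.get(section, group, fallback=None)
                if have != want:
                    findings.append((section, group, want, have))
    return findings

# Constructed sample: ProjectX has its stanza, ProjectY was created without one.
SAMPLE = "[/]\n@A = rw\n@B = r\n@QA = r\n" + render("ProjectX")

if __name__ == "__main__":
    print(*audit(SAMPLE, ["ProjectX", "ProjectY"]), sep="\n")
```

Run as a scheduled job or from a hook after new top-level directories are added, any finding marks a path where QA or team B still inherits the read access granted at `[/]`.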