[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Better approach for path-based authorization

From: Alfredo Anderson <alfredo_e_anderson_at_hotmail.com>
Date: 2006-07-27 22:11:50 CEST

I hope that now the message gets displayed properly ...
Regards

From: "Alfredo Anderson" <alfredo_e_anderson@hotmail.com>
To: users@subversion.tigris.org
Subject: Better approach for path-based authorization
Date: Tue, 25 Jul 2006 19:44:37 +0000

Hi, we are faced with the following problem:

We have one repository with multiple projects.
We have two development teams and a QA Team.
The development team A has read/write access to all the repository.
The development team B has read/write access to only one project (and
doesn't have access to anything else).
The QA team has read/write access to the directory trunk/doc of every
project (and doesn't have access to anything else).

Currently our AuthzSVNAccessFile look like this

[/]
@A = rw
@B = r # So they can see the list of projects in the repo
@QA = r # So they can see the list of projects in the repo

# For every project ProjectX there's an entry like the following
[/ProjectX]
@B =
[/ProjectX/branches]
@QA =
[/ProjectX/tags]
@QA =
[/ProjectX/trunk/design]
@QA =
[/ProjectX/trunk/doc]
@QA = rw
[/ProjectX/trunk/src]
@QA =

This solution, cover our needs but

* Implies considerable administrative work (modifying the AuthzSVNAccessFile
)
* Our security requirements can be broken (if someone creates a project but
doesn’t modify the AuthzSVNAccessFile the project is accessible by QA and B)
* With so much typing and the growing size of the AuthzSVNAccessFile is easy
to mistype something ... giving access to unauthorized places.

Does anyone know a better aproach ?

For example Wildcards to do something like this

[/*]
@ATG =
[/*/branches]
@QA =
[/*/tags]
@QA =
[/*/trunk/design]
@QA =
[/*/trunk/doc]
@QA = rw
[/*/trunk/src]
@QA =

Regards

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Jul 27 22:13:17 2006

This is an archived mail posted to the Subversion Users mailing list.