[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: RE: Better approach for path-based authorization

From: Joshua Hastings <jhastings_at_ruralins.com>
Date: 2006-07-27 22:54:14 CEST

Not knowing how you are set up, have you thought about using Active
Directory user groups for authentication?

Josh

-----Original Message-----
From: Alfredo Anderson [mailto:alfredo_e_anderson@hotmail.com]
Sent: Thursday, July 27, 2006 3:12 PM
To: users@subversion.tigris.org
Subject: RE: Better approach for path-based authorization

I hope that now the message gets displayed properly ...
Regards

From: "Alfredo Anderson" <alfredo_e_anderson@hotmail.com>
To: users@subversion.tigris.org
Subject: Better approach for path-based authorization
Date: Tue, 25 Jul 2006 19:44:37 +0000

Hi, we are faced with the following problem:

We have one repository with multiple projects.
We have two development teams and a QA Team.
The development team A has read/write access to all the repository. The
development team B has read/write access to only one project (and
doesn't have access to anything else).
The QA team has read/write access to the directory trunk/doc of every
project (and doesn't have access to anything else).

Currently our AuthzSVNAccessFile look like this

[/]
@A = rw
@B = r # So they can see the list of projects in the repo
@QA = r # So they can see the list of projects in the repo

# For every project ProjectX there's an entry like the following
[/ProjectX] @B = [/ProjectX/branches] @QA = [/ProjectX/tags] @QA =
[/ProjectX/trunk/design] @QA = [/ProjectX/trunk/doc] @QA = rw
[/ProjectX/trunk/src] @QA =

This solution, cover our needs but

* Implies considerable administrative work (modifying the
AuthzSVNAccessFile
)
* Our security requirements can be broken (if someone creates a project
but
doesn't modify the AuthzSVNAccessFile the project is accessible by QA
and B)
* With so much typing and the growing size of the AuthzSVNAccessFile is
easy
to mistype something ... giving access to unauthorized places.

Does anyone know a better aproach ?

For example Wildcards to do something like this

[/*]
@ATG =
[/*/branches]
@QA =
[/*/tags]
@QA =
[/*/trunk/design]
@QA =
[/*/trunk/doc]
@QA = rw
[/*/trunk/src]
@QA =

Regards

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Jul 27 22:56:59 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.