
Re: Better approach for path-based authorization

From: Sean Kelley <sean.sweng_at_gmail.com>
Date: 2006-08-22 21:28:54 CEST

The path based permissions supported by SVN through Apache leave much
to be desired. It can make it hard to sell Subversion to your company
with a lack of easy to manage permissions control.

I am in the same situation as yourself. It requires a lot of trial
and error to mix and match various groups. Imagine in my case if you
have 100 devs on different teams, which in turn have members split up
working on different projects with different access levels. That gets
really ugly fast.

Sean

On 7/25/06, Alfredo Anderson <alfredo_e_anderson@hotmail.com> wrote:
>
> Hi, we are faced with the following problem:
>
> We have one repository with multiple projects.
> We have two development teams and a QA Team.
> The development team A has read/write access to all the repository.
> The development team B has read/write access to only one project (and
> doesn't have access to anything else).
> The QA team has read/write access to the directory trunk/doc of every
> project (and doesn't have access to anything else).
>
> Currently our AuthzSVNAccessFile looks like this:
>
> [/]
> @A = rw
> @B = r # So they can see the list of projects in the repo
> @QA = r # So they can see the list of projects in the repo
>
> # For every project ProjectX there's an entry like the following
> [/ProjectX]
> @B =
> [/ProjectX/branches]
> @QA =
> [/ProjectX/tags]
> @QA =
> [/ProjectX/trunk/design]
> @QA =
> [/ProjectX/trunk/doc]
> @QA = rw
> [/ProjectX/trunk/src]
> @QA =
>
> This solution covers our needs, but
>
> * Implies considerable administrative work (modifying the AuthzSVNAccessFile)
> * Our security requirements can be broken (if someone creates a project but
> doesn't modify the AuthzSVNAccessFile the project is accessible by QA and B)
> * With so much typing and the growing size of the AuthzSVNAccessFile, it is easy
> to mistype something ... giving access to unauthorized places.
>
> Does anyone know a better approach?
>
> For example, wildcards to do something like this:
>
> [/*]
> @ATG =
> [/*/branches]
> @QA =
> [/*/tags]
> @QA =
> [/*/trunk/design]
> @QA =
> [/*/trunk/doc]
> @QA = rw
> [/*/trunk/src]
> @QA =
>
> Regards
>
>
Received on Tue Aug 22 21:30:25 2006
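
The failure modes listed in the quoted message (a new project left without its deny entries, or a mistyped rule) can be caught by generating the per-project sections from one template and auditing the file against it. The sketch below is an added example, not part of the original thread or of Subversion itself. It assumes the list of top-level projects is supplied separately (for instance from a listing of the repository root), that the one project team B works on gets its own exception, and the names `TEMPLATE`, `render_project`, `parse_authz` and `missing_rules` are hypothetical.

```python
import re

# Per-project rules from the quoted authz file: path suffix -> {group: access}.
# Assumption: team B's own project is handled as a separate exception.
TEMPLATE = {
    "": {"B": ""},
    "/branches": {"QA": ""},
    "/tags": {"QA": ""},
    "/trunk/design": {"QA": ""},
    "/trunk/doc": {"QA": "rw"},
    "/trunk/src": {"QA": ""},
}

def render_project(project):
    """Generate the per-project sections instead of typing them by hand."""
    out = []
    for suffix, grants in TEMPLATE.items():
        out.append(f"[/{project}{suffix}]")
        out += [f"@{group} = {access}".rstrip() for group, access in grants.items()]
    return "\n".join(out) + "\n"

def parse_authz(text):
    """Parse authz text into {section path: {principal: access}}."""
    rules, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, as written in the quoted file
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = rules.setdefault(header.group(1), {})
        elif section is not None and "=" in line:
            who, access = (part.strip() for part in line.split("=", 1))
            section[who] = access
    return rules

def missing_rules(authz_text, projects):
    """Return (path, group, expected access) for every rule absent or different."""
    rules = parse_authz(authz_text)
    return sorted(
        (f"/{p}{suffix}", group, access)
        for p in projects
        for suffix, grants in TEMPLATE.items()
        for group, access in grants.items()
        if rules.get(f"/{p}{suffix}", {}).get("@" + group) != access
    )

# Constructed sample: ProjectX is complete, ProjectY was added with one mistyped rule.
SAMPLE = ("[/]\n@A = rw\n@B = r\n@QA = r\n" + render_project("ProjectX")
          + "[/ProjectY/trunk/src]\n@QA = rw\n")

if __name__ == "__main__":
    for path, group, access in missing_rules(SAMPLE, ["ProjectX", "ProjectY"]):
        print(f"{path}: @{group} should be '{access}'")
```

Run from a scheduled job or a commit hook on the access file, a non-empty result from `missing_rules` flags a project that QA or team B can reach beyond what the policy allows.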

This is an archived mail posted to the Subversion Users mailing list.
