
Authentication/authorization mixed mode

From: Marco Tedone <marco.tedone_at_virtual-universe.net>
Date: 2006-12-13 15:50:47 CET

Hi guys,
 
We are passing to SVN and I'm designing our security architecture as
regards authentication/authorization. Our decision is to expose the SVN
repos through Apache HTTP. I'd like to use mod_dav_svn for
authentication and mod_authz_svn for authorization. We'll have a
user/password file generated with the Apache HTTP command (with
encryption and all that) for authentication; then I'd like to have a
unique file where to define users, groups and projects' access for
authorization.
 
 
The <Location> entry in the HTTPd file could look like:
 
<Location /repos>
  DAV svn
  SVNParentPath /usr/local/svn

  # our access control policy
  AuthzSVNAccessFile /path/to/access/file

  # only authenticated users may access the repository
  Require valid-user

  # how to authenticate a user
  AuthType Basic
  AuthName "Subversion repository"
  AuthUserFile /path/to/users/file
</Location>
 
 
Am I correct in saying that when a user tries to access a protected
repository and enters the credentials, these will be verified
against the authentication file defined by 'AuthUserFile', whereas the
user's rights on the project (r/rw/etc) will be defined in the file
defined by AuthzSVNAccessFile? And if this is true, since I'd like to
define the authorization file so that groups of users will have access
to projects, shall I define the users AND/OR the passwords also in the
authorization file (since I have already defined these in the
authentication file)?

This is as of now the only node remaining before building for live.

Thanks.

Marco

Virtual Universe Ltd, Amplefuture House, The Quadrant, 135 Salusbury Road, London NW6 6RJ

Tel: +44 (0) 870 788 6000

Fax: +44 (0) 870 788 6689

Web: www.virtual-universe.net

Received on Wed Dec 13 15:52:03 2006
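
Added example, not part of the original post: with the split described in the message above, the AuthUserFile holds name:hash pairs and the AuthzSVNAccessFile holds only user names, groups and per-path rights, so the two files are linked by user name alone. The sketch below cross-checks them and reports names that are granted rights but could never log in. The file contents, user names, repository names and function names are constructed for illustration.

```python
import configparser

# Constructed sample data (not from the original post); hashes are placeholders.
HTPASSWD = """\
alice:$apr1$constructed$placeholderhash000000
bob:$apr1$constructed$placeholderhash111111
"""

# Constructed access file: user names and rights only, no passwords.
AUTHZ = """\
[groups]
devs = alice, bob
docs = carol

[projectA:/]
@devs = rw
@docs = r

[projectB:/trunk]
alice = rw
dave = r
"""

def htpasswd_users(text):
    """User names from an AuthUserFile: one 'name:hash' entry per line."""
    return {line.split(":", 1)[0] for line in text.splitlines()
            if line.strip() and not line.startswith("#")}

def authz_users(text):
    """Every user name the access file refers to, directly or via a group."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str          # user and group names are case-sensitive
    cp.read_string(text)
    users = set()
    for section in cp.sections():
        for key, value in cp.items(section):
            if section == "groups":
                members = [m.strip() for m in value.split(",") if m.strip()]
                users.update(m for m in members if not m.startswith(("@", "&")))
            elif not key.startswith(("@", "*", "$", "~", "&")):
                users.add(key)    # a rule written for one named user
    return users

def unauthenticatable(authz_text, htpasswd_text):
    """Names granted rights in authz that have no credential in htpasswd."""
    return sorted(authz_users(authz_text) - htpasswd_users(htpasswd_text))

if __name__ == "__main__":
    print(unauthenticatable(AUTHZ, HTPASSWD))
```
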

This is an archived mail posted to the Subversion Users mailing list.