[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: Issue with authorization and slow logs

From: Tony Butt <tjb_at_cea.com.au>
Date: 2007-09-21 04:13:59 CEST

On Wed, 2007-09-19 at 10:26 -0400, Priest, James (NIH/NIEHS) [C] wrote:
> Recently we moved from a text file authorization to authenticating
> against Kerberos. Since we have done that - running 'svn log' has slowed
> down to the point it's really unusable.
> I've dug around through the web and the mailing list archives and found
> references to adding a "SVNPathAuthz Off" line - but most of these posts
> were old (2004) and it seemed to be a compromise and was wondering if
> this was still the best solution??
> If this is the only solution we'll probably have to make some changes to
> our repository organization to group the repos that need security vs.
> speed.
> Thanks,
> Jim
I found that some changes to your krb5.conf can help.

What really helped us was to replace any hostnames in krb5.conf with IP

The mod_auth_krb implementation is fairly stateless - it doesn't
remember that you authenticated for a particular file in the same
transaction, and re-checks the kerberos tickets each time. Some sort of
authentication cache would really help this (similar to mod_auth_ldap).

This means that each file accessed via subversion requires checking the
kerberos authentication. If you have hostnames in krb5.conf, then the
dns lookups are also redone. This meant about 3 network transmit/receive
pairs in addition to the actual file/data transfer to/from subversion.

We went from Win 2000 domain controllers to 2003 controllers earlier
this year, and something changed with the AD kerberos processing there -
things became so slow that we had to give up mod_auth_krb, and use
mod_pam instead :-( If you are using Active Directory, you can also try
winbind - seems to run OK.

Tony Butt
CEA Technologies

To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Sep 21 04:14:41 2007

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.