
RE: Documentation for authzSVN module?

From: Jonathan Ashley <jonathan.ashley_at_praxis-his.com>
Date: Mon, 25 Feb 2008 10:28:39 +0000

Yes, perfect sense.

To get the behaviour I wanted, I found I needed groups of:

everyone
not_int_and_not_dev
int_and_not_dev
int_and_dev

which is hardly intuitive, and asking for trouble when
maintaining.

What I eventually did was write a file mapping users to the
two roles I had in mind, i.e. with lines that looked like

name1
name2 int
name3 dev
name3 int dev

Then I wrote a script to generate the authorisations file from
this. This now runs as a post-commit hook, which also detects
when certain paths are added to or removed from the repository.
Maybe a similar approach (autogeneration from a role-based
file) would solve your problem?

regards,

--
Jon Ashley

> -----Original Message-----
> From: Anders Palm [mailto:Anders.Palm_at_prevas.dk]
> Sent: 25 February 2008 10:11
> To: Jonathan Ashley
> Cc: users_at_subversion.tigris.org
> Subject: RE: RE: Documentation for authzSVN module?
>
> Hi
>
> Yes, we seem to have somewhat similar problems.
> I would expect the module to use the narrowest possible
> scope, but it seems that it doesn't.
>
> I have a *lot* of users, and like you, I authenticate them
> through SSPI. Most of these users have full rw access to all
> repositories, but a few of them (mostly clients who need to
> be able to access their own code), should of course be
> limited to their repository.
>
> To handle this, I go a different way. I don't want to handle
> all my "regular" users in authz, so I take a blacklisting
> approach of sorts, something like this:
>
> [groups]
> externals = <list of users>
>
> [/]
> * = rw
>
> [repos1:/]
> @externals =
>
> [repos2:/]
> @externals =
> someUser = rw
>
> This approach almost works, but of course requires me to
> handle all my repositories.
>
> What I would like to be able to do, is something like this:
>
> [/]
> * = rw
> @externals =
>
> [repos1:/]
>
> [repos2:/]
> someUser = rw
>
> Of course, all users are within the scope of "*", but my
> @externals group should generally not be able to read or
> write anything unless specifically told so.
>
> But when trying the second approach, the users in the
> @externals group have full rw-access, apparently because they
> are granted it by the "*"-clause.
>
> I would, like you, expect the module to match on the
> narrowest possible scope; apparently it doesn't.
>
> I hope that made some sense :)
>
> Cheers
> Anders
Received on 2008-02-25 11:29:03 CET

This is an archived mail posted to the Subversion Users mailing list.
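
The role-file-to-authz generation described in the reply above, as an added example that is not Jon Ashley's script or any code from the thread. It goes slightly beyond the four groups he lists by emitting one disjoint group per role combination present in the file, so each user matches exactly one group line per section. The POLICY paths, the generated group names, the "* =" default for unlisted users, and the refusal of duplicate user names are assumptions made for this illustration.

```python
"""Generate a Subversion authz file from a user-to-role mapping file."""

KNOWN_ROLES = {"int", "dev"}  # the two roles named in the post

# Hypothetical policy (not from the post): path, roles granted rw, and
# the access given to every other listed user. Paths are placeholders.
POLICY = [
    ("/", set(), "r"),
    ("/integration", {"int"}, "r"),
    ("/dev", {"dev"}, ""),
]


def parse_roles(text):
    """Parse 'name [role ...]' lines into {user: frozenset(roles)}."""
    users = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        name, roles = fields[0], frozenset(fields[1:])
        if roles - KNOWN_ROLES:
            raise ValueError(f"line {lineno}: unknown role {sorted(roles - KNOWN_ROLES)}")
        if name in users:
            # A user listed twice is ambiguous; refuse rather than guess.
            raise ValueError(f"line {lineno}: duplicate user {name!r}")
        users[name] = roles
    return users


def group_name(roles):
    """Hypothetical naming scheme: sorted roles joined by '_'."""
    return "_".join(sorted(roles)) if roles else "no_role"


def generate_authz(users):
    """Emit disjoint groups (one per role combination) and explicit rules."""
    groups = {}
    for name, roles in sorted(users.items()):
        groups.setdefault(roles, []).append(name)
    ordered = sorted(groups, key=group_name)
    out = ["[groups]"]
    out += [f"{group_name(r)} = {', '.join(groups[r])}" for r in ordered]
    for path, rw_roles, other in POLICY:
        out += ["", f"[{path}]", "* ="]  # users absent from the role file get nothing
        out += [f"@{group_name(r)} = {'rw' if r & rw_roles else other}".rstrip()
                for r in ordered]
    return "\n".join(out) + "\n"


SAMPLE = "name1\nname2 int\nname3 dev\nname4 int dev\n"  # constructed input

if __name__ == "__main__":
    print(generate_authz(parse_roles(SAMPLE)), end="")
```

Because every section lists every group explicitly, the output does not depend on how the module combines a "*" grant with a group entry, which is the behaviour the quoted message ran into.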