RE: Documentation for authzSVN module?
From: Jonathan Ashley <jonathan.ashley_at_praxis-his.com>
Date: Mon, 25 Feb 2008 10:28:39 +0000
Yes, perfect sense.
To get the behaviour I wanted, I found I needed groups of:
which is hardly intuitive, and asking for trouble when
What I eventually did, was write a file mapping users to the
Then I wrote a script to generate the authorisations file from
-- Jon Ashley

> -----Original Message-----
> From: Anders Palm [mailto:Anders.Palm_at_prevas.dk]
> Sent: 25 February 2008 10:11
> To: Jonathan Ashley
> Cc: users_at_subversion.tigris.org
> Subject: RE: RE: Documentation for authzSVN module?
>
> Hi
>
> Yes, we seem to have somewhat similar problems.
> I would expect the module to use the narrowest possible
> scope, but it seems that it doesn't.
>
> I have a *lot* of users, and like you, I authenticate them
> through SSPI. Most of these users have full rw access to all
> repositories, but a few of them (mostly clients who need to
> be able to access their own code), should of course be
> limited to their repository.
>
> To handle this, I go a different way. I don't want to handle
> all my "regular" users in authz, so I take a blacklisting
> approach of sorts, something like this:
>
> [groups]
> externals = <list of users>
>
> [/]
> * = rw
>
> [repos1:/]
> @externals =
>
> [repos2:/]
> @externals =
> someUser = rw
>
> This approach almost works, but of course requires me to
> handle all my repositories.
>
> What I would like to be able to do, is something like this:
>
> [/]
> * = rw
> @externals =
>
> [repos1:/]
>
> [repos2:/]
> someUser = rw
>
> Of course, all users are within the scope of "*", but my
> @externals group should generally not be able to read or
> write anything unless specifically told so.
>
> But when trying the second approach, the users in the
> @externals group have full rw-access, apparently because they
> are granted it by the "*"-clause.
>
> I would, like you, expect the module to match on the
> narrowest possible scope, apparently it doesn't.
>
> I hope that made some sense :)
>
> Cheers
> Anders
Received on 2008-02-25 11:29:03 CET
This is an archived mail posted to the Subversion Users mailing list.
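
The first layout quoted above only holds if every repository has its own section that blanks out @externals, so a repository that is missed keeps the `* = rw` default from `[/]`. The following is an added example, not code from either poster or from Subversion: it generates that layout from a repository inventory and audits an existing file for repositories that lack the deny line. The function names and the repository `repos3` are assumptions made for illustration.

```python
import configparser

RESTRICTED = "externals"  # group name taken from the quoted authz file


def generate_authz(repos, members, grants):
    """Emit the per-repository deny layout from the thread.

    repos   -- every repository served (hypothetical inventory)
    members -- users placed in the restricted group
    grants  -- {repo: {user: access}} exceptions re-granted inside a repo
    """
    unknown = set(grants) - set(repos)
    if unknown:
        # A grant for a repository that is not in the inventory is a typo
        # or a stale entry; refuse to write a file that silently ignores it.
        raise ValueError(f"grants name unknown repositories: {sorted(unknown)}")
    lines = ["[groups]", f"{RESTRICTED} = {', '.join(sorted(members))}", "",
             "[/]", "* = rw", ""]
    for repo in sorted(repos):
        lines += [f"[{repo}:/]", f"@{RESTRICTED} ="]
        lines += [f"{u} = {a}" for u, a in sorted(grants.get(repo, {}).items())]
        lines.append("")
    return "\n".join(lines)


def repos_missing_deny(authz_text, repos):
    """Return repositories with no '[repo:/]' section that empties @RESTRICTED."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(authz_text)
    missing = []
    for repo in sorted(repos):
        section = f"{repo}:/"
        # .get() returns None when the line is absent and "" when it is blank.
        if not cp.has_section(section) or cp[section].get(f"@{RESTRICTED}") != "":
            missing.append(repo)
    return missing


if __name__ == "__main__":
    # Constructed inventory: repos3 stands for a repository created after
    # the hand-written file below was last edited.
    repos = ["repos1", "repos2", "repos3"]
    hand_written = ("[/]\n* = rw\n\n[repos1:/]\n@externals =\n\n"
                    "[repos2:/]\n@externals =\nsomeUser = rw\n")
    print("no deny section for:", repos_missing_deny(hand_written, repos))
    print(generate_authz(repos, ["someUser"], {"repos2": {"someUser": "rw"}}))
```

Running the audit against the live file whenever a repository is created catches the gap before a restricted user can browse the new repository.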