RE: Documentation for authzSVN module?
From: Anders Palm <Anders.Palm_at_prevas.dk>
Date: Mon, 25 Feb 2008 13:06:06 +0100
Hi Jon
Yes, that makes sense (at least according to the twisted logic of authz ;) But as you say, maintenance is going to be hell this way. I have 500+ users that need access, and I would hate to have to maintain the authz-file like that.
I thought about rewriting authz to fit my needs (which would probably take me just as long as writing a script to do it the broken way).
But it would only give me extra maintenance-problems in case the module is one day updated.
So I think I'll post this on dev, and see what they say about changing authz, then perhaps we can find a solution that works better for everyone.
Cheers
Anders Palm
Software Developer
Prevas A/S
Frederikskaj 6
DK-2450 København SV
Phone +45 33159090
Mobile +45 26823952
Anders.Palm_at_prevas.dk
www.prevas.dk
-----Original Message-----
Yes, perfect sense.
To get the behaviour I wanted, I found I needed groups of:
everyone
which is hardly intuitive, and asking for trouble when
What I eventually did, was write a file mapping users to the
name1
Then I wrote a script to generate the authorisations file from
regards,
-- Jon Ashley

> -----Original Message-----
> From: Anders Palm [mailto:Anders.Palm_at_prevas.dk]
> Sent: 25 February 2008 10:11
> To: Jonathan Ashley
> Cc: users_at_subversion.tigris.org
> Subject: RE: RE: Documentation for authzSVN module?
>
> Hi
>
> Yes, we seem to have somewhat similar problems.
> I would expect the module to use the narrowest possible
> scope, but it seems that it doesn't.
>
> I have a *lot* of users, and like you, I authenticate them
> through SSPI. Most of these users have full rw access to all
> repositories, but a few of them (mostly clients who need to
> be able to access their own code), should of course be
> limited to their repository.
>
> To handle this, I go a different way. I don't want to handle
> all my "regular" users in authz, so I take a blacklisting
> approach of sorts, something like this:
>
> [groups]
> externals = <list of users>
>
> [/]
> * = rw
>
> [repos1:/]
> @externals =
>
> [repos2:/]
> @externals =
> someUser = rw
>
> This approach almost works, but of course requires me to
> handle all my repositories.
>
> What I would like to be able to do, is something like this:
>
> [/]
> * = rw
> @externals =
>
> [repos1:/]
>
> [repos2:/]
> someUser = rw
>
> Of course, all users are within the scope of "*", but my
> @externals group should generally not be able to read or
> write anything unless specifically told so.
>
> But when trying the second approach, the users in the
> @externals group have full rw-access, apparently because they
> are granted it by the "*"-clause.
>
> I would, like you, expect the module to match on the
> narrowest possible scope, apparently it doesn't.
>
> I hope that made some sense :)
>
> Cheers
> Anders
Received on 2008-02-25 13:06:30 CET
This is an archived mail posted to the Subversion Users mailing list.
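
Added example (not part of the archived mail, and not Jon's script or Subversion's own code): a simplified Python model of the behaviour reported in the thread, limited to repository-root sections, together with a generator for the per-repository deny layout. The function names and the user and repository names are constructed placeholders.

```python
def parse(text):
    """Split authz text into ({group: users}, {section: [(subject, perms)]})."""
    groups, sections, cur = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            cur = line[1:-1]
            sections.setdefault(cur, [])
            continue
        key, _, val = (part.strip() for part in line.partition("="))
        if cur == "groups":
            groups[key] = {u.strip() for u in val.split(",") if u.strip()}
        else:
            sections[cur].append((key, val))
    return groups, sections

def matches(subject, user, groups):
    if subject.startswith("@"):
        return user in groups.get(subject[1:], set())
    return subject in ("*", user)

def root_access(text, user, repo):
    """Model: first section (repo-specific, then global) naming the user decides;
    inside it, a grant on any matching line wins over an empty (deny) line."""
    groups, sections = parse(text)
    for name in (f"{repo}:/", "/"):
        hits = [p for s, p in sections.get(name, []) if matches(s, user, groups)]
        if hits:
            return "".join(c for c in "rw" if any(c in p for p in hits))
    return ""

def render_blacklist(repos, externals, exceptions):
    """Generate the first layout from the thread: open default, per-repo deny."""
    out = ["[groups]", "externals = " + ", ".join(sorted(externals)), "", "[/]", "* = rw"]
    for repo in sorted(repos):
        out += ["", f"[{repo}:/]", "@externals ="]
        out += [f"{u} = rw" for u in sorted(exceptions.get(repo, []))]
    return "\n".join(out) + "\n"

# Constructed sample data; user and repository names are placeholders.
SECOND_LAYOUT = "[groups]\nexternals = client1, someUser\n\n[/]\n* = rw\n@externals =\n\n[repos1:/]\n\n[repos2:/]\nsomeUser = rw\n"
GENERATED = render_blacklist(["repos1", "repos2"], {"client1", "someUser"}, {"repos2": ["someUser"]})

if __name__ == "__main__":
    print(GENERATED)
    for layout, text in (("second", SECOND_LAYOUT), ("generated", GENERATED)):
        for repo in ("repos1", "repos2", "repos3"):
            print(layout, repo, "client1 ->", repr(root_access(text, "client1", repo)))
```

In the generated layout, a repository that is missing from the input list (repos3 here) falls through to the global `* = rw` rule, so the repository list has to be regenerated whenever a repository is created.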