Multiple access files when using SVNParentPath

From: Gustavo Leite de Mendonça Chaves <gustavo_at_gnustavo.com>
Date: Fri, 8 Aug 2008 01:24:33 -0300

I'd like to re-submit a request made by Carlos Alberto Costa Beppler
on dev@ at the end of 2005 under this same subject:

Essentially, he suggested that there should be a way to specify one
authz file per repository when one uses the SVNParentPath directive
from mod_authz_svn.

I argue that this would be very useful in a context where one has
hundreds of repositories under a single Apache server and in which the
access control configuration can't be centralized by the server
administrator, but needs to be delegated to the "repository
administrators". (By the latter I mean the person responsible for
defining the access rights for a repository. Usually a developer and
not the Subversion administrator.)

Currently, in a situation like this I can't use a single Location with
a SVNParentPath directive, because then I would have to have a single
global authz file and I wouldn't be able to delegate its configuration
to a whole lot of people. I'm forced, then, to have hundreds of
Location contexts using SVNPath directives, which is harder to
maintain, poses more stress on Apache and forces me to reload Apache
after each repository addition.

In the original dev@ thread there were some suggestions about how to
offer this new configuration option. I'm not particularly keen on any
one of those, but it seems that the preferred option would be to have
a new directive, alternative to AuthzSVNAccessFile, that would specify
a file that would be located at the conf directory under each
repository. Something like this:

  <Location ...>
    SVNParentPath /path/to/parent
    AuthzSVNPerRepoAccessFile authz
  </Location>

This would be very much like what one can accomplish by using a single
svnserve daemon with a --root option pointing to the parent path of
the repositories.

Someone in the original thread suggested that perhaps instead of
implementing this feature it would suffice to implement some kind of
#include directive for the access files. The idea being to have a
single master SVNAccessFile that would include the conf/authz files
from every directory. This wouldn't work, because there would be
clashes of group definitions, and because nothing would stop a
malicious repository admin from inserting in his access files clauses
referencing other repositories.

However, an include feature would complement very well the
AuthzSVNPerRepoAccessFile directive. Realize that it's common for a
repository admin to be responsible for several repositories. In our
case, we have 300+ repositories and about 15 repository admins. They
would love to be able to consolidate all the group definitions in a
single file that they could include in the authz files local to each
repository under their control.

I hope the use cases for this request are clear. What do you think?


Received on 2008-08-08 16:50:49 CEST
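
Added example (not part of the original mail and not Subversion code): a Python check for the two problems the mail attributes to including every repository's conf/authz file into one master access file, namely clashing group definitions and sections that name another repository. The repository names, users and the audit_fragments helper are constructed for illustration.

```python
import configparser

# Constructed per-repository conf/authz contents, keyed by repository name.
SAMPLE_FRAGMENTS = {
    "alpha": "[groups]\ndevs = alice, bob\n\n[/]\n@devs = rw\n",
    "beta": "[groups]\ndevs = mallory\n\n[/]\n@devs = rw\n\n"
            "[alpha:/trunk]\nmallory = rw\n",
}

def parse_authz(text):
    """Parse authz text; names are case-sensitive and only '=' separates."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def audit_fragments(fragments):
    """Report what would go wrong if these fragments were merged into one file.

    Returns a list of tuples:
      ("group-clash", repo, group, first_repo_defining_it)
      ("foreign-section", repo, section_name)
    """
    findings = []
    group_owner = {}  # group name -> first repository that defined it
    for repo, text in sorted(fragments.items()):
        cp = parse_authz(text)
        for section in cp.sections():
            if section == "groups":
                for group in cp[section]:
                    owner = group_owner.setdefault(group, repo)
                    if owner != repo:
                        findings.append(("group-clash", repo, group, owner))
            elif ":" in section:
                # "[name:/path]" scopes a rule to the repository called name.
                target = section.split(":", 1)[0]
                if target != repo:
                    findings.append(("foreign-section", repo, section))
    return findings

if __name__ == "__main__":
    for finding in audit_fragments(SAMPLE_FRAGMENTS):
        print(finding)
```
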

This is an archived mail posted to the Subversion Users mailing list.