
RE: how to add a group and exclude the group in path-based authorization?

From: Geir Engebakken <geir.engebakken_at_edb.com>
Date: Thu, 18 Jun 2009 10:41:23 +0200

1. Yes, some. I just cut out the relevant part that shows how we restrict access to paths; the same would apply to all other repos as well. We don't use "global accesses".

2. That's right: add rights for a group and admin, limit for all others. It works, but I never really figured out exactly how the access system works; it seems a bit strange to me. It would be very nice to get this explained by someone who knows, but I have seen on the list that many are struggling with it, and no one has ever bothered to explain it thoroughly...

Geir
From: baz themail [mailto:bazthemail_at_gmail.com]
Sent: 17 June 2009 18:59
To: Engebakken Geir
Subject: Re: how to add a group and exclude the group in path-based authorization?

Engebakken,

Thank you very much for your reply.

I understand what you are doing in your svnaccessfile. Here are my questions to Engebakken and the group:

1. Do you have more than one repo? I see only repo called "java".
2. Like what I said in my post, it seems like you only start the restriction at the repo level.

[/]

* = rw
@contractors_group1 =

[repo1:/src/trunk]

@contractors_group2 =

Can somebody tell me why the above won't work? contractors_group1 will still have access to repo1:/src/trunk (that's not what I expected) and contractors_group2 will not have access to repo1:/src/trunk (this is what I expected).

Thanks.

A.

On Wed, Jun 17, 2009 at 1:44 AM, Engebakken Geir <geir.engebakken_at_edb.com> wrote:

Seems the access rules are a bit confusing, what I eventually ended up with was something like this:

[java:/]
*=r
@admin=rw

[java:/business/path1]
@admin=rw
@path1=rw
~path1 =

[java:/business/somearea2]
@admin=rw
@somearea2=rw
~somearea2 =

I found that the notation ~group, sets accesses to all other users than members of the group, effectively giving them no access. I also found that all users needed r access to the root of the repos to be able to tag!

This scheme seems to work, but someone with the knowledge should write a more definite guide on these accesses, they are not easily understood!

(also I just noticed the ~notation by reading through the code to try and understand more of access rights, couldn't find it documented elsewhere)

Geir

From: baz themail [mailto:bazthemail_at_gmail.com]
Sent: 17 June 2009 03:25
To: users_at_subversion.tigris.org
Subject: how to add a group and exclude the group in path-based authorization?

Hi,

I have two existing repos in my svn server that are already managed using path-based authorization. If I want to add a group and then restrict the group's access to a certain part of repo1, then what should I do? I listed the existing contents of svnaccessfile.

I tried to put "@contractors = " in the [/] section under "* = rw" but it will not work, why? I thought this is the right location since I would like to shut off all access for group contractors to all repos.

I tried to put "@contractors = " in a new section called [repo1:/], and it works. Does this restriction only apply to the local "section"? If I have 100 repos, does that mean I have to do them all?

Thanks. A.

[groups]

admins = admin1, admin2
contractors = contractor1, contractor2

[/]

* = rw

[repo1:/src/branches]

* = r
@admins = rw

------------------------------------------------------
http://subversion.tigris.org/ds/viewMessage.do?dsForumId=1065&dsMessageId=2363096

Received on 2009-06-18 10:42:54 CEST
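
Added example, not part of the original mails and not Subversion's own code: a simplified Python model of the two lookup rules described in the Subversion book (the most specific path section that names the user decides, and within one section every matching line is combined), run against constructed rules that mirror the files quoted in this thread. The function names and the rule tables are hypothetical.

```python
# Simplified model of Subversion path-based authz lookup (assumption: follows the
# lookup rules documented in the Subversion book; this is not Subversion's code).
GROUPS = {"admins": {"admin1", "admin2"},
          "contractors": {"contractor1", "contractor2"}}

# Constructed rules mirroring the thread: deny line placed in [/] vs. in [repo1:/].
RULES_GLOBAL_DENY = {"/": [("*", "rw"), ("@contractors", "")],
                     "repo1:/src/branches": [("*", "r"), ("@admins", "rw")]}
RULES_REPO_DENY = {"/": [("*", "rw")],
                   "repo1:/": [("@contractors", "")],
                   "repo1:/src/branches": [("*", "r"), ("@admins", "rw")]}

def matches(subject, user):
    """True if an authz subject (*, @group, name, or ~ inverted form) covers user."""
    if subject.startswith("~"):          # ~ inverts the match
        return not matches(subject[1:], user)
    if subject == "*":
        return True
    if subject.startswith("@"):
        return user in GROUPS.get(subject[1:], set())
    return subject == user

def section_access(lines, user):
    """Union of every matching line in one section; None if no line matches."""
    hits = [perm for subject, perm in lines if matches(subject, user)]
    if not hits:
        return None
    return "".join(c for c in "rw" if any(c in p for p in hits))

def access(rules, repo, path, user):
    """Walk from the path up to the root; the first section naming the user decides."""
    parts = [p for p in path.split("/") if p]
    for depth in range(len(parts), -1, -1):
        candidate = "/" + "/".join(parts[:depth])
        for key in (f"{repo}:{candidate}", candidate):   # repo-specific section first
            if key in rules:
                result = section_access(rules[key], user)
                if result is not None:
                    return result
    return ""   # no section matched the user: no access

if __name__ == "__main__":
    for name, rules in (("deny in [/]", RULES_GLOBAL_DENY),
                        ("deny in [repo1:/]", RULES_REPO_DENY)):
        for path in ("/src/trunk", "/src/branches"):
            print(name, path, repr(access(rules, "repo1", path, "contractor1")))
```

In this model the "@contractors =" line in [/] is combined with "* = rw" in the same section and so denies nothing, while the same line in [repo1:/] works because it is the only matching line there. The "* = r" line in [repo1:/src/branches] still matches contractors, so a deny set higher up has to be repeated in any deeper section that carries a "*" rule.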

This is an archived mail posted to the Subversion Users mailing list.
