
Re: mod_dav_svn + automatic per-directory user authorization

From: David Chapman <dcchapman_at_acm.org>
Date: Sat, 12 Feb 2011 14:25:59 -0800

On 2/12/2011 1:11 PM, m irya wrote:
> Yep, I could manage to get to such configuration, but here's when it
> comes to the real difference with your setup: we need to manage a huge
> and frequently changing user database, with each user having a small
> repository.
>
>> Here's the big caveat: whenever a repository is added or removed (in your
>> case, every time a user is added or removed), httpd must be restarted
>> because a <Location> entry must be added or removed.
> And that's what I'm trying to solve: the users database is not so tiny, so
> 1) we can't afford restarting httpd on every user added or removed
> 2) we can't afford duplicating the rules in authz svn access file, I
> guess it may be handled inefficiently when it contains too many
> records (at least much less efficiently than just requesting the
> authorization from MySQL).

SVNParentPath will allow you to store multiple repositories under a
single master directory, and the Subversion book says this is a good way
to avoid restarting httpd when adding new repositories. I'd be very
leery of _removing_ repositories without restarting httpd, however -
what would happen if a transaction were being processed at the moment
you deleted the repository directory? You're expecting mod_dav_svn not
to crash in a way that brings down the server.

> I'll try to describe it the other way, one abstraction level upper:
> 1) the user goes to http://somehost/repo/$something
> 2) authenticates him/herself as $username:$password (suppose Basic
> auth, just will change it to https later)
> 3) Apache checks the credentials against MySQL database (mod_auth_mysql?)
> 4) If everything is ok, the user gets a WebDAV access to
> /var/repo/$username/$something (regardless of the method, read or
> write)
>
> The database may change frequently, adding the user will mean
> `svnadmin create /var/repo/$username`, removing will mean `rm -rf
> /var/repo/$username`, but I prefer that nothing is done beyond that,
> especially no httpd configuration changes and restart, all information
> is stored in DB and nothing else should be changed.
>

Repositories are meant to preserve data, implying they are relatively
long-lived. Are you suggesting that repositories will be deleted all
the time? If so, a master server-based configuration like httpd may not
be appropriate for you at all. You may need something more dynamic like
svnserve via inetd (look for that subject heading in the Subversion
book). I don't have any experience with that, however.

Your access requirements (many small repositories, many users,
fine-grained path-based authorization) don't sound like what Subversion
is designed for. It may not be an appropriate tool for you.

-- 
     David Chapman         dcchapman_at_acm.org
     Chapman Consulting -- San Jose, CA
Received on 2011-02-12 23:26:59 CET

This is an archived mail posted to the Subversion Users mailing list.
