
Re: authz via properties?

From: Alexey Neyman <stilor_at_att.net>
Date: Thu, 17 Oct 2013 21:05:27 -0700

On Friday, October 18, 2013 02:46:39 AM Branko Čibej wrote:

On 17.10.2013 20:00, Alexey Neyman wrote:

Hi all,

We are actively using authz path-based authentication rules: due to some legal
requirements, some parts of our product source code are not accessible to a
part of the developer team. Currently authz does not support wildcards (there
is an issue about that [1] discussed since 2006). Because of this, each time a
branch is created, authz rules have to be copied and modified for the new
branch.

This leads to a proliferation of authz rules; our authz is currently about
2000 lines and growing. I am currently implementing a post-commit script so
that we would be able to record authz rules on files/directories, and authz
would be appended with new rules every time these files/directories are
copied.

First, I am wondering how well such an 'authz' approach would scale. Has anyone
run scalability tests on authz?

Second, I thought that if I am using properties to track authz-controlled
files, the SVN server would probably do that more effectively than a post-commit
script. As an added value, property-based authz would allow versioning in the
path-based auth configuration, which the current mechanism does not allow. E.g.,
currently one could configure the path /foo as either R/O, R/W or
unaccessible to user U; it is not possible to configure the path to be
unaccessible before/after a certain revision.

Thoughts? Ideas?

Properties are not suitable for storing ACLs because they are
immutable; i.e., you cannot change properties on committed files and directories.
You need a different kind of structure, one that the Subversion repository does not
have yet.

Well, technically you can dump & reload... But that's hardly maintainable, I agree. Are
those ACLs you're describing going to be version-specific? In other words, will it be
possible to specify that /foo/bar@2345 is r/w for user harry, but not accessible
starting with revision 2346?

Thanks for a pointer to that 1.8 feature, I forgot about that. That might make my
task a bit easier.
Regards,
Alexey.

-- 
Branko Čibej | Director of Subversion
WANdisco // Non-Stop Data
e. brane_at_wandisco.com
Received on 2013-10-18 06:06:29 CEST

This is an archived mail posted to the Subversion Users mailing list.
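
Added example, not part of the original message and not Subversion code: a sketch of the rule-copying step of the post-commit script described in the thread, which emits authz sections for a copy destination from the sections at or below the copy source. The names parse_authz, rules_for_copy and SAMPLE_AUTHZ are hypothetical, the sample authz is constructed, and it assumes the hook has already worked out the (source, destination) pair and that restrictions are set at or below the copied path, not inherited from above it.

```python
import re

# Matches "[/path]" and "[repo:/path]"; "[groups]" and "[aliases]" do not match.
SECTION = re.compile(r"^\[(?:(?P<repo>[^:\]]+):)?(?P<path>/[^\]]*)\]$")

SAMPLE_AUTHZ = """\
[groups]
legal = harry, sally

[/]
* = rw

[/trunk/licensed]
* =
@legal = rw

[/trunk/licensed/vendor]
@legal = r

[/trunk/licensed2]
* = r
"""  # constructed sample, not taken from the thread

def parse_authz(text):
    """Return [(repo, path, [rule lines])] for every path section."""
    sections, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION.match(line)
        if m:
            current = (m.group("repo"), m.group("path").rstrip("/") or "/", [])
            sections.append(current)
        elif line.startswith("["):
            current = None               # [groups] etc. hold no path rules
        elif current and line and not line.startswith("#"):
            current[2].append(line)
    return sections

def rules_for_copy(authz_text, src, dst, repo=None):
    """Authz text to append so that dst is restricted the same way as src."""
    src, dst = src.rstrip("/"), dst.rstrip("/")
    sections = parse_authz(authz_text)
    existing = {(r, p) for r, p, _ in sections}
    out = []
    for r, path, rules in sections:
        # Compare whole path components: /trunk/licensed2 is not under /trunk/licensed.
        if r != repo or not (path == src or path.startswith(src + "/")):
            continue
        new_path = dst + path[len(src):]
        if (r, new_path) in existing:
            continue                     # never override a rule already written for dst
        out.append(f"[{r + ':' if r else ''}{new_path}]\n" + "\n".join(rules) + "\n")
    return "\n".join(out)
```

Running the function again after its output has been appended returns an empty string, so the hook can safely fire more than once for the same copy.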
