On 10/18/13 12:46 PM, Naumenko, Roman wrote:
> But there are still checks (or maybe this is just info log) against
> access-file for each path in repository.
> Is it something expected or enabled somewhere by default?
>
> [Fri Oct 18 15:35:52 2013] [info] [client 10.11.11.18] Access granted:
> 'user1' REPORT /trunk/very_long_path/Data.manifest
> [Fri Oct 18 15:35:52 2013] [debug]
> subversion/mod_authz_svn/mod_authz_svn.c(195): [client 10.11.11.18] Path
> to authz file is /path_to_access_file/svn_acc
>
> I mean if a user has access to a repository, why checking all paths
> under? Or its just info log about mod_authz_svn processing path
> directly, as you said?
The authz access file is only read once per connection.
But the checks will be run for each path accessed by the request. Some of the
requests over HTTP actually access multiple paths in the repository. For
instance a REPORT request might be doing what's referred to as a bulk update,
in which case it's asking for details on all the paths under a given path. The
update REPORT in this case will include file content for paths under the path.
Only the top level path will be in the URI. If you want to disallow access to
some paths under that root path of the request it is necessary to check all the
paths. Some other operations like COPY and MOVE also touch paths other than
the one in the URI for the request since the action requires two paths.
So what you're seeing is perfectly normal operation for the short_circuit
configuration. You can entirely disable the additional checks mentioned above
by setting "SVNPathAuthz off". However, I would not recommend that as it will
make some authz rules ineffective. The whole created by this in the update
report case can be closed by also setting "SVNAllowBulkUpdate off" but that
doesn't help the COPY or MOVE cases. So in general, there's really not a great
reason to use the off setting.
Received on 2013-10-18 23:12:46 CEST