
Re: AuthType Basic (with ext LDAP)

From: Naumenko, Roman <roman.naumenko_at_rbccm.com>
Date: Wed, 23 Oct 2013 18:35:21 +0000

On 2013/10/18 5:09 PM, Ben Reser wrote:

On 10/18/13 12:46 PM, Naumenko, Roman wrote:

But there are still checks (or maybe this is just info log) against
access-file for each path in repository.
Is it something expected or enabled somewhere by default?

[Fri Oct 18 15:35:52 2013] [info] [client 10.11.11.18] Access granted:
'user1' REPORT /trunk/very_long_path/Data.manifest
[Fri Oct 18 15:35:52 2013] [debug]
subversion/mod_authz_svn/mod_authz_svn.c(195): [client 10.11.11.18] Path
to authz file is /path_to_access_file/svn_acc

I mean if a user has access to a repository, why checking all paths
under? Or it's just info log about mod_authz_svn processing path
directly, as you said?

The authz access file is only read once per connection.

But the checks will be run for each path accessed by the request. Some of the
requests over HTTP actually access multiple paths in the repository. For
instance a REPORT request might be doing what's referred to as a bulk update,
in which case it's asking for details on all the paths under a given path. The
update REPORT in this case will include file content for paths under the path.
Only the top level path will be in the URI. If you want to disallow access to
some paths under that root path of the request it is necessary to check all the
paths. Some other operations like COPY and MOVE also touch paths other than
the one in the URI for the request since the action requires two paths.

So what you're seeing is perfectly normal operation for the short_circuit
configuration. You can entirely disable the additional checks mentioned above
by setting "SVNPathAuthz off". However, I would not recommend that as it will
make some authz rules ineffective. The hole created by this in the update
report case can be closed by also setting "SVNAllowBulkUpdate off" but that
doesn't help the COPY or MOVE cases. So in general, there's really not a great
reason to use the off setting.

I'd like to thank you, Ben.
With short_circuit (and LDAP caching mentioned below in the thread), svn experience is much better.

--Roman
Received on 2013-10-23 20:41:09 CEST
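
Added example (not part of the original thread, and not Subversion project code): a small audit of an httpd configuration for the combination discussed above, flagging <Location> blocks that use an authz access file but set "SVNPathAuthz off", and reporting whether "SVNAllowBulkUpdate off" closes the update REPORT case. The sample configuration is constructed, its locations and file paths are placeholders, and the script assumes all directives sit directly inside <Location> blocks in one file (no Include resolution).

```python
import re

# Constructed sample: locations and file paths are placeholders, not from the thread.
SAMPLE_CONF = """
<Location /svn/strict>
    DAV svn
    AuthzSVNAccessFile /etc/svn/authz
    SVNPathAuthz short_circuit
</Location>
<Location /svn/open>
    DAV svn
    AuthzSVNAccessFile /etc/svn/authz
    SVNPathAuthz off
</Location>
<Location /svn/partial>
    DAV svn
    AuthzSVNAccessFile /etc/svn/authz
    SVNPathAuthz off
    SVNAllowBulkUpdate off
</Location>
"""

BLOCK = re.compile(r"<Location\s+([^>\s]+)\s*>(.*?)</Location>", re.S | re.I)

def directives(body):
    """Map lower-cased directive name -> lower-cased first argument."""
    found = {}
    for line in body.splitlines():
        parts = line.split()
        if len(parts) >= 2 and not parts[0].startswith("#"):
            found[parts[0].lower()] = parts[1].lower()
    return found

def audit(conf_text):
    """Return {location: [gaps]} for blocks that set SVNPathAuthz off."""
    report = {}
    for location, body in BLOCK.findall(conf_text):
        d = directives(body)
        # Only blocks that rely on path rules and disable the per-path checks.
        if "authzsvnaccessfile" not in d or d.get("svnpathauthz") != "off":
            continue
        gaps = ["COPY/MOVE: paths other than the URI path are not checked"]
        if d.get("svnallowbulkupdate") != "off":
            gaps.insert(0, "update REPORT: paths under the URI path are not checked")
        report[location] = gaps
    return report

if __name__ == "__main__":
    for location, gaps in audit(SAMPLE_CONF).items():
        for gap in gaps:
            print(f"{location}: {gap}")
```

Blocks using "SVNPathAuthz short_circuit" are not flagged, since that setting keeps the per-path checks described in the reply.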

This is an archived mail posted to the Subversion Users mailing list.
