
Re: Add $authenticated to group definition

From: Branko Čibej <brane_at_wandisco.com>
Date: Fri, 16 Jan 2015 10:57:48 +0100

On 16.01.2015 08:06, Tom Ghyselinck wrote:
> Hi,
>
> We are using subversion 1.8.8 (r1568071) server on Ubuntu 14.04.
>
> I need to add "$authenticated" to the group since this is required for
> our company generic group definitions.

I'm having a hard time understanding this requirement. Any concrete user
or group you mention in a rule will only take effect for authenticated
connections anyway.

> We created an authz file with group definitions as follows:
>
> [groups]
> myreaders = $authenticated
>
> [/]
> * =
>
> [/path1]
> $authenticated = r
>
> [/path2]
> @myreaders = r
>
> [/path3]
> # I know, this is actually a user definition
> myreaders = r
>
>
> It looks like it is not possible or not allowed to add the
> "$authenticated" token to a group definition:
> - Using it in /path1 is fine (as documented)
> - I expect it also to work in /path2, but it does not.
>
> $ /usr/bin/svnauthz accessof --username=someuser --path=/path1 ~/test.authz
> r
>
> $ /usr/bin/svnauthz accessof --username=someuser --path=/path2 ~/test.authz
> no
>
> $ /usr/bin/svnauthz accessof --username=someuser --path=/path3 ~/test.authz
> no
>
> $ /usr/bin/svnauthz accessof --username=myreaders --path=/path1 ~/test.authz
> r
>
> $ /usr/bin/svnauthz accessof --username=myreaders --path=/path2 ~/test.authz
> no
>
> $ /usr/bin/svnauthz accessof --username=myreaders --path=/path3 ~/test.authz
> # (Here it matches the "user" myreaders)
> r
>
>
> I couldn't find any documentation on whether or not it is possible and/or
> allowed.

If you read

http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html

you'll find that you can define groups that contain users, aliases and
other groups. $authenticated and $anonymous are magic tokens that do not
belong to any of those categories.

The point is that group memberships are completely defined when the
authz file is parsed, but $authenticated and $anonymous do not refer to
users but to connection states when the authorization check is being done.

> Can someone confirm if this is expected to work or not?

It is not expected to work.

> If not, is there a workaround to add "$authenticated" to a group?

You don't need a workaround. Just change your configuration like this,
for example:

        [/path2]
        @myreaders = r
        $authenticated = r

But, as I said above: this is redundant. The "@myreaders=r" entry only
takes effect if the connection is authenticated; if it's an anonymous
connection, there's no user name and therefore no group membership, so
you may as well omit the "@myreaders=r" entry from the authz rule.

-- Brane
Received on 2015-01-16 10:58:21 CET
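
The point made in the reply above, as an added Python model that is not part of the original mail and not Subversion's own code: group members are fixed name lists at parse time, while $authenticated is tested against the connection at check time. The function names and the lookup rule (the nearest section with an applicable entry decides) are assumptions of this model; the authz text is constructed from the thread.

```python
# Simplified model of path-based authz lookup (added illustration, not
# Subversion's code). Sample authz text is constructed from the thread.
import configparser

def parse_authz(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep names case-sensitive
    cp.read_string(text)
    groups = {}
    if cp.has_section("groups"):
        # Group membership is fixed here, at parse time: plain name lists.
        groups = {g: {m.strip() for m in v.split(",") if m.strip()}
                  for g, v in cp.items("groups")}
    rules = {s: dict(cp.items(s)) for s in cp.sections() if s != "groups"}
    return groups, rules

def in_group(groups, name, user, seen=()):
    # A member is a literal user name or a nested @group; nothing else.
    return any(m == user or (m.startswith("@") and m[1:] not in seen
               and in_group(groups, m[1:], user, seen + (name,)))
               for m in groups.get(name, ()))

def matches(groups, token, user):
    # user is None for an anonymous connection.
    if token == "*":
        return True
    if token == "$authenticated":  # connection state, known only per request
        return user is not None
    if token == "$anonymous":
        return user is None
    if token.startswith("@"):
        return user is not None and in_group(groups, token[1:], user)
    return token == user

def access_of(text, user, path):
    groups, rules = parse_authz(text)
    while True:  # nearest section with an applicable entry decides
        hits = [v.strip() for k, v in rules.get(path, {}).items()
                if matches(groups, k, user)]
        if hits:
            return "".join(sorted(set("".join(hits)))) or "no"
        if path == "/":
            return "no"
        path = path.rsplit("/", 1)[0] or "/"

ORIGINAL = ("[groups]\nmyreaders = $authenticated\n[/]\n* =\n"
            "[/path1]\n$authenticated = r\n[/path2]\n@myreaders = r\n"
            "[/path3]\nmyreaders = r\n")
FIXED = ORIGINAL.replace("@myreaders = r\n", "@myreaders = r\n$authenticated = r\n")
```

With ORIGINAL the model reproduces the six svnauthz results quoted in the thread; with FIXED, an authenticated user gets r on /path2 while an anonymous connection (user None) still falls through to the `* =` rule.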

This is an archived mail posted to the Subversion Users mailing list.
