Posted to users@subversion.apache.org by David Aldrich <Da...@EMEA.NEC.COM> on 2013/09/26 16:50:17 UTC

Recommendation for path-based authorisation auditing tool?

Hi

We use path-based authorisation to control access to our svn repositories.  The authorisation rules can be quite complex as we apply different authorisations across various branches and directories of our projects.  It is quite hard to be sure that the required permissions structure is correctly implemented.

Therefore, we are looking for a tool to help audit the permissions.  I am aware that there are various commercial tools available.  The ones I have seen are part of larger svn tool suites and not available separately.  They are therefore expensive.

I am wondering whether anyone would recommend a suitable tool for controlling or auditing path-based permissions?

Best regards

David


Re: Recommendation for path-based authorisation auditing tool?

Posted by Stefan Sperling <st...@elego.de>.
On Mon, Sep 30, 2013 at 12:08:39PM +0200, Thorsten Schöning wrote:
> Hello Stefan Sperling,
> on Monday, 30 September 2013 at 11:57 you wrote:
> 
> >> https://ctf.open.collab.net/sf/discussion/do/listPosts/projects.svnedge/discussion.user_questions.topc7106
> 
> > I get "A TeamForge system error has occurred" when I try to visit this link.
> 
> It may be enough to simply reload the page, solved the problem for me
> when it occurred in some browsers. Looks like missing cookies.

Ah, indeed. Strange.

Anyway, I agree this looks like a huge improvement over the current
plain-text editor window. It's great to see such enhancements being
contributed by users.

Re: Recommendation for path-based authorisation auditing tool?

Posted by Thorsten Schöning <ts...@am-soft.de>.
Hello Stefan Sperling,
on Monday, 30 September 2013 at 11:57 you wrote:

>> https://ctf.open.collab.net/sf/discussion/do/listPosts/projects.svnedge/discussion.user_questions.topc7106

> I get "A TeamForge system error has occurred" when I try to visit this link.

It may be enough to simply reload the page, solved the problem for me
when it occurred in some browsers. Looks like missing cookies.

Kind regards,

Thorsten Schöning

-- 
Thorsten Schöning       E-Mail:Thorsten.Schoening@AM-SoFT.de
AM-SoFT IT-Systeme      http://www.AM-SoFT.de/

Phone.............05151-  9468- 55
Fax...............05151-  9468- 88
Mobile.............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hannover HRB 207 694 - Managing Director: Andreas Muchow


RE: Recommendation for path-based authorisation auditing tool?

Posted by David Aldrich <Da...@EMEA.NEC.COM>.
Hi Joseba

Thanks for your reply and for making this code contribution.  It looks very useful.

BTW the link works ok for me.

Best regards

David

> -----Original Message-----
> From: Stefan Sperling [mailto:stsp@elego.de]
> Sent: 30 September 2013 10:57
> To: Joseba Ercilla Olabarri
> Cc: David Aldrich; 'users@subversion.apache.org'
> (users@subversion.apache.org)
> Subject: Re: Recommendation for path-based authorisation auditing tool?
> 
> On Mon, Sep 30, 2013 at 06:58:56AM +0200, Joseba Ercilla Olabarri wrote:
> > Hi David,
> > Not sure if your needs could be covered by a 'better UI' for authz
> > file but, just in case, take a look at this contribution we made some days ago
> > to the Svnedge project (an open source project from Collabnet):
> > https://ctf.open.collab.net/sf/discussion/do/listPosts/projects.svnedge/discussion.user_questions.topc7106
> >
> > Just click in the 'Repositories -> Access Rules' option and see if it
> > meets your needs.
> 
> I get "A TeamForge system error has occurred" when I try to visit this link.
> 
> Could you provide a link that works without being logged in, or share more
> information about your contribution on this list? It sounds very promising.
> 
> 

Re: Recommendation for path-based authorisation auditing tool?

Posted by Stefan Sperling <st...@elego.de>.
On Mon, Sep 30, 2013 at 06:58:56AM +0200, Joseba Ercilla Olabarri wrote:
> Hi David,
> Not sure if your needs could be covered by a 'better UI' for authz file
> but, just in case, take a look at this contribution we made some days ago
> to the Svnedge project (an open source project from Collabnet):
> https://ctf.open.collab.net/sf/discussion/do/listPosts/projects.svnedge/discussion.user_questions.topc7106
> 
> Just click in the 'Repositories -> Access Rules' option and see if it meets
> your needs.

I get "A TeamForge system error has occurred" when I try to visit this link.

Could you provide a link that works without being logged in, or share more
information about your contribution on this list? It sounds very promising.

Re: Recommendation for path-based authorisation auditing tool?

Posted by Joseba Ercilla Olabarri <jo...@gmail.com>.
Hi David,
Not sure if your needs could be covered by a 'better UI' for authz file
but, just in case, take a look at this contribution we made some days ago
to the Svnedge project (an open source project from Collabnet):
https://ctf.open.collab.net/sf/discussion/do/listPosts/projects.svnedge/discussion.user_questions.topc7106

Just click in the 'Repositories -> Access Rules' option and see if it meets
your needs.

By the way, just advise this contribution is currently waiting to be
reviewed and approved, so it is not included in the current release, but we
hope it would be soon.

Best regards,

______________________

Joseba Ercilla Olabarri
+34 902 002 293

www.gailen.es
______________________


On Fri, Sep 27, 2013 at 2:40 AM, Geoff Field <Ge...@aapl.com.au> wrote:

> Hi David,
>
> I hate to sound like I'm stating the bleeding obvious, but what about just
> looking at the authz file with a text editor?
>
> It's not hard to interpret if your usernames are sensible.  I've recently
> spent a little while making sure the projects are sorted in a sensible
> order, so finding particular projects is quite easy (apart from just using
> the built-in search functions).
>
> Having said that, we use a home-grown tool (written by a long-gone
> colleague in C# and backed by an SQL database for administration items) for
> some network administration tasks.  Mostly, this is useful as a lazy way of
> adding or deleting projects.  I still use the text editor for modifying
> user permissions (because it's faster and easier).
>
> Regards,
>
> Geoff
>
>         From: David Aldrich
>         Sent: Friday, 27 September 2013 1:08 AM
>
>         Hi Mark
>
>         Thanks, that's a very helpful suggestion.
>
>         Best regards
>
>         David
>
>
>
>         From: Mark Phippard
>         Sent: 26 September 2013 16:06
>
>         On Thu, Sep 26, 2013 at 11:02 AM, David Aldrich  wrote:
>
>                 Hi Mark
>
>                 Thanks for replying.  By auditing, I mean the ability to
> easily see who has access to a specified folder.  I think we already have
> the recording of changes covered.  svnauthz_accessof looks interesting, but
> it reports whether a specified user has access.  I would prefer to ask 'who
> has access?' to a specified folder.
>
>         OK.  I am not aware of any tools commercial or otherwise that
> provide the information that way.  If you use groups and have a finite
> number of them, it seems like it would be a fairly simple script to check
> each group against the path using the command line tool and report which
> ones have access.
>
>         --
>         Thanks
>
>         Mark Phippard
>         http://markphip.blogspot.com/
>

RE: Recommendation for path-based authorisation auditing tool?

Posted by Geoff Field <Ge...@aapl.com.au>.
Hi David,

I hate to sound like I'm stating the bleeding obvious, but what about just looking at the authz file with a text editor?

It's not hard to interpret if your usernames are sensible.  I've recently spent a little while making sure the projects are sorted in a sensible order, so finding particular projects is quite easy (apart from just using the built-in search functions).

Having said that, we use a home-grown tool (written by a long-gone colleague in C# and backed by an SQL database for administration items) for some network administration tasks.  Mostly, this is useful as a lazy way of adding or deleting projects.  I still use the text editor for modifying user permissions (because it's faster and easier).

Regards,

Geoff

	From: David Aldrich
	Sent: Friday, 27 September 2013 1:08 AM

	Hi Mark

  	Thanks, that's a very helpful suggestion.

	Best regards

	David

	 

	From: Mark Phippard
	Sent: 26 September 2013 16:06

	On Thu, Sep 26, 2013 at 11:02 AM, David Aldrich  wrote:

		Hi Mark

		Thanks for replying.  By auditing, I mean the ability to easily see who has access to a specified folder.  I think we already have the recording of changes covered.  svnauthz_accessof looks interesting, but it reports whether a specified user has access.  I would prefer to ask 'who has access?' to a specified folder.

	OK.  I am not aware of any tools commercial or otherwise that provide the information that way.  If you use groups and have a finite number of them, it seems like it would be a fairly simple script to check each group against the path using the command line tool and report which ones have access.

	-- 
	Thanks
	
	Mark Phippard
	http://markphip.blogspot.com/ 




RE: Recommendation for path-based authorisation auditing tool?

Posted by David Aldrich <Da...@EMEA.NEC.COM>.
Hi Mark

Thanks, that's a very helpful suggestion.

Best regards

David

From: Mark Phippard [mailto:markphip@gmail.com]
Sent: 26 September 2013 16:06
To: David Aldrich
Cc: 'users@subversion.apache.org' (users@subversion.apache.org)
Subject: Re: Recommendation for path-based authorisation auditing tool?

On Thu, Sep 26, 2013 at 11:02 AM, David Aldrich <Da...@emea.nec.com> wrote:
Hi Mark

Thanks for replying.  By auditing, I mean the ability to easily see who has access to a specified folder.  I think we already have the recording of changes covered.  svnauthz_accessof looks interesting, but it reports whether a specified user has access.  I would prefer to ask 'who has access?' to a specified folder.


OK.  I am not aware of any tools commercial or otherwise that provide the information that way.  If you use groups and have a finite number of them, it seems like it would be a fairly simple script to check each group against the path using the command line tool and report which ones have access.


--
Thanks

Mark Phippard
http://markphip.blogspot.com/



Re: Recommendation for path-based authorisation auditing tool?

Posted by Mark Phippard <ma...@gmail.com>.
On Thu, Sep 26, 2013 at 11:02 AM, David Aldrich
<Da...@emea.nec.com> wrote:

> Hi Mark
>
> Thanks for replying.  By auditing, I mean the ability to easily see who
> has access to a specified folder.  I think we already have the recording of
> changes covered.  svnauthz_accessof looks interesting, but it reports
> whether a specified user has access.  I would prefer to ask ‘who has
> access?’ to a specified folder.
>

OK.  I am not aware of any tools commercial or otherwise that provide the
information that way.  If you use groups and have a finite number of them,
it seems like it would be a fairly simple script to check each group
against the path using the command line tool and report which ones have
access.


-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/
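
An added sketch (not code from this thread or from the Subversion project) of the 'who has access to this folder?' report David asks for, computed from the authz file itself. It assumes the resolution rules described in the Subversion book for this era of authz files (the nearest path section with a rule matching the user decides, and matching lines within that section combine) and handles only `[groups]`, plain `[/path]` sections, user names, `@group` and `*`; aliases, `~` negation, `$authenticated`/`$anonymous` and repository-prefixed sections are out of scope. The sample file and every name in it are constructed.

```python
import configparser

# Constructed sample authz file (not taken from the thread).
SAMPLE_AUTHZ = """\
[groups]
devs = alice, bob
leads = carol, @devs

[/]
* = r

[/project/trunk]
@devs = rw
dave =

[/project/branches/release]
@devs = r
carol = rw
* =
"""

def expand(groups, name, seen=frozenset()):
    """Users in group `name`, following nested @group references."""
    seen, users = seen | {name}, set()
    for member in (m.strip() for m in groups.get(name, "").split(",")):
        if member.startswith("@"):
            if member[1:] not in seen:  # guard against cyclic definitions
                users |= expand(groups, member[1:], seen)
        elif member:
            users.add(member)
    return users

def access_for(user, path, rules, groups):
    """Walk from `path` up to '/', stopping at the first section matching the user."""
    node = "/" + path.strip("/")
    while True:
        hits = [v for who, v in rules.get(node, {}).items()
                if who in ("*", user)
                or (who.startswith("@") and user in expand(groups, who[1:]))]
        if hits:  # all matching lines in one section combine
            return "".join(p for p in "rw" if any(p in v for v in hits))
        if node == "/":
            return ""  # no rule anywhere: no access
        node = node.rsplit("/", 1)[0] or "/"

def who_has_access(authz_text, path):
    """Map every user named in the file to '', 'r' or 'rw' for `path`."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # user names are case-sensitive
    cp.read_string(authz_text)
    groups = dict(cp["groups"]) if cp.has_section("groups") else {}
    rules = {"/" + s.strip("/"): dict(cp[s]) for s in cp.sections() if s.startswith("/")}
    users = {u for g in groups for u in expand(groups, g)}
    users |= {k for sec in rules.values() for k in sec if k[0] not in "@*$~&"}
    return {u: access_for(u, path, rules, groups) for u in sorted(users)}
```

Spot-check a few entries of the report against the command-line tool before relying on it, since the server's own rule evaluation is the authority.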

RE: Recommendation for path-based authorisation auditing tool?

Posted by David Aldrich <Da...@EMEA.NEC.COM>.
Hi Mark

Thanks for replying.  By auditing, I mean the ability to easily see who has access to a specified folder.  I think we already have the recording of changes covered.  svnauthz_accessof looks interesting, but it reports whether a specified user has access.  I would prefer to ask 'who has access?' to a specified folder.

David

From: Mark Phippard [mailto:markphip@gmail.com]
Sent: 26 September 2013 15:56
To: David Aldrich
Cc: 'users@subversion.apache.org' (users@subversion.apache.org)
Subject: Re: Recommendation for path-based authorisation auditing tool?

On Thu, Sep 26, 2013 at 10:50 AM, David Aldrich <Da...@emea.nec.com> wrote:

We use path-based authorisation to control access to our svn repositories.  The authorisation rules can be quite complex as we apply different authorisations across various branches and directories of our projects.  It is quite hard to be sure that the required permissions structure is correctly implemented.

Therefore, we are looking for a tool to help audit the permissions.  I am aware that there are various commercial tools available.  The ones I have seen are part of larger svn tool suites and not available separately.  They are therefore expensive.

I am wondering whether anyone would recommend a suitable tool for controlling or auditing path-based permissions? --

Define what you mean by auditing?  I am not aware of any commercial tools that do this.  There are certainly tools that provide their own UI for defining the permissions and probably leave an audit trail of who made the changes, but that does not seem like what you want.

With SVN 1.8 you can store the authz files in the repository -- so that would give an audit trail.

Also, there is a command line tool that can be used to validate the file as well as run checks on the rules.  See:

http://subversion.apache.org/docs/release-notes/1.8.html#svnauthz_accessof


Thanks

Mark Phippard
http://markphip.blogspot.com/



Re: Recommendation for path-based authorisation auditing tool?

Posted by Mark Phippard <ma...@gmail.com>.
On Thu, Sep 26, 2013 at 10:50 AM, David Aldrich
<Da...@emea.nec.com> wrote:

> We use path-based authorisation to control access to our svn
> repositories.  The authorisation rules can be quite complex as we apply
> different authorisations across various branches and directories of our
> projects.  It is quite hard to be sure that the required permissions
> structure is correctly implemented.
>
> Therefore, we are looking for a tool to help audit the permissions.  I am
> aware that there are various commercial tools available.  The ones I have
> seen are part of larger svn tool suites and not available separately.  They
> are therefore expensive.
>
> I am wondering whether anyone would recommend a suitable tool for
> controlling or auditing path-based permissions? --
>

Define what you mean by auditing?  I am not aware of any commercial tools
that do this.  There are certainly tools that provide their own UI for
defining the permissions and probably leave an audit trail of who made the
changes, but that does not seem like what you want.

With SVN 1.8 you can store the authz files in the repository -- so that
would give an audit trail.

Also, there is a command line tool that can be used to validate the file as
well as run checks on the rules.  See:

http://subversion.apache.org/docs/release-notes/1.8.html#svnauthz_accessof


Thanks

Mark Phippard
http://markphip.blogspot.com/