Posted to users@subversion.apache.org by Kevin Jones <ke...@develop.com> on 2004/10/08 10:42:49 UTC

Administering multiple repositories

Some background. 

I'm mainly a Windows developer/user with some Linux knowledge/experience,
but not too much Linux admin experience. 

I have a Linux box set next to me and I've installed Subversion on it. I
currently have it set up using WebDAV under Apache and after a little head
scratching it works. The way it is set up is to have SVNParentPath set to
point at a directory and to have multiple repositories under that directory.
I have a couple of questions (oh, and I have read the book :) )

i) I've set the owner/group of the repositories to 'apache'. Is this a good
way to do things or should I create a 'subversion' user and add that user to
the 'apache' group, or should I do something else completely (I know there
is no 'one true way' I just want to make sure I don't screw myself
completely in the future if/when I decide to change things)

ii) What are the implications of sticking with 'apache' as owner/group

iii) What are the implications of using a different user/group

iv) My real question. I have multiple repositories under SVNParentPath, can
I specify different subversion access permissions for those repositories or
should I go back to httpd.conf and add multiple <Location ...> entries with
different access permissions for each repo.


BTW. I have Googled around for answers to these questions but found nothing
definitive. In some cases I see advice to wrap Apache in a script and do a
umask 002 before executing it, in others (actually here on the list) I've
seen answers saying - 'if you use Apache and its default user you'll be
fine' So I'm confused :)

Thanks,

Kevin Jones
http://kevinj.develop.com 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Administering multiple repositories

Posted by Peter Valdemar Mørch <sw...@sneakemail.com>.
Kevin Jones kevinj-at-develop.com |Lists| wrote:
> I just want to make sure I don't screw myself
> completely in the future if/when I decide to change things)

Keep in mind that you can always later change the owner of every file 
in the repository with:

chown -R newuser:newgroup /path/to/repos

if you decide something else later. See 'man chown'.

So worry about how you want it now. There are no long-term implications.

Peter

P.S: If you want svn+ssh access at some point, keep in mind that these 
svn+ssh users will get at the repository each as their own user. (What 
we've done is to set up a 'subversion' group. Make the repository owned 
by an owner of that group. Make sure that every user accessing the 
repository is a member of that 'subversion' group and has a umask of 
002. Last:
'chmod -R ug+wr /path/to/repository')

-- 
Peter Valdemar Mørch
http://www.morch.com


Re: Administering multiple repositories

Posted by Scott Lawrence <sl...@pingtel.com>.
On Fri, 2004-10-08 at 07:15, Konrad Rosenbaum wrote:
> Kevin Jones said:
> > I'm mainly a Windows developer/user with some Linux knowledge/experience,
> > but not too much Linux admin experience.

> > iv) My real question. I have multiple repositories under SVNParentPath, can
> > I specify different subversion access permissions for those repositories or
> > should I go back to httpd.conf and add multiple <Location ...> entries with
> > different access permissions for each repo.
> 
> Use authz. The same chapter as the description of the DAV installation. ;-)
> 
> You can then specify different ACLs for each repository.

You don't need authz if you just need to control things at the
repository level - you can do it with Apache Location directives; that's
how we do it at SIPfoundry, and it works very smoothly.

-- 
  Scott Lawrence
  SIPfoundry server tools maintainer
  lawrence@sipfoundry.org



Re: Administering multiple repositories

Posted by Konrad Rosenbaum <ko...@silmor.de>.
Kevin Jones said:
> I'm mainly a Windows developer/user with some Linux knowledge/experience,
> but not too much Linux admin experience.

So there is hope... ;-)

> ii) What are the implications of sticking with 'apache' as owner/group

Everything else that runs with your apache user (eg. any scripts on the
web server) can read/write the repository and potentially mess it up

> iii) What are the implications of using a different user/group

Apache (and SVN WebDAV) cannot write it (except if the permissions are
broad enough).

You should stick with apache running SVN, but take some care what else
runs there.

> iv) My real question. I have multiple repositories under SVNParentPath, can
> I specify different subversion access permissions for those repositories or
> should I go back to httpd.conf and add multiple <Location ...> entries with
> different access permissions for each repo.

Use authz. The same chapter as the description of the DAV installation. ;-)

You can then specify different ACLs for each repository.



    Konrad



Re: Administering multiple repositories

Posted by Ron Bieber <ro...@bieberlabs.com>.
yup ... my bad.   As I look at our configuration file, we are using the
[rep:/path] syntax.   For some reason my brain was stuck in pre-1.0.

Sorry for the confusion.
 
-- Ron

On Fri, 2004-10-08 at 07:40, Konrad Rosenbaum wrote:

> Ron Bieber said:
> > On Fri, 2004-10-08 at 05:42, Kevin Jones wrote:
> >> iv) My real question. I have multiple repositories under SVNParentPath, can
> >> I specify different subversion access permissions for those repositories or
> >> should I go back to httpd.conf and add multiple <Location ...> entries with
> >> different access permissions for each repo.
> >
> > I tend to use separate <Location> directives to do this, but that is
> > just a quirk I have about being very specific.   I do not believe though
> > that you can have multiple svn_authz configuration files using
> > SVNParentPath, so if you want to give different users access to
> > different repositories, you will need to use separate location blocks.
> > All of my developers have access to all repositories, so again, I just
> > use separate location directives so that everything is laid out
> > specifically.
> 
> You don't need separate access files for different repositories.
> 
> Instead of using the path-only syntax ([/path]) you use the rep+path
> syntax ([rep:/path]). See the manual's section about authz for details.
> 
> If you want different admins setting the ACLs to different repositories,
> just wrap the file by a script. If you need an example, you can find my
> PHP scripts here: http://silmor.de/11
> 
> 
>     Konrad
> 
> 
> 
> 

RE: Administering multiple repositories

Posted by Kevin Jones <ke...@develop.com>.
Thanks to everybody for replying. I feel much happier now :)

Kevin Jones
http://kevinj.develop.com 
 

> -----Original Message-----
> From: Konrad Rosenbaum [mailto:konrad@silmor.de] 
> Sent: 08 October 2004 13:40
> To: ron@bieberlabs.com
> Cc: users@subversion.tigris.org
> Subject: Re: Administering multiple repositories
> 
> Ron Bieber said:
> > On Fri, 2004-10-08 at 05:42, Kevin Jones wrote:
> >> iv) My real question. I have multiple repositories under
> >> SVNParentPath, can I specify different subversion access permissions
> >> for those repositories or should I go back to httpd.conf and add
> >> multiple <Location ...> entries with different access permissions for
> >> each repo.
> >
> > I tend to use separate <Location> directives to do this, but that is
> > just a quirk I have about being very specific.   I do not believe though
> > that you can have multiple svn_authz configuration files using
> > SVNParentPath, so if you want to give different users access to
> > different repositories, you will need to use separate location blocks.
> > All of my developers have access to all repositories, so again, I just
> > use separate location directives so that everything is laid out
> > specifically.
>
> You don't need separate access files for different repositories.
>
> Instead of using the path-only syntax ([/path]) you use the
> rep+path syntax ([rep:/path]). See the manual's section about
> authz for details.
>
> If you want different admins setting the ACLs to different
> repositories, just wrap the file by a script. If you need an
> example, you can find my PHP scripts here: http://silmor.de/11
> 
> 
>     Konrad



Re: Administering multiple repositories

Posted by Konrad Rosenbaum <ko...@silmor.de>.
Ron Bieber said:
> On Fri, 2004-10-08 at 05:42, Kevin Jones wrote:
>> iv) My real question. I have multiple repositories under SVNParentPath, can
>> I specify different subversion access permissions for those repositories or
>> should I go back to httpd.conf and add multiple <Location ...> entries with
>> different access permissions for each repo.
>
> I tend to use separate <Location> directives to do this, but that is
> just a quirk I have about being very specific.   I do not believe though
> that you can have multiple svn_authz configuration files using
> SVNParentPath, so if you want to give different users access to
> different repositories, you will need to use separate location blocks.
> All of my developers have access to all repositories, so again, I just
> use separate location directives so that everything is laid out
> specifically.

You don't need separate access files for different repositories.

Instead of using the path-only syntax ([/path]) you use the rep+path
syntax ([rep:/path]). See the manual's section about authz for details.

If you want different admins setting the ACLs to different repositories,
just wrap the file by a script. If you need an example, you can find my
PHP scripts here: http://silmor.de/11


    Konrad




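
Added example (not part of any message in this thread): a constructed authz
file using the [rep:/path] syntax described in the message above, giving
different ACLs to two repositories served from one SVNParentPath. It assumes
the <Location> block that sets SVNParentPath also points AuthzSVNAccessFile at
this file and requires an authenticated user; the repository, group and user
names are hypothetical.

```ini
# Constructed sample authz file. Repository names (website, firmware),
# groups and users are hypothetical, not taken from the thread.
# Keep comments on their own lines; text after '=' is read as the value.

[groups]
web-devs = alice, bob
fw-devs = carol
release = dave

# No repository prefix: this section applies to every repository under
# SVNParentPath. An empty value means "no access", so a newly created
# repository stays closed until a repository-specific section opens it.
[/]
* =

# Repository "website": its developers commit, and every other user who
# got past Apache authentication may read.
[website:/]
@web-devs = rw
* = r

# Same repository, narrower path: tags are read-only for developers and
# writable only by the release group. Users not named here inherit the
# rule from [website:/].
[website:/tags]
@web-devs = r
@release = rw

# Repository "firmware": only its own developers get in. Everyone else
# falls through to the [/] section above and is denied.
[firmware:/]
@fw-devs = rw

# The release group may read one subtree of firmware and nothing else.
[firmware:/release]
@release = r
```

Because one file holds the rules for every repository, write access to that
file is equivalent to admin rights over all of them; it should be owned by an
admin account and be read-only for the user Apache runs as.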

Re: Administering multiple repositories

Posted by Ron Bieber <ro...@bieberlabs.com>.
On Fri, 2004-10-08 at 05:42, Kevin Jones wrote:

> Some background. 
> 
> I'm mainly a Windows developer/user with some Linux knowledge/experience,
> but not too much Linux admin experience. 
> 
> I have a Linux box set next to me and I've installed Subversion on it. I
> currently have it set up using WebDAV under Apache and after a little head
> scratching it works. The way it is set up is to have SVNParentPath set to
> point at a directory and to have multiple repositories under that directory.
> I have a couple of questions (oh, and I have read the book :) )
> 
> i) I've set the owner/group of the repositories to 'apache'. Is this a good
> way to do things or should I create a 'subversion' user and add that user to
> the 'apache' group, or should I do something else completely (I know there
> is no 'one true way' I just want to make sure I don't screw myself
> completely in the future if/when I decide to change things)

I see no reason using apache as the user would cause any problems.   For
our setup, I have created a user called 'buildmaster' who is under the
'build' group and Apache runs as this user.  The buildmaster user has a
shell account to which we can run the automated build (CruiseControl)
under, and is the user that we log in as for all repository maintenance
functions (dumps, password/user additions, authorization changes etc).  
All build related emails come from this user as well.    This isn't
necessarily the right way to do it (I don't think there is one) but it
gives the administrators an idea of what they should be doing when
they're logged in, and gives the developers an idea of where all these
commit emails and build emails are coming from.   It also allows us to
filter build related emails off to a subfolder in our mail system.


> 
> ii) What are the implications of sticking with 'apache' as owner/group

None that I know of, except that I believe the apache user is normally
set up with a non-shell account.

> 
> iii) What are the implications of using a different user/group

See answer to i above.

> 
> iv) My real question. I have multiple repositories under SVNParentPath, can
> I specify different subversion access permissions for those repositories or
> should I go back to httpd.conf and add multiple <Location ...> entries with
> different access permissions for each repo.

I tend to use separate <Location> directives to do this, but that is
just a quirk I have about being very specific.   I do not believe though
that you can have multiple svn_authz configuration files using
SVNParentPath, so if you want to give different users access to
different repositories, you will need to use separate location blocks.  
All of my developers have access to all repositories, so again, I just
use separate location directives so that everything is laid out
specifically.

> 
> 
> BTW. I have Googled around for answers to these questions but found nothing
> definitive. In some cases I see advice to wrap Apache in a script and do a
> umask 002 before executing it, in others (actually here on the list) I've
> seen answers saying - 'if you use Apache and its default user you'll be
> fine' So I'm confused :)


As I said earlier, our buildmaster user is the user Apache runs as, and
also the owner of the partition under which the repositories are
stored.   All repositories are created by this user, so he owns them by
default.   The limited few who are able to log into this box have sudo
access to su to this user to do any maintenance that needs to occur (new
passwords, new authorization rights, etc)   It's worked flawlessly for
us and has really cut down on the confusion.    We've used this user
even back in the CVS days, so when we cut over to Subversion nothing
really changed.    This is one of the reasons that I had decided way
back not to have application specific user names.

I hope this helps.

-- Ron


> 
> Thanks,
> 
> Kevin Jones
> http://kevinj.develop.com