Posted to dev@subversion.apache.org by Charles Fry <cf...@ece.cmu.edu> on 2004/10/01 04:45:26 UTC

AuthzSVNAccessFile groups

I may just be the victim of minimal AuthzSVNAccessFile documentation,
but I am currently pained by the disconnect between AuthzSVNAccessFile,
and AuthGroupFile (and its Digest and DBM variants).

AuthzSVNAccessFile uses usernames that are defined in AuthFile or
AuthDigestFile, however it forces groups that may already be defined in
AuthGroupFile, AuthDigestGroupFile, or AuthDBMGroupFile to be redefined.
This opens the door for group membership inconsistencies when the same
groups need to be used in both places.

It would be most helpful if AuthzSVNAccessFile could import
AuthGroupFile and AuthDBMGroupFile format groups files.

Charles

-- 
His
Tomato
Was the mushy type
Until his beard
Grew over-ripe
Burma-Shave
http://frogcircus.org/burmashave/1952/his

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
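
[Added example, not part of the original thread and not Subversion or httpd code.] The inconsistency risk described in the post above can be checked for by comparing the two group definitions directly. This sketch assumes the AuthGroupFile form "group: user1 user2" and the access file's "[groups]" section form "group = user1, user2"; the function names and the sample data are constructed for illustration.

```python
# Added example: detect group-membership drift between an Apache AuthGroupFile
# and the [groups] section of an AuthzSVNAccessFile. All data is constructed.

def parse_auth_group_file(text):
    """AuthGroupFile format: 'group: user1 user2 ...', one entry per line."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, members = line.split(":", 1)
        # The same group may appear on several lines; merge the members.
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def parse_authz_groups(text):
    """Read only the [groups] section: 'group = user1, user2'."""
    groups, in_groups = {}, False
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_groups = line[1:-1].strip() == "groups"
            continue
        if in_groups and "=" in line:
            name, members = line.split("=", 1)
            # Nested '@group' references are compared literally, not expanded.
            groups[name.strip()] = {m.strip() for m in members.split(",") if m.strip()}
    return groups

def group_drift(apache, authz):
    """Return {group: (only_in_AuthGroupFile, only_in_access_file)} for mismatches."""
    report = {}
    for name in sorted(set(apache) | set(authz)):
        a, z = apache.get(name, set()), authz.get(name, set())
        if a != z:
            report[name] = (sorted(a - z), sorted(z - a))
    return report

# Constructed sample inputs.
APACHE_GROUPS = "developers: alice bob carol\nadmins: alice\n"
AUTHZ = "[groups]\ndevelopers = alice, bob\nadmins = alice, dave\n\n[/]\n@developers = rw\n"

if __name__ == "__main__":
    drift = group_drift(parse_auth_group_file(APACHE_GROUPS), parse_authz_groups(AUTHZ))
    for group, (apache_only, authz_only) in drift.items():
        print(f"{group}: only in AuthGroupFile={apache_only} only in access file={authz_only}")
```

A user who appears only in the access file's copy of a group holds repository rights that the Apache-side group definition does not reflect, which is the case worth reviewing first.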

Re: AuthzSVNAccessFile groups

Posted by Ben Collins-Sussman <su...@collab.net>.
On Oct 3, 2004, at 5:52 PM, Sander Striker wrote:
>  Since there is no API that allows for resolving in which
> groups a user is in httpd 2.0

Yikes.  So maybe this will be remedied in the httpd-2.2 authn/authz 
rewrite?



Re: AuthzSVNAccessFile groups

Posted by Sander Striker <st...@apache.org>.
On Fri, 2004-10-01 at 15:03, Ben Collins-Sussman wrote:
> On Oct 1, 2004, at 1:41 AM, Timothee Besset wrote:
> 
> > Agreed. I am suffering from this as well.
> >
> >
> 
> Perhaps an enhancement request should be filed?
> 
> Sander Striker:  is this enhancement even doable?  I don't know enough 
> about the apache API.

Not currently possible, no.  There are three phases in httpd
authentication:

 - access_checker, typically used for host/ip based authorization
 - check_user_id, typically used to authenticate a user
 - auth_checker, typically used to verify if a user is in a certain
   group, and/or, if the user/group has access to the resource being
   accessed.

Now, mod_authz_svn uses both access_checker and auth_checker.
access_checker is used to determine if anonymous access is allowed.
auth_checker is used to determine whether r->user is allowed
access.  Since there is no API that allows for resolving in which
groups a user is in httpd 2.0, and whatever was done with respect
to groups in a previous auth_checker hook isn't stored anywhere,
it is fairly hard to implement without doing a crude copy 'n
paste from another auth_module.

Sander



Re: AuthzSVNAccessFile groups

Posted by Erik Huelsmann <eh...@gmail.com>.
On Fri, 1 Oct 2004 08:03:37 -0500, Ben Collins-Sussman
<su...@collab.net> wrote:
> 
> On Oct 1, 2004, at 1:41 AM, Timothee Besset wrote:
> 
> > Agreed. I am suffering from this as well.
> >
> >
> 
> Perhaps an enhancement request should be filed?
> 
> Sander Striker:  is this enhancement even doable?  I don't know enough
> about the apache API.

Perhaps we don't need to import those, but use the apache group the
user authenticated into to determine the user's access rights if the
group is not defined in the mod_dav_svn's user file.

bye,

Erik.


Re: AuthzSVNAccessFile groups

Posted by Ben Collins-Sussman <su...@collab.net>.
On Oct 1, 2004, at 1:41 AM, Timothee Besset wrote:

> Agreed. I am suffering from this as well.
>
>

Perhaps an enhancement request should be filed?

Sander Striker:  is this enhancement even doable?  I don't know enough 
about the apache API.



Re: AuthzSVNAccessFile groups

Posted by Timothee Besset <tt...@idsoftware.com>.
Agreed. I am suffering from this as well.

TTimo

On Fri, 1 Oct 2004 00:45:26 -0400
Charles Fry <cf...@ece.cmu.edu> wrote:

> I may just be the victim of minimal AuthzSVNAccessFile documentation,
> but I am currently pained by the disconnect between AuthzSVNAccessFile,
> and AuthGroupFile (and its Digest and DBM variants).
> 
> AuthzSVNAccessFile uses usernames that are defined in AuthFile or
> AuthDigestFile, however it forces groups that may already be defined in
> AuthGroupFile, AuthDigestGroupFile, or AuthDBMGroupFile to be redefined.
> This opens the door for group membership inconsistencies when the same
> groups need to be used in both places.
> 
> It would be most helpful if AuthzSVNAccessFile could import
> AuthGroupFile and AuthDBMGroupFile format groups files.
> 
> Charles
> 
> -- 
> His
> Tomato
> Was the mushy type
> Until his beard
> Grew over-ripe
> Burma-Shave
> http://frogcircus.org/burmashave/1952/his
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: dev-help@subversion.tigris.org
> 
> 
