Posted to dev@subversion.apache.org by Justin Erenkrantz <je...@apache.org> on 2002/10/12 18:18:25 UTC

Adding ACL support was Re: SV: Accessing different revs via Apache?

--On Thursday, October 10, 2002 11:26 AM +0300 Nuutti Kotivuori 
<na...@iki.fi> wrote:

> The apache permission stuff is in fact coming later - right guys?
> :-)

Yes, the idea is to add WebDAV ACL support.  Please read 
notes/webdav-acl-notes.  Comments and suggestions welcomed!

I would expect that most of the ACL changes are going to be in 
mod_dav not SVN - you can view the ACLs as properties on the files, 
so it is trivial to add from the Subversion side - mod_dav should be 
where most of the heavy lifting occurs.

I have no real idea when my schedule will allow me to work on this, 
but I've been inching closer and closer in my mind to how it would be 
organized in code...  -- justin

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Adding ACL support was Re: SV: Accessing different revs via Apache?

Posted by Greg Hudson <gh...@MIT.EDU>.
On Sat, 2002-10-12 at 14:18, Justin Erenkrantz wrote:
> I would expect that most of the ACL changes are going to be in 
> mod_dav not SVN - you can view the ACLs as properties on the files, 
> so it is trivial to add from the Subversion side - mod_dav should be 
> where most of the heavy lifting occurs.

On the contrary, I would hope that the heavy lifting isn't restricted to
using DAV as a network layer.

(That doesn't mean the checking can't originate in ra_dav, but any
complicated logic should go into, say, libsvn_subr, so that it can be
used by ra_pipe or any other network layer which comes along.)



Re: Adding ACL support was Re: SV: Accessing different revs via Apache?

Posted by Justin Erenkrantz <je...@apache.org>.
--On Saturday, October 12, 2002 9:24 PM +0100 "Dr. David Alan 
Gilbert" <gi...@treblig.org> wrote:

> Is a property attached to an individual object or can it be
> attached to an entire subtree?  In particular I'd want to create a
> read-only 'cp' of a repository (read tag); would I have to make a
> single change in the repository to one acl at the top of the new cp
> or have to change all of the acl's under it? There is a big
> difference in the cost!

In the WebDAV ACL draft, inheritance is explicit.  Therefore, we'd 
have to set it for each object in the tree.  I think that is one of 
the more debatable aspects of the WebDAV ACL draft - I think their 
view is that they'd rather optimize the lookups (by having explicit 
inheritance) rather than optimizing changes or storage of the ACL 
entries.  -- justin

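The cost trade-off discussed in the message above, as an added example that is not part of the original post and is not Subversion, mod_dav or WebDAV ACL draft code. It is a simplified model: the paths, the ACL strings and the "inherited" alternative store are assumptions made up for illustration.

```python
# Constructed sample: paths under a tag copy (made up for this example).
TAG_PATHS = [
    "/tags/1.0", "/tags/1.0/src", "/tags/1.0/src/main.c",
    "/tags/1.0/src/util.c", "/tags/1.0/doc", "/tags/1.0/doc/README",
]

def parent(path):
    head = path.rsplit("/", 1)[0]
    return head or "/"

class ExplicitStore:
    """Every object carries its own ACL entry (explicit inheritance)."""
    def __init__(self, paths, acl):
        self.acls = {p: acl for p in paths}
        self.writes = 0
    def set_subtree(self, root, acl):
        for p in self.acls:
            if p == root or p.startswith(root + "/"):
                self.acls[p] = acl      # one write per object in the subtree
                self.writes += 1
    def lookup(self, path):
        return self.acls[path], 1       # (acl, objects consulted)

class InheritedStore:
    """Hypothetical alternative: an ACL set on a directory covers its subtree."""
    def __init__(self, paths, acl):
        self.acls = {"/": acl}
        self.writes = 0
    def set_subtree(self, root, acl):
        self.acls[root] = acl           # a single write at the top of the copy
        self.writes += 1
    def lookup(self, path):
        steps = 1
        while path not in self.acls:    # walk up to the nearest ancestor ACL
            path = parent(path)
            steps += 1
        return self.acls[path], steps

def compare(root="/tags/1.0", leaf="/tags/1.0/src/main.c"):
    """Make the tag read-only in both models and report the cost of each."""
    out = {}
    for name, cls in (("explicit", ExplicitStore), ("inherited", InheritedStore)):
        store = cls(TAG_PATHS, "read-write")
        store.set_subtree(root, "read-only")
        acl, steps = store.lookup(leaf)
        out[name] = {"writes": store.writes, "lookup_steps": steps, "acl": acl}
    return out
```

The write count in the explicit model grows with the size of the copied tree, while the lookup depth in the inherited model grows with the depth of the path.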

Re: Adding ACL support was Re: SV: Accessing different revs via Apache?

Posted by "Dr. David Alan Gilbert" <gi...@treblig.org>.
* Justin Erenkrantz (jerenkrantz@apache.org) wrote:
> 
> Yes, the idea is to add WebDAV ACL support.  Please read 
> notes/webdav-acl-notes.  Comments and suggestions welcomed!

I've had a quick flick through this and the webdav.org spec it
references and have one question.

Is a property attached to an individual object or can it be attached to
an entire subtree?  In particular I'd want to create a read-only 'cp' of
a repository (read tag); would I have to make a single change in the
repository to one acl at the top of the new cp or have to change all of
the acl's under it? There is a big difference in the cost!

Dave
 ---------------- Have a happy GNU millennium! ----------------------   
/ Dr. David Alan Gilbert    | Running GNU/Linux on Alpha,68K| Happy  \ 
\ gro.gilbert @ treblig.org | MIPS,x86,ARM, SPARC and HP-PA | In Hex /
 \ _________________________|_____ http://www.treblig.org   |_______/


Re: Adding ACL support was Re: SV: Accessing different revs via Apache?

Posted by Noel Yap <ya...@yahoo.com>.
> There are two types of ACLs:
> 
> 1. ACLs of the versioned resource: Here I think of
> POSIX ACLs, or even
> extended attributes. These should be versioned. I do
> not remember having
> read anything about these on this list, only about
> X-flags.

I'm not sure how useful this would be since such
things are usually done upon install.  OTOH, if
something like this were done, I would agree that
since these are attributes of the versioned object,
they should also be versioned.

> 2. ACLs controlling access to the repository: Some
> time ago there was a
> discussion on the list that came to the conclusion
> that versioning those
> would probably not make much sense, except maybe for
> a kind of group (as
> in project members) property which could be used as
> an identifier for
> non-versioned ACLs. Or did I get that wrong?

I would have no problems with versioning membership
information so long as the permissioning always uses
the latest version of the list.

OTOH, I seem to recall reading that permissioning
would be done using role-based access control (RBAC). 
For example, the following info would be kept per
resource:
1. User u0 would have role r0 on element e0.
2. Role r0 would have certain defined permissions on
e0.

Am I recalling correctly?  Or would it really be more
like POSIX ACLs?

Thanks,
Noel


Re: Adding ACL support was Re: SV: Accessing different revs via Apache?

Posted by Stephan Feder <sf...@stephan-feder.de>.
Noel Yap wrote:
> 
> --- Justin Erenkrantz <je...@apache.org> wrote:
> > Yes, the idea is to add WebDAV ACL support.  Please
> > read
> > notes/webdav-acl-notes.  Comments and suggestions
> > welcomed!
> 
> I did a quick read of the above file.
> 
> At first glance, I would think that versioning ACLs
> would be A Bad Thing since the following could occur:
> 1. Developer d0 has full privileges on resource r0.
> 2. Someone revokes d0's privileges on r0.
> 
> If ACLs were versioned, d0 would still have access to
> older versions of r0.  Or am I misunderstanding
> something?  Might there be some benefit of versioned
> ACLs I don't see that'll outweigh the consequences?

There are two types of ACLs:

1. ACLs of the versioned resource: Here I think of POSIX ACLs, or even
extended attributes. These should be versioned. I do not remember having
read anything about these on this list, only about X-flags.

2. ACLs controlling access to the repository: Some time ago there was a
discussion on the list that came to the conclusion that versioning those
would probably not make much sense, except maybe for a kind of group (as
in project members) property which could be used as an identifier for
non-versioned ACLs. Or did I get that wrong?

Regards,
	Stephan


Re: Adding ACL support was Re: SV: Accessing different revs via Apache?

Posted by Noel Yap <ya...@yahoo.com>.
--- Justin Erenkrantz <je...@apache.org> wrote:
> Yes, the idea is to add WebDAV ACL support.  Please
> read 
> notes/webdav-acl-notes.  Comments and suggestions
> welcomed!

I did a quick read of the above file.

At first glance, I would think that versioning ACLs
would be A Bad Thing since the following could occur:
1. Developer d0 has full privileges on resource r0.
2. Someone revokes d0's privileges on r0.

If ACLs were versioned, d0 would still have access to
older versions of r0.  Or am I misunderstanding
something?  Might there be some benefit of versioned
ACLs I don't see that'll outweigh the consequences?

Thanks,
Noel

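The revocation scenario from the message above, together with the "always use the latest version of the list" rule from the earlier reply in this thread, as an added example that is not part of any post here and is not Subversion or mod_dav code. The revision numbers, the user d1 and the function names are assumptions; d0 and r0 follow the thread.

```python
# Constructed history of the read ACL on resource r0:
# revision in which the ACL changed -> set of users allowed to read.
ACL_HISTORY = {
    1: {"d0", "d1"},   # d0 has privileges on r0
    5: {"d1"},         # someone revokes d0's privileges on r0
}
HEAD = 7               # newest revision in this constructed repository

def acl_at(rev):
    """ACL in effect at `rev`: the newest entry at or before that revision."""
    applicable = [r for r in ACL_HISTORY if r <= rev]
    return ACL_HISTORY[max(applicable)] if applicable else set()

def can_read_versioned(user, rev):
    """Policy A: check the ACL as it was versioned with the requested revision."""
    return user in acl_at(rev)

def can_read_latest(user, rev):
    """Policy B: always check the newest ACL, whichever revision is requested."""
    return user in acl_at(HEAD)

def exposed_revisions(user):
    """Revisions readable under policy A although the latest ACL denies the user."""
    return [rev for rev in range(1, HEAD + 1)
            if can_read_versioned(user, rev) and not can_read_latest(user, rev)]

if __name__ == "__main__":
    print("d0 still reads under versioned ACLs:", exposed_revisions("d0"))
    print("d1 exposure:", exposed_revisions("d1"))
```

Under policy A the revocation in revision 5 only protects revisions 5 and later; under policy B it applies to the whole history of r0.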