Posted to users@subversion.apache.org by Andy Levy <an...@gmail.com> on 2012/01/30 21:45:01 UTC

Re: Limited subdirectory access

On Mon, Jan 30, 2012 at 15:39, K F <cm...@yahoo.com> wrote:
> We have repo ABC with 40+ subdirectories. Current svn security allows developers rw permissions and qa read only to ABC. We would like to have a subgroup of dev to have access to subdirectory DEF (ABC/DEF). Is there a way of doing this, or does the parent directory access take precedence?

The most specific path matches first. Just add a rule for that
subgroup to have access to ABC/DEF and they'll be set.

RE: Limited subdirectory access

Posted by Bob Archer <Bo...@amsi.com>.
> --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com> wrote:
> 
> > From: Bob Archer <Bo...@amsi.com>
> > Subject: RE: Limited subdirectory access
> > To: "K F" <cm...@yahoo.com>, "users@subversion.apache.org"
> > <us...@subversion.apache.org>, "Thorsten Schöning"
> > <ts...@am-soft.de>
> > Date: Tuesday, January 31, 2012, 3:24 PM
> > > I tried your suggestion of
> > >
> > > [/]
> > > *=r
> > >
> > > and I can still commit. So does that point to an error
> > in svnserve.conf?
> > >
> >
> > Yes, something is not configured properly. You are using the svn://
> > protocol to access your repository?
> >
> > BOb
> >
> >
> > > --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com>
> > wrote:
> > >
> > > > From: Bob Archer <Bo...@amsi.com>
> > > > Subject: RE: Limited subdirectory access
> > > > To: "K F" <cm...@yahoo.com>,
> > "users@subversion.apache.org"
> > > > <us...@subversion.apache.org>,
> > "Thorsten Schöning"
> > > > <ts...@am-soft.de>
> > > > Date: Tuesday, January 31, 2012, 2:46 PM
> > > > > I had already tried
> > > > >
> > > > > [/DEF]
> > > > > @dev = r
> > > > > @dev1 = rw
> > > > >
> > > > > and that did not work.
> > > >
> > > > Did you step back further? 1st, svn is case
> > sensitive, so is the path
> > > > in question actually all upper case?
> > > >
> > > > Even further back than that... did you try to just
> > give all users read
> > > > only access to root to ensure your path auth is
> > working at all?
> > > > Something like:
> > > >
> > > > [/]
> > > > *=r
> > > >
> > > > Maybe even turn off anon access to ensure your
> > authentication is
> > > > working as well.
> > > >
> > > > Add stuff one step at a time.
> > > >
> > > > BOb
> > > >
> > > >
> 
> If I understand the question, yes. For the dir in question it is
> 
> svn://subversion/svnrepo/sandbox/DEF

Ok... so you are using svnserve. For some reason your auth file isn't being read. What does your config file look like? 

BOb


Re: Limited subdirectory access

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Bob Archer wrote on Tue, Jan 31, 2012 at 10:50:45 -0500:
> Are you restarting svnserve after you make config/auth file changes?
> In previous emails you talked about restarting Apache... but if you use
> the svn:// protocol you are NOT using Apache.

Last I checked it wasn't necessary to restart svnserve to effect config
file changes.

(I don't recall whether that applies both to the config file and to
referenced files such as the authz file.)

RE: Limited subdirectory access

Posted by Bob Archer <Bo...@amsi.com>.
> --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com> wrote:
> 
> > From: Bob Archer <Bo...@amsi.com>
> > Subject: RE: Limited subdirectory access
> > To: "K F" <cm...@yahoo.com>, "users@subversion.apache.org"
> > <us...@subversion.apache.org>, "Thorsten Schöning"
> > <ts...@am-soft.de>
> > Date: Tuesday, January 31, 2012, 3:24 PM
> > > I tried your suggestion of
> > >
> > > [/]
> > > *=r
> > >
> > > and I can still commit. So does that point to an error
> > in svnserve.conf?
> > >
> >
> > Yes, something is not configured properly. You are using the svn://
> > protocol to access your repository?
> >
> > BOb
> >
> >
> > > --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com>
> > wrote:
> > >
> > > > From: Bob Archer <Bo...@amsi.com>
> > > > Subject: RE: Limited subdirectory access
> > > > To: "K F" <cm...@yahoo.com>,
> > "users@subversion.apache.org"
> > > > <us...@subversion.apache.org>,
> > "Thorsten Schöning"
> > > > <ts...@am-soft.de>
> > > > Date: Tuesday, January 31, 2012, 2:46 PM
> > > > > I had already tried
> > > > >
> > > > > [/DEF]
> > > > > @dev = r
> > > > > @dev1 = rw
> > > > >
> > > > > and that did not work.
> > > >
> > > > Did you step back further? 1st, svn is case
> > sensitive, so is the path
> > > > in question actually all upper case?
> > > >
> > > > Even further back than that... did you try to just
> > give all users read
> > > > only access to root to ensure your path auth is
> > working at all?
> > > > Something like:
> > > >
> > > > [/]
> > > > *=r
> > > >
> > > > Maybe even turn off anon access to ensure your
> > authentication is
> > > > working as well.
> > > >
> > > > Add stuff one step at a time.
> > > >
> > > > BOb
> > > >
> > > >
> 
> If I understand the question, yes. For the dir in question it is
> 
> svn://subversion/svnrepo/sandbox/DEF

Are you restarting svnserve after you make config/auth file changes? In previous emails you talked about restarting Apache... but if you use the svn:// protocol you are NOT using Apache.

BOb




RE: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Tue, 1/31/12, K F <cm...@yahoo.com> wrote:

> From: K F <cm...@yahoo.com>
> Subject: RE: Limited subdirectory access
> To: "users@subversion.apache.org" <us...@subversion.apache.org>, "Thorsten Schöning" <ts...@am-soft.de>, "Bob Archer" <Bo...@amsi.com>
> Date: Tuesday, January 31, 2012, 3:29 PM
> 
> 
> --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com>
> wrote:
> 
> > From: Bob Archer <Bo...@amsi.com>
> > Subject: RE: Limited subdirectory access
> > To: "K F" <cm...@yahoo.com>,
> "users@subversion.apache.org"
> <us...@subversion.apache.org>,
> "Thorsten Schöning" <ts...@am-soft.de>
> > Date: Tuesday, January 31, 2012, 3:24 PM
> > > I tried your suggestion of
> > > 
> > > [/]
> > > *=r
> > > 
> > > and I can still commit. So does that point to an
> error
> > in svnserve.conf?
> > > 
> > 
> > Yes, something is not configured properly. You are
> using the
> > svn:// protocol to access your repository?
> > 
> > BOb
> > 
> > 
> > > --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com>
> > wrote:
> > > 
> > > > From: Bob Archer <Bo...@amsi.com>
> > > > Subject: RE: Limited subdirectory access
> > > > To: "K F" <cm...@yahoo.com>,
> > "users@subversion.apache.org"
> > > > <us...@subversion.apache.org>,
> > "Thorsten Schöning"
> > > > <ts...@am-soft.de>
> > > > Date: Tuesday, January 31, 2012, 2:46 PM
> > > > > I had already tried
> > > > >
> > > > > [/DEF]
> > > > > @dev = r
> > > > > @dev1 = rw
> > > > >
> > > > > and that did not work.
> > > >
> > > > Did you step back further? 1st, svn is case
> > sensitive, so is the path
> > > > in question actually all upper case?
> > > >
> > > > Even further back than that... did you try to
> just
> > give all users read
> > > > only access to root to ensure your path auth
> is
> > working at all?
> > > > Something like:
> > > >
> > > > [/]
> > > > *=r
> > > >
> > > > Maybe even turn off anon access to ensure
> your
> > authentication is
> > > > working as well.
> > > >
> > > > Add stuff one step at a time.
> > > >
> > > > BOb
> > > >
> > > >
> 
> If I understand the question, yes. For the dir in question
> it is
> 
> svn://subversion/svnrepo/sandbox/DEF
> 
I discovered what MY issue was. In the svnserve.conf file there were duplicate entries for 

anon-access = 
auth-access = 

Once I removed the duplicate entries and just had 

anon-access = none
auth-access = write

it started working as it should have. Thank you all for your patience and help. The whole thing was a learning process for me.

Rich
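
A check for the misconfiguration reported above, as an added example that is not part of the original post: it lists options that appear more than once in svnserve.conf and flags an explicit anon-access other than none or a missing authz-db. The sample files and function names are constructed for illustration; password-db and authz-db are the standard svnserve.conf options naming the password and path-rules files.

```python
import re

# Constructed sample modelled on the problem reported above: a second copy of
# the access options further down in the [general] section.
BROKEN_CONF = """\
[general]
anon-access = read
auth-access = write
password-db = passwd
authz-db = authz

# left over from an earlier edit
anon-access = none
auth-access = write
"""

# Constructed sample of the cleaned-up file: one entry per option.
FIXED_CONF = """\
[general]
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
"""

ACCESS_VALUES = {"none", "read", "write"}


def parse_options(text):
    """Return {(section, option): [(line_number, value), ...]}, keeping repeats."""
    options = {}
    section = None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if "=" in line and section is not None:
            name, value = (part.strip() for part in line.split("=", 1))
            options.setdefault((section, name), []).append((number, value))
    return options


def lint_svnserve_conf(text):
    """Return a sorted list of (code, detail) findings for an svnserve.conf."""
    options = parse_options(text)
    findings = []
    # Any option given more than once is reported with every line and value.
    for (section, name), hits in options.items():
        if len(hits) > 1:
            where = ", ".join(f"line {n} = {v!r}" for n, v in hits)
            findings.append(("duplicate", f"[{section}] {name}: {where}"))
    # The two access options only accept none, read or write.
    for name in ("anon-access", "auth-access"):
        for number, value in options.get(("general", name), []):
            if value not in ACCESS_VALUES:
                findings.append(("bad-value", f"{name} on line {number}: {value!r}"))
    # An explicit anon-access other than 'none' lets unauthenticated clients in.
    if any(v != "none" for _, v in options.get(("general", "anon-access"), [])):
        findings.append(("anon-open", "anon-access is not 'none' somewhere in [general]"))
    # Without authz-db no path-based rules file is named at all.
    if ("general", "authz-db") not in options:
        findings.append(("no-authz-db", "no authz-db option, so no path rules file is named"))
    return sorted(findings)


if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label)
        for code, detail in lint_svnserve_conf(conf) or [("ok", "no findings")]:
            print(f"  {code}: {detail}")
```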


RE: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com> wrote:

> From: Bob Archer <Bo...@amsi.com>
> Subject: RE: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>, "users@subversion.apache.org" <us...@subversion.apache.org>, "Thorsten Schöning" <ts...@am-soft.de>
> Date: Tuesday, January 31, 2012, 3:24 PM
> > I tried your suggestion of
> > 
> > [/]
> > *=r
> > 
> > and I can still commit. So does that point to an error
> in svnserve.conf?
> > 
> 
> Yes, something is not configured properly. You are using the
> svn:// protocol to access your repository?
> 
> BOb
> 
> 
> > --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com>
> wrote:
> > 
> > > From: Bob Archer <Bo...@amsi.com>
> > > Subject: RE: Limited subdirectory access
> > > To: "K F" <cm...@yahoo.com>,
> "users@subversion.apache.org"
> > > <us...@subversion.apache.org>,
> "Thorsten Schöning"
> > > <ts...@am-soft.de>
> > > Date: Tuesday, January 31, 2012, 2:46 PM
> > > > I had already tried
> > > >
> > > > [/DEF]
> > > > @dev = r
> > > > @dev1 = rw
> > > >
> > > > and that did not work.
> > >
> > > Did you step back further? 1st, svn is case
> sensitive, so is the path
> > > in question actually all upper case?
> > >
> > > Even further back than that... did you try to just
> give all users read
> > > only access to root to ensure your path auth is
> working at all?
> > > Something like:
> > >
> > > [/]
> > > *=r
> > >
> > > Maybe even turn off anon access to ensure your
> authentication is
> > > working as well.
> > >
> > > Add stuff one step at a time.
> > >
> > > BOb
> > >
> > >

If I understand the question, yes. For the dir in question it is

svn://subversion/svnrepo/sandbox/DEF

RE: Limited subdirectory access

Posted by Bob Archer <Bo...@amsi.com>.
> I tried your suggestion of
> 
> [/]
> *=r
> 
> and I can still commit. So does that point to an error in svnserve.conf?
> 

Yes, something is not configured properly. You are using the svn:// protocol to access your repository?

BOb


> --- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com> wrote:
> 
> > From: Bob Archer <Bo...@amsi.com>
> > Subject: RE: Limited subdirectory access
> > To: "K F" <cm...@yahoo.com>, "users@subversion.apache.org"
> > <us...@subversion.apache.org>, "Thorsten Schöning"
> > <ts...@am-soft.de>
> > Date: Tuesday, January 31, 2012, 2:46 PM
> > > I had already tried
> > >
> > > [/DEF]
> > > @dev = r
> > > @dev1 = rw
> > >
> > > and that did not work.
> >
> > Did you step back further? 1st, svn is case sensitive, so is the path
> > in question actually all upper case?
> >
> > Even further back than that... did you try to just give all users read
> > only access to root to ensure your path auth is working at all?
> > Something like:
> >
> > [/]
> > *=r
> >
> > Maybe even turn off anon access to ensure your authentication is
> > working as well.
> >
> > Add stuff one step at a time.
> >
> > BOb
> >
> >
> > >
> > > --- On Tue, 1/31/12, Thorsten Schöning <ts...@am-soft.de>
> > wrote:
> > >
> > > > From: Thorsten Schöning <ts...@am-soft.de>
> > > > Subject: Re: Limited subdirectory access
> > > > To: users@subversion.apache.org
> > > > Date: Tuesday, January 31, 2012, 8:04 AM
> > > > Hello K F,
> > > > on Monday, 30 January 2012 at 23:20 you wrote:
> > > >
> > > > > [ABC:/DEF]
> > > > > @dev = r
> > > > > @dev1 = rw
> > > >
> > > > > Do I need the ABC in the front?
> > > >
> > > > If it's just one repository you're configuring your authz file for, you
> > > > shouldn't need to specify ABC, so try without. If this doesn't work,
> > > > you really should provide the whole authz file with access rules for
> > > > all paths, groups, members and describe with which user you log in and
> > > > can commit to which folder.
> > > >
> > > > Kind regards,
> > > >
> > > > Thorsten Schöning
> > > >
> > > > --
> > > > Thorsten Schöning       E-Mail:Thorsten.Schoening@AM-SoFT.de
> > > > AM-SoFT IT-Systeme      http://www.AM-SoFT.de/
> > > >
> > > > Phone...............030-2 1001-310
> > > > Fax...............05151-  9468- 88
> > > > Mobile.............0178-8 9468- 04
> > > >
> > > > AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln AG
> > > > Hanover HRB 207 694 - Managing Director: Andreas Muchow
> > > >
> > > >
> >

RE: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.
I tried your suggestion of 

[/]
*=r

and I can still commit. So does that point to an error in svnserve.conf?

--- On Tue, 1/31/12, Bob Archer <Bo...@amsi.com> wrote:

> From: Bob Archer <Bo...@amsi.com>
> Subject: RE: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>, "users@subversion.apache.org" <us...@subversion.apache.org>, "Thorsten Schöning" <ts...@am-soft.de>
> Date: Tuesday, January 31, 2012, 2:46 PM
> > I had already tried
> > 
> > [/DEF]
> > @dev = r
> > @dev1 = rw
> > 
> > and that did not work.
> 
> Did you step back further? 1st, svn is case sensitive, so is
> the path in question actually all upper case?
> 
> Even further back than that... did you try to just give all
> users read only access to root to ensure your path auth is
> working at all? Something like:
> 
> [/]
> *=r
> 
> Maybe even turn off anon access to ensure your authentication
> is working as well. 
> 
> Add stuff one step at a time.
> 
> BOb
> 
> 
> > 
> > --- On Tue, 1/31/12, Thorsten Schöning <ts...@am-soft.de>
> wrote:
> > 
> > > From: Thorsten Schöning <ts...@am-soft.de>
> > > Subject: Re: Limited subdirectory access
> > > To: users@subversion.apache.org
> > > Date: Tuesday, January 31, 2012, 8:04 AM
> > > Hello K F,
> > > on Monday, 30 January 2012 at 23:20 you wrote:
> > >
> > > > [ABC:/DEF]
> > > > @dev = r
> > > > @dev1 = rw
> > >
> > > > Do I need the ABC in the front?
> > >
> > > If it's just one repository you're configuring your authz file for, you
> > > shouldn't need to specify ABC, so try without. If this doesn't work,
> > > you really should provide the whole authz file with access rules for
> > > all paths, groups, members and describe with which user you log in and
> > > can commit to which folder.
> > >
> > > Kind regards,
> > >
> > > Thorsten Schöning
> > >
> > > --
> > > Thorsten Schöning       E-Mail:Thorsten.Schoening@AM-SoFT.de
> > > AM-SoFT IT-Systeme      http://www.AM-SoFT.de/
> > >
> > > Phone...............030-2 1001-310
> > > Fax...............05151-  9468- 88
> > > Mobile.............0178-8 9468- 04
> > >
> > > AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln AG
> > > Hanover HRB 207 694 - Managing Director: Andreas Muchow
> > >
> > >
> 

RE: Limited subdirectory access

Posted by Bob Archer <Bo...@amsi.com>.
> I had already tried
> 
> [/DEF]
> @dev = r
> @dev1 = rw
> 
> and that did not work.

Did you step back further? 1st, svn is case sensitive, so is the path in question actually all upper case?

Even further back than that... did you try to just give all users read only access to root to ensure your path auth is working at all? Something like:

[/]
*=r

Maybe even turn off anon access to ensure your authentication is working as well.

Add stuff one step at a time.

BOb


> 
> --- On Tue, 1/31/12, Thorsten Schöning <ts...@am-soft.de> wrote:
> 
> > From: Thorsten Schöning <ts...@am-soft.de>
> > Subject: Re: Limited subdirectory access
> > To: users@subversion.apache.org
> > Date: Tuesday, January 31, 2012, 8:04 AM
> > Hello K F,
> > on Monday, 30 January 2012 at 23:20 you wrote:
> >
> > > [ABC:/DEF]
> > > @dev = r
> > > @dev1 = rw
> >
> > > Do I need the ABC in the front?
> >
> > If it's just one repository you're configuring your authz file for, you
> > shouldn't need to specify ABC, so try without. If this doesn't work,
> > you really should provide the whole authz file with access rules for
> > all paths, groups, members and describe with which user you log in and
> > can commit to which folder.
> >
> > Kind regards,
> >
> > Thorsten Schöning
> >
> > --
> > Thorsten Schöning       E-Mail:Thorsten.Schoening@AM-SoFT.de
> > AM-SoFT IT-Systeme      http://www.AM-SoFT.de/
> >
> > Phone...............030-2 1001-310
> > Fax...............05151-  9468- 88
> > Mobile.............0178-8 9468- 04
> >
> > AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln AG
> > Hanover HRB 207 694 - Managing Director: Andreas Muchow
> >
> >

Re: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.
I had already tried

[/DEF]
@dev = r
@dev1 = rw

and that did not work.

--- On Tue, 1/31/12, Thorsten Schöning <ts...@am-soft.de> wrote:

> From: Thorsten Schöning <ts...@am-soft.de>
> Subject: Re: Limited subdirectory access
> To: users@subversion.apache.org
> Date: Tuesday, January 31, 2012, 8:04 AM
> Hello K F,
> on Monday, 30 January 2012 at 23:20 you wrote:
> 
> > [ABC:/DEF]
> > @dev = r
> > @dev1 = rw
> 
> > Do I need the ABC in the front?
> 
> If it's just one repository you're configuring your authz file for, you
> shouldn't need to specify ABC, so try without. If this doesn't work,
> you really should provide the whole authz file with access rules for
> all paths, groups, members and describe with which user you log in and
> can commit to which folder.
> 
> Kind regards,
> 
> Thorsten Schöning
> 
> -- 
> Thorsten Schöning       E-Mail:Thorsten.Schoening@AM-SoFT.de
> AM-SoFT IT-Systeme      http://www.AM-SoFT.de/
> 
> Phone...............030-2 1001-310
> Fax...............05151-  9468- 88
> Mobile.............0178-8 9468- 04
> 
> AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
> AG Hanover HRB 207 694 - Managing Director: Andreas Muchow
> 
> 

Re: Limited subdirectory access

Posted by Thorsten Schöning <ts...@am-soft.de>.
Hello K F,
on Monday, 30 January 2012 at 23:20 you wrote:

> [ABC:/DEF]
> @dev = r
> @dev1 = rw

> Do I need the ABC in the front?

If it's just one repository you're configuring your authz file for, you
shouldn't need to specify ABC, so try without. If this doesn't work,
you really should provide the whole authz file with access rules for
all paths, groups, members and describe with which user you log in and
can commit to which folder.

Kind regards,

Thorsten Schöning

-- 
Thorsten Schöning       E-Mail:Thorsten.Schoening@AM-SoFT.de
AM-SoFT IT-Systeme      http://www.AM-SoFT.de/

Phone...............030-2 1001-310
Fax...............05151-  9468- 88
Mobile.............0178-8 9468- 04

AM-SoFT GmbH IT-Systeme, Brandenburger Str. 7c, 31789 Hameln
AG Hanover HRB 207 694 - Managing Director: Andreas Muchow


Re: Limited subdirectory access

Posted by Daniel Shahaf <d....@daniel.shahaf.name>.
Johan Corveleyn wrote on Mon, Jan 30, 2012 at 23:13:17 +0100:
> Can you check if order of the rules matters? Either putting this rule
> with [ABC:/DEF] before or after the other one (for [ABC:/]). I'm not
> sure, but I vaguely remember some prior discussion about this ...

Aren't they parsed into a hash?

Anyway: [foo:/bar] has priority over [/bar].

Re: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Mon, 1/30/12, Johan Corveleyn <jc...@gmail.com> wrote:

> From: Johan Corveleyn <jc...@gmail.com>
> Subject: Re: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>
> Cc: "Stefan Sperling" <st...@elego.de>, "Andy Levy" <an...@gmail.com>, users@subversion.apache.org
> Date: Monday, January 30, 2012, 10:13 PM
> On Mon, Jan 30, 2012 at 10:55 PM, K F
> <cm...@yahoo.com>
> wrote:
> >
> >
> > --- On Mon, 1/30/12, Stefan Sperling <st...@elego.de>
> wrote:
> >
> >> From: Stefan Sperling <st...@elego.de>
> >> Subject: Re: Limited subdirectory access
> >> To: "K F" <cm...@yahoo.com>
> >> Cc: "Andy Levy" <an...@gmail.com>,
> users@subversion.apache.org
> >> Date: Monday, January 30, 2012, 9:32 PM
> >> On Mon, Jan 30, 2012 at 01:14:53PM
> >> -0800, K F wrote:
> >> > --- On Mon, 1/30/12, Andy Levy <an...@gmail.com>
> >> wrote:
> >> > > have it setup in the authz file now:
> >> > > > [/]
> >> > > > @dev = rw
> >> > > > @qa = r
> >> > > >
> >> > > > [/ABC/DEF]
> >> > > > @dev1 = rw
> >> > > >
> >> > > > Do I need to be more specific?
> >> > > >
> >> > >
> >> > > What exactly isn't working?
> >> > >
> >> > > Is dev1 a group, or an individual?
> >> > >
> >> > > Do you have the case of the path matched
> exactly?
> >> The rules
> >> > > are case-sensitive.
> >> > >
> >> >
> >> > I am able to commit with a login that is in
> the dev
> >> group that is not in the dev1 group.
> >> >
> >> > The actual path is /svnrepo/ABC/DEF so I
> tried
> >> >
> >> > [/svnrepo/sandbox/tags]
> >> > @dev1 = rw
> >> >
> >> > and that doesn't work either. Based on the
> example in
> >> the file I also tried
> >> >
> >> > [repository:/svnrepo/sandbox/tags]
> >> > @dev1 = rw
> >> >
> >> > with no luck. Any ideas as to what I am doing
> wrong?
> >>
> >> You'll need to tighten permissions for the 'dev'
> group in
> >> /ABC/DEF also.
> >> [/]
> >> @dev = rw
> >> @qa = r
> >>
> >> [/ABC/DEF]
> >> @dev = r
> >> @dev1 = rw
> >>
> >> See this snippet from
> >> http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
> >>   "Of course, permissions are inherited from
> parent to
> >> child directory.
> >>   That means we can specify a subdirectory with a
> >> different access policy
> >>   for Sally:
> >>
> >>   [calc:/branches/calc/bug-142]
> >>   harry = rw
> >>   sally = r
> >>
> >>   # give sally write access only to the 'testing'
> >> subdir
> >>   [calc:/branches/calc/bug-142/testing]
> >>   sally = rw
> >>
> >>   Now Sally can write to the testing subdirectory
> of
> >> the branch, but can
> >>   still only read other parts. Harry, meanwhile,
> >> continues to have
> >>   complete read/write access to the whole
> branch."
> >>
> >> The same applies when restricting access, rather
> than
> >> expanding it.
> >>
> >
> > I realize my explanation is wrong, my apologies. It is
> actually repo ABC with 40+ folders under it. I want to limit
> who has access to one of the folders (DEF). After looking at
> the svnbook, I thought the following would work but it is
> still not working:
> >
> > [ABC:/DEF]
> > @dev = r
> > @dev1 = rw
> 
> Can you check if order of the rules matters? Either putting
> this rule
> with [ABC:/DEF] before or after the other one (for [ABC:/]).
> I'm not
> sure, but I vaguely remember some prior discussion about
> this ...
> 
> -- 
> Johan
> 

I tried swapping the order and that didn't work either. Am I stating it correctly?

[ABC:/DEF]
@dev = r
@dev1 = rw

Do I need the ABC in the front?



Re: Limited subdirectory access

Posted by Johan Corveleyn <jc...@gmail.com>.
On Mon, Jan 30, 2012 at 10:55 PM, K F <cm...@yahoo.com> wrote:
>
>
> --- On Mon, 1/30/12, Stefan Sperling <st...@elego.de> wrote:
>
>> From: Stefan Sperling <st...@elego.de>
>> Subject: Re: Limited subdirectory access
>> To: "K F" <cm...@yahoo.com>
>> Cc: "Andy Levy" <an...@gmail.com>, users@subversion.apache.org
>> Date: Monday, January 30, 2012, 9:32 PM
>> On Mon, Jan 30, 2012 at 01:14:53PM
>> -0800, K F wrote:
>> > --- On Mon, 1/30/12, Andy Levy <an...@gmail.com>
>> wrote:
>> > > have it setup in the authz file now:
>> > > > [/]
>> > > > @dev = rw
>> > > > @qa = r
>> > > >
>> > > > [/ABC/DEF]
>> > > > @dev1 = rw
>> > > >
>> > > > Do I need to be more specific?
>> > > >
>> > >
>> > > What exactly isn't working?
>> > >
>> > > Is dev1 a group, or an individual?
>> > >
>> > > Do you have the case of the path matched exactly?
>> The rules
>> > > are case-sensitive.
>> > >
>> >
>> > I am able to commit with a login that is in the dev
>> group that is not in the dev1 group.
>> >
>> > The actual path is /svnrepo/ABC/DEF so I tried
>> >
>> > [/svnrepo/sandbox/tags]
>> > @dev1 = rw
>> >
>> > and that doesn't work either. Based on the example in
>> the file I also tried
>> >
>> > [repository:/svnrepo/sandbox/tags]
>> > @dev1 = rw
>> >
>> > with no luck. Any ideas as to what I am doing wrong?
>>
>> You'll need to tighten permissions for the 'dev' group in
>> /ABC/DEF also.
>> [/]
>> @dev = rw
>> @qa = r
>>
>> [/ABC/DEF]
>> @dev = r
>> @dev1 = rw
>>
>> See this snippet from
>> http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
>>   "Of course, permissions are inherited from parent to
>> child directory.
>>   That means we can specify a subdirectory with a
>> different access policy
>>   for Sally:
>>
>>   [calc:/branches/calc/bug-142]
>>   harry = rw
>>   sally = r
>>
>>   # give sally write access only to the 'testing'
>> subdir
>>   [calc:/branches/calc/bug-142/testing]
>>   sally = rw
>>
>>   Now Sally can write to the testing subdirectory of
>> the branch, but can
>>   still only read other parts. Harry, meanwhile,
>> continues to have
>>   complete read/write access to the whole branch."
>>
>> The same applies when restricting access, rather than
>> expanding it.
>>
>
> I realize my explanation is wrong, my apologies. It is actually repo ABC with 40+ folders under it. I want to limit who has access to one of the folders (DEF). After looking at the svnbook, I thought the following would work but it is still not working:
>
> [ABC:/DEF]
> @dev = r
> @dev1 = rw

Can you check if order of the rules matters? Either putting this rule
with [ABC:/DEF] before or after the other one (for [ABC:/]). I'm not
sure, but I vaguely remember some prior discussion about this ...

-- 
Johan

Re: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Mon, 1/30/12, Stefan Sperling <st...@elego.de> wrote:

> From: Stefan Sperling <st...@elego.de>
> Subject: Re: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>
> Cc: "Andy Levy" <an...@gmail.com>, users@subversion.apache.org
> Date: Monday, January 30, 2012, 9:32 PM
> On Mon, Jan 30, 2012 at 01:14:53PM
> -0800, K F wrote:
> > --- On Mon, 1/30/12, Andy Levy <an...@gmail.com>
> wrote:
> > > have it setup in the authz file now:
> > > > [/]
> > > > @dev = rw
> > > > @qa = r
> > > >
> > > > [/ABC/DEF]
> > > > @dev1 = rw
> > > >
> > > > Do I need to be more specific?
> > > >
> > > 
> > > What exactly isn't working?
> > > 
> > > Is dev1 a group, or an individual?
> > > 
> > > Do you have the case of the path matched exactly?
> The rules
> > > are case-sensitive.
> > > 
> > 
> > I am able to commit with a login that is in the dev
> group that is not in the dev1 group.
> > 
> > The actual path is /svnrepo/ABC/DEF so I tried
> > 
> > [/svnrepo/sandbox/tags]
> > @dev1 = rw
> > 
> > and that doesn't work either. Based on the example in
> the file I also tried
> > 
> > [repository:/svnrepo/sandbox/tags]
> > @dev1 = rw
> > 
> > with no luck. Any ideas as to what I am doing wrong?
> 
> You'll need to tighten permissions for the 'dev' group in
> /ABC/DEF also.
> [/]
> @dev = rw
> @qa = r
> 
> [/ABC/DEF]
> @dev = r      
> @dev1 = rw
> 
> See this snippet from
> http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
>   "Of course, permissions are inherited from parent to
> child directory.
>   That means we can specify a subdirectory with a
> different access policy
>   for Sally:
>   
>   [calc:/branches/calc/bug-142]
>   harry = rw
>   sally = r
>   
>   # give sally write access only to the 'testing'
> subdir
>   [calc:/branches/calc/bug-142/testing]
>   sally = rw
>   
>   Now Sally can write to the testing subdirectory of
> the branch, but can
>   still only read other parts. Harry, meanwhile,
> continues to have
>   complete read/write access to the whole branch."
> 
> The same applies when restricting access, rather than
> expanding it.
> 

I realize my explanation is wrong, my apologies. It is actually repo ABC with 40+ folders under it. I want to limit who has access to one of the folders (DEF). After looking at the svnbook, I thought the following would work but it is still not working:

[ABC:/DEF]
@dev = r
@dev1 = rw




Re: Limited subdirectory access

Posted by Stefan Sperling <st...@elego.de>.
On Mon, Jan 30, 2012 at 01:14:53PM -0800, K F wrote:
> --- On Mon, 1/30/12, Andy Levy <an...@gmail.com> wrote:
> > have it setup in the authz file now:
> > > [/]
> > > @dev = rw
> > > @qa = r
> > >
> > > [/ABC/DEF]
> > > @dev1 = rw
> > >
> > > Do I need to be more specific?
> > >
> > 
> > What exactly isn't working?
> > 
> > Is dev1 a group, or an individual?
> > 
> > Do you have the case of the path matched exactly? The rules
> > are case-sensitive.
> > 
> 
> I am able to commit with a login that is in the dev group that is not in the dev1 group.
> 
> The actual path is /svnrepo/ABC/DEF so I tried
> 
> [/svnrepo/sandbox/tags]
> @dev1 = rw
> 
> and that doesn't work either. Based on the example in the file I also tried
> 
> [repository:/svnrepo/sandbox/tags]
> @dev1 = rw
> 
> with no luck. Any ideas as to what I am doing wrong?

You'll need to tighten permissions for the 'dev' group in /ABC/DEF also.
[/]
@dev = rw
@qa = r

[/ABC/DEF]
@dev = r      
@dev1 = rw

See this snippet from
http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html
  "Of course, permissions are inherited from parent to child directory.
  That means we can specify a subdirectory with a different access policy
  for Sally:
  
  [calc:/branches/calc/bug-142]
  harry = rw
  sally = r
  
  # give sally write access only to the 'testing' subdir
  [calc:/branches/calc/bug-142/testing]
  sally = rw
  
  Now Sally can write to the testing subdirectory of the branch, but can
  still only read other parts. Harry, meanwhile, continues to have
  complete read/write access to the whole branch."

The same applies when restricting access, rather than expanding it.
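
A simplified model of the lookup discussed in this thread, as an added example that is not part of any post and is not Subversion's own code: the most specific path is tried first, a repository-qualified section is tried before the unqualified one, and a section that says nothing about the user falls through to the parent. It assumes that several matching entries in one section are combined, ignores nested groups and aliases, and uses made-up user names (alice, bob, carol, quinn) with the group and path names from the thread.

```python
# Constructed authz files using the group and path names from the thread.
GROUPS = """\
[groups]
dev = alice, bob, carol
dev1 = carol
qa = quinn
"""

# The first attempt: nothing in [/ABC/DEF] mentions @dev.
FIRST_ATTEMPT = GROUPS + """\
[/]
@dev = rw
@qa = r

[/ABC/DEF]
@dev1 = rw
"""

# The tightened version: @dev is explicitly reduced to read-only below DEF.
TIGHTENED = GROUPS + """\
[/]
@dev = rw
@qa = r

[/ABC/DEF]
@dev = r
@dev1 = rw
"""

# A repository-qualified section next to an unqualified one for the same path.
REPO_QUALIFIED = GROUPS + """\
[/DEF]
@dev = rw

[ABC:/DEF]
@dev = r
@dev1 = rw
"""


def parse_authz(text):
    """Split an authz file into ({group: members}, {section: {who: perm}})."""
    groups, rules, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section != "groups":
                rules.setdefault(section, {})
            continue
        if section is None:
            continue
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if section == "groups":
            groups[name] = {m.strip() for m in value.split(",") if m.strip()}
        else:
            rules[section][name] = value
    return groups, rules


def entry_matches(who, user, groups):
    """True if an authz entry name (*, user or @group) applies to the user."""
    if who == "*" or who == user:
        return True
    return who.startswith("@") and user in groups.get(who[1:], set())


def access(authz_text, repo, user, path):
    """Return 'rw', 'r' or '' for the user on a path (names are case-sensitive)."""
    groups, rules = parse_authz(authz_text)
    parts = [p for p in path.split("/") if p]
    # Walk from the full path up to the root, most specific section first.
    for depth in range(len(parts), -1, -1):
        candidate = "/" + "/".join(parts[:depth])
        # The repository-qualified section is consulted before the plain one.
        for section in (f"{repo}:{candidate}", candidate):
            entries = rules.get(section, {})
            matched = [p for who, p in entries.items()
                       if entry_matches(who, user, groups)]
            if matched:
                # Assumption: matching entries in one section are combined.
                if any("w" in p for p in matched):
                    return "rw"
                return "r" if any("r" in p for p in matched) else ""
    return ""  # no section mentions the user: no access


if __name__ == "__main__":
    for label, text in (("first attempt", FIRST_ATTEMPT), ("tightened", TIGHTENED)):
        for user in ("alice", "carol", "quinn"):
            print(label, user, repr(access(text, "svnrepo", user, "/ABC/DEF/build.xml")))
```

With the tightened file, a path written as `/abc/def/...` still resolves to the root rule, which is why the replies keep asking whether the case of the section path matches the repository exactly.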

Re: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Mon, 1/30/12, Andy Levy <an...@gmail.com> wrote:

> From: Andy Levy <an...@gmail.com>
> Subject: Re: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>
> Cc: users@subversion.apache.org
> Date: Monday, January 30, 2012, 8:57 PM
> On Mon, Jan 30, 2012 at 15:52, K F
> <cm...@yahoo.com>
> wrote:
> >
> >
> > --- On Mon, 1/30/12, Andy Levy <an...@gmail.com>
> wrote:
> >
> >> From: Andy Levy <an...@gmail.com>
> >> Subject: Re: Limited subdirectory access
> >> To: "K F" <cm...@yahoo.com>
> >> Cc: users@subversion.apache.org
> >> Date: Monday, January 30, 2012, 8:45 PM
> >> On Mon, Jan 30, 2012 at 15:39, K F
> >> <cm...@yahoo.com>
> >> wrote:
> >> > We have repo ABC with 40+ subdirectories.
> Current svn
> >> security allows developers rw permissions and qa
> read only
> >> to ABC. We would like to have a subgroup of dev to
> have
> >> access to subdirectory DEF (ABC/DEF). Is there a
> way of
> >> doing this, or does the parent directory access
> take
> >> precedence?
> >>
> >> The most specific path matches first. Just add a
> rule for
> >> that
> >> subgroup to have access to ABC/DEF and they'll be
> set.
> >>
> >
> > OK, then I must be doing something wrong. This is how I
> have it setup in the authz file now:
> > [/]
> > @dev = rw
> > @qa = r
> >
> > [/ABC/DEF]
> > @dev1 = rw
> >
> > Do I need to be more specific?
> >
> 
> What exactly isn't working?
> 
> Is dev1 a group, or an individual?
> 
> Do you have the case of the path matched exactly? The rules
> are case-sensitive.
> 

I am able to commit with a login that is in the dev group that is not in the dev1 group.

The actual path is /svnrepo/ABC/DEF so I tried

[/svnrepo/sandbox/tags]
@dev1 = rw

and that doesn't work either. Based on the example in the file I also tried

[repository:/svnrepo/sandbox/tags]
@dev1 = rw

with no luck. Any ideas as to what I am doing wrong?

Re: Limited subdirectory access

Posted by Andy Levy <an...@gmail.com>.
On Mon, Jan 30, 2012 at 15:52, K F <cm...@yahoo.com> wrote:
>
>
> --- On Mon, 1/30/12, Andy Levy <an...@gmail.com> wrote:
>
>> From: Andy Levy <an...@gmail.com>
>> Subject: Re: Limited subdirectory access
>> To: "K F" <cm...@yahoo.com>
>> Cc: users@subversion.apache.org
>> Date: Monday, January 30, 2012, 8:45 PM
>> On Mon, Jan 30, 2012 at 15:39, K F
>> <cm...@yahoo.com>
>> wrote:
>> > We have repo ABC with 40+ subdirectories. Current svn
>> security allows developers rw permissions and qa read only
>> to ABC. We would like to have a subgroup of dev to have
>> access to subdirectory DEF (ABC/DEF). Is there a way of
>> doing this, or does the parent directory access take
>> precedence?
>>
>> The most specific path matches first. Just add a rule for
>> that
>> subgroup to have access to ABC/DEF and they'll be set.
>>
>
> OK, then I must be doing something wrong. This is how I have it setup in the authz file now:
> [/]
> @dev = rw
> @qa = r
>
> [/ABC/DEF]
> @dev1 = rw
>
> Do I need to be more specific?
>

What exactly isn't working?

Is dev1 a group, or an individual?

Do you have the case of the path matched exactly? The rules are case-sensitive.

Re: Limited subdirectory access

Posted by K F <cm...@yahoo.com>.

--- On Mon, 1/30/12, Andy Levy <an...@gmail.com> wrote:

> From: Andy Levy <an...@gmail.com>
> Subject: Re: Limited subdirectory access
> To: "K F" <cm...@yahoo.com>
> Cc: users@subversion.apache.org
> Date: Monday, January 30, 2012, 8:45 PM
> On Mon, Jan 30, 2012 at 15:39, K F
> <cm...@yahoo.com>
> wrote:
> > We have repo ABC with 40+ subdirectories. Current svn
> security allows developers rw permissions and qa read only
> to ABC. We would like to have a subgroup of dev to have
> access to subdirectory DEF (ABC/DEF). Is there a way of
> doing this, or does the parent directory access take
> precedence?
> 
> The most specific path matches first. Just add a rule for
> that
> subgroup to have access to ABC/DEF and they'll be set.
> 

OK, then I must be doing something wrong. This is how I have it setup in the authz file now:
[/]
@dev = rw
@qa = r

[/ABC/DEF]
@dev1 = rw

Do I need to be more specific?