Posted to users@subversion.apache.org by "Gleason, Todd" <tg...@impac.com> on 2008/10/22 02:36:28 UTC

NTLM lookup within hook script

I'm trying to write a pre-commit hook script along the lines of
svnperms.  The script needs to do an NTLM lookup on the user committing
the transaction, find the groups for the user, and determine whether the
user has write access to all the svn paths in the transaction based on a
config file.  Has anyone done or seen anything like this?  It seems like
most of the NTLM information I can find is centered around
authenticating, when you have a userid and password, but here all I
think I have is a userid, and I want to do the lookup using the account
that the svn server is running under.

 

The svn server is version 1.5.2 with Apache, running on a Windows
server.  I'm hoping to implement the script in Python though I don't
mind if I have to call into something else for the NTLM lookup.

 

Please note that due to our network topology, we can't use LDAP, and we
would prefer not to deal with a hand-coded users/groups permissions
file.

 

--Todd
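
The path check described in the post above, as an added example that is not code from svnperms or from anyone in this thread. The config format, group names and function names are assumptions; the caller supplies the committing user's groups (however they are looked up) and the text printed by `svnlook changed -t TXN REPO`.

```python
import configparser

# Constructed sample config (assumed format): section = repository path prefix,
# "write" = comma-separated groups allowed to commit below that prefix.
SAMPLE_CONFIG = """
[trunk]
write = Developers, ReleaseManagers
[tags]
write = ReleaseManagers
[branches/experimental]
write = Developers, Contractors
"""

def load_rules(text):
    """Return {prefix_tuple: set_of_lowercased_groups} from the config text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    rules = {}
    for section in cp.sections():
        prefix = tuple(p for p in section.split("/") if p)
        groups = cp.get(section, "write", fallback="")
        rules[prefix] = {g.strip().lower() for g in groups.split(",") if g.strip()}
    return rules

def changed_paths(svnlook_output):
    """Extract paths from `svnlook changed` output (path starts at column 4)."""
    return [line[4:] for line in svnlook_output.splitlines() if len(line) > 4]

def denied_paths(user_groups, svnlook_output, rules):
    """Paths the user may not write. Longest matching prefix wins; no match = deny."""
    groups = {g.lower() for g in user_groups}  # Windows group names are case-insensitive
    denied = []
    for path in changed_paths(svnlook_output):
        parts = tuple(p for p in path.split("/") if p)
        # Compare whole path components so "trunk2/x" never matches the "trunk" rule.
        matches = [pre for pre in rules if parts[:len(pre)] == pre]
        allowed = rules[max(matches, key=len)] if matches else set()
        if not groups & allowed:
            denied.append(path)
    return denied

def check_commit(user_groups, svnlook_output, rules):
    """Hook exit code: 0 allows the commit, 1 rejects it (any denied path rejects)."""
    return 1 if denied_paths(user_groups, svnlook_output, rules) else 0
```

A hook wrapper would print the denied paths to stderr before exiting non-zero so the committer sees why the transaction was rejected.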

 


RE: NTLM lookup within hook script

Posted by km...@rockwellcollins.com.
"Gleason, Todd" <tg...@impac.com> wrote on 10/23/2008 09:32:27 AM:
> Thanks Kevin.  Can you confirm what size repository you're using?  Thousands
> of files?  At least a few hundred revisions and no performance problems with
> svn log (and not using any sort of log caching)?


Our largest repo (served from windows using mod_auth_sspi) is around 50G
on the server.  It has around 20k revisions and 130k files.  It also
uses an AuthzSVNAccessFile with 1300 lines...

A full "svn log" of all 20k revisions on the root path took around 5 minutes
and created about 90Mb of output.  Neither the client nor the server used
much CPU.

> Also I'm confused by the SSPIPerRequestAuth.  Looking at
> http://svn-summit.open.collab.net/wiki/RoundTableFeedback I see this:
>
> *  SSPI reprompting for auth credentials too often. (Once per Apache child?
>    Subversion creates too many RA sessions?)
> *         SSPI re-authenticates automatically. The mod_auth_sspi module has
>           an option "SSPIPerRequestAuth on" that, if turned on reduces the
>           re-authentication to once per session. If turned off (the default),
>           it re-authenticates a lot more
> It sounds like the SSPIPerRequestAuth is more "chatty" if turned off, so it
> sounds like you would want it on.  See also
>
> http://svn.haxx.se/tsvnusers/archive-2008-07/1073.shtml
>
> where it says
>
> >> this will make SSPI only require new authentication for every request,
> >> not every datapacket sent.
>
> So I don't see how having SSPIPerRequestAuth off could be a good thing.

I believe this was documented "backwards".  In any case, things were
really slow until I turned it "off", so that is where I left it.

Kevin R.


> From: kmradke@rockwellcollins.com [mailto:kmradke@rockwellcollins.com] 
> Sent: Wednesday, October 22, 2008 9:27 AM
> To: Gleason, Todd
> Cc: Miha Vitorovic; SubVersion Users
> Subject: RE: NTLM lookup within hook script
> 
> 
> "Gleason, Todd" <tg...@impac.com> wrote on 10/22/2008 06:33:44 AM:
> > Someone can correct me if I'm wrong, but I understood it to be the case that
> > using Apache to do path-based security would cause extreme performance
> > problems with Subversion.  Basically I thought that lookups would be done on
> > every svn path for operations like svn log, update, and checkout, which is a
> > dealbreaker since within a given repo we want uniform read access, and high
> > performance.  I thought this was one of the big reasons behind svnperms.  Did
> > I misunderstand?
> 
> svnperms allows "action" based controls, such as add, but not delete, etc.
> Path based only allows for R/O or R/W access.
> 
> If you are on windows, you may also want to check out visualsvn server: 
> http://www.visualsvn.com/server/ 
> 
> It has a graphical management console to add/remove permissions on a
> per directory basis and will talk directly to your Active Directory server.
> (Similar authentication to mod_auth_sspi)
> 
> I haven't seen extreme performance problems using mod_auth_sspi. 
> You will want to make sure to use "SSPIPerRequestAuth Off" in 
> your config file though. 
> 
> Kevin R. 
> 
> 
> 
> > From: Miha Vitorovic [mailto:mvitorovic@nil.si] 
> > Sent: Tuesday, October 21, 2008 11:26 PM
> > To: Gleason, Todd
> > Cc: SubVersion Users
> > Subject: Re: NTLM lookup within hook script 
> > 
> > 
> > "Gleason, Todd" <tg...@impac.com> wrote on 22.10.2008 04:36:28:
> > 
> > > I'm trying to write a pre-commit hook script along the lines of
> > > svnperms.  The script needs to do an NTLM lookup on the user
> > >
> > > The svn server is version 1.5.2 with Apache, running on a Windows
> > > server.  I'm hoping to implement the script in Python though I don't
> > > mind if I have to call into something else for the NTLM lookup.
> > 
> > Todd, 
> > 
> > since you're on Apache, aren't you basically trying to reinvent the wheel
> > (http://sourceforge.net/projects/mod-auth-sspi)?
> > 
> > Br, 
> > ---
> >  Miha Vitorovic
> >  Inženir v tehničnem področju
> >  Customer Support Engineer
> > 
> >   NIL Data Communications,  Tivolska cesta 48,  1000 Ljubljana,  Slovenia
> >   Phone +386 1 4746 500      Fax +386 1 4746 501     http://www.NIL.si

RE: NTLM lookup within hook script

Posted by "Gleason, Todd" <tg...@impac.com>.
Thanks Kevin.  Can you confirm what size repository you're using?  Thousands of files?  At least a few hundred revisions and no performance problems with svn log (and not using any sort of log caching)?

 

Also I'm confused by the SSPIPerRequestAuth.  Looking at http://svn-summit.open.collab.net/wiki/RoundTableFeedback I see this:

 

*  SSPI reprompting for auth credentials too often. (Once per Apache child? Subversion creates too many RA sessions?) 

*         SSPI re-authenticates automatically. The mod_auth_sspi module has an option "SSPIPerRequestAuth on" that, if turned on reduces the re-authentication to once per session. If turned off (the default), it re-authenticates a lot more 

It sounds like the SSPIPerRequestAuth is more "chatty" if turned off, so it sounds like you would want it on.  See also

 

http://svn.haxx.se/tsvnusers/archive-2008-07/1073.shtml

 

where it says

 

>> this will make SSPI only require new authentication for every request, 
>> not every datapacket sent.

 

So I don't see how having SSPIPerRequestAuth off could be a good thing.

 

--Todd

 

________________________________

From: kmradke@rockwellcollins.com [mailto:kmradke@rockwellcollins.com] 
Sent: Wednesday, October 22, 2008 9:27 AM
To: Gleason, Todd
Cc: Miha Vitorovic; SubVersion Users
Subject: RE: NTLM lookup within hook script

 


"Gleason, Todd" <tg...@impac.com> wrote on 10/22/2008 06:33:44 AM:
> Someone can correct me if I'm wrong, but I understood it to be the case that 
> using Apache to do path-based security would cause extreme performance 
> problems with Subversion.  Basically I thought that lookups would be done on 
> every svn path for operations like svn log, update, and checkout, which is a 
> dealbreaker since within a given repo we want uniform read access, and high 
> performance.  I thought this was one of the big reasons behind svnperms.  Did
> I misunderstand? 

svnperms allows "action" based controls, such as add, but not delete, etc. 
Path based only allows for R/O or R/W access. 

If you are on windows, you may also want to check out visualsvn server: 
http://www.visualsvn.com/server/ 

It has a graphical management console to add/remove permissions on a 
per directory basis and will talk directly to your Active Directory server. 
(Similar authentication to mod_auth_sspi) 

I haven't seen extreme performance problems using mod_auth_sspi. 
You will want to make sure to use "SSPIPerRequestAuth Off" in 
your config file though. 

Kevin R. 



> From: Miha Vitorovic [mailto:mvitorovic@nil.si] 
> Sent: Tuesday, October 21, 2008 11:26 PM
> To: Gleason, Todd
> Cc: SubVersion Users
> Subject: Re: NTLM lookup within hook script 
>   
> 
> "Gleason, Todd" <tg...@impac.com> wrote on 22.10.2008 04:36:28:
> 
> > I'm trying to write a pre-commit hook script along the lines of 
> > svnperms.  The script needs to do an NTLM lookup on the user 
> >   
> > The svn server is version 1.5.2 with Apache, running on a Windows 
> > server.  I'm hoping to implement the script in Python though I don't 
> > mind if I have to call into something else for the NTLM lookup. 
> 
> Todd, 
> 
> since you're on Apache, aren't you basically trying to reinvent the wheel (
> http://sourceforge.net/projects/mod-auth-sspi)? 
> 
> Br, 
> ---
>  Miha Vitorovic
>  Inženir v tehničnem področju
>  Customer Support Engineer
> 
>   NIL Data Communications,  Tivolska cesta 48,  1000 Ljubljana,  Slovenia
>   Phone +386 1 4746 500      Fax +386 1 4746 501     http://www.NIL.si 


RE: NTLM lookup within hook script

Posted by km...@rockwellcollins.com.
"Gleason, Todd" <tg...@impac.com> wrote on 10/22/2008 06:33:44 AM:
> Someone can correct me if I'm wrong, but I understood it to be the case that
> using Apache to do path-based security would cause extreme performance
> problems with Subversion.  Basically I thought that lookups would be done on
> every svn path for operations like svn log, update, and checkout, which is a
> dealbreaker since within a given repo we want uniform read access, and high
> performance.  I thought this was one of the big reasons behind svnperms.  Did
> I misunderstand?

svnperms allows "action" based controls, such as add, but not delete, etc.
Path based only allows for R/O or R/W access.

If you are on windows, you may also want to check out visualsvn server:
http://www.visualsvn.com/server/

It has a graphical management console to add/remove permissions on a
per directory basis and will talk directly to your Active Directory server.
(Similar authentication to mod_auth_sspi)

I haven't seen extreme performance problems using mod_auth_sspi.
You will want to make sure to use "SSPIPerRequestAuth Off" in
your config file though.

Kevin R.



> From: Miha Vitorovic [mailto:mvitorovic@nil.si] 
> Sent: Tuesday, October 21, 2008 11:26 PM
> To: Gleason, Todd
> Cc: SubVersion Users
> Subject: Re: NTLM lookup within hook script
> 
> 
> "Gleason, Todd" <tg...@impac.com> wrote on 22.10.2008 04:36:28:
> 
> > I'm trying to write a pre-commit hook script along the lines of
> > svnperms.  The script needs to do an NTLM lookup on the user
> >
> > The svn server is version 1.5.2 with Apache, running on a Windows
> > server.  I'm hoping to implement the script in Python though I don't
> > mind if I have to call into something else for the NTLM lookup.
> 
> Todd, 
> 
> since you're on Apache, aren't you basically trying to reinvent the wheel
> (http://sourceforge.net/projects/mod-auth-sspi)?
> 
> Br, 
> ---
>  Miha Vitorovic
>  Inženir v tehničnem področju
>  Customer Support Engineer
> 
>   NIL Data Communications,  Tivolska cesta 48,  1000 Ljubljana, Slovenia
>   Phone +386 1 4746 500      Fax +386 1 4746 501     http://www.NIL.si 

RE: NTLM lookup within hook script

Posted by "Gleason, Todd" <tg...@impac.com>.
Someone can correct me if I'm wrong, but I understood it to be the case that using Apache to do path-based security would cause extreme performance problems with Subversion.  Basically I thought that lookups would be done on every svn path for operations like svn log, update, and checkout, which is a dealbreaker since within a given repo we want uniform read access, and high performance.  I thought this was one of the big reasons behind svnperms.  Did I misunderstand?

 

--Todd

 

________________________________

From: Miha Vitorovic [mailto:mvitorovic@nil.si] 
Sent: Tuesday, October 21, 2008 11:26 PM
To: Gleason, Todd
Cc: SubVersion Users
Subject: Re: NTLM lookup within hook script

 


"Gleason, Todd" <tg...@impac.com> wrote on 22.10.2008 04:36:28:

> I'm trying to write a pre-commit hook script along the lines of 
> svnperms.  The script needs to do an NTLM lookup on the user 
>   
> The svn server is version 1.5.2 with Apache, running on a Windows 
> server.  I'm hoping to implement the script in Python though I don't 
> mind if I have to call into something else for the NTLM lookup. 

Todd, 

since you're on Apache, aren't you basically trying to reinvent the wheel (http://sourceforge.net/projects/mod-auth-sspi)?

Br, 
---
 Miha Vitorovic
 Inženir v tehničnem področju
 Customer Support Engineer

  NIL Data Communications,  Tivolska cesta 48,  1000 Ljubljana,  Slovenia
  Phone +386 1 4746 500      Fax +386 1 4746 501     http://www.NIL.si


Re: NTLM lookup within hook script

Posted by Miha Vitorovic <mv...@nil.si>.
"Gleason, Todd" <tg...@impac.com> wrote on 22.10.2008 04:36:28:

> I’m trying to write a pre-commit hook script along the lines of 
> svnperms.  The script needs to do an NTLM lookup on the user 
> 
> The svn server is version 1.5.2 with Apache, running on a Windows 
> server.  I’m hoping to implement the script in Python though I don’t 
> mind if I have to call into something else for the NTLM lookup.

Todd,

since you're on Apache, aren't you basically trying to reinvent the wheel 
(http://sourceforge.net/projects/mod-auth-sspi)?

Br,
---
  Miha Vitorovic
  Inženir v tehničnem področju
  Customer Support Engineer

   NIL Data Communications,  Tivolska cesta 48,  1000 Ljubljana,  Slovenia
   Phone +386 1 4746 500      Fax +386 1 4746 501     http://www.NIL.si