Posted to dev@subversion.apache.org by "C. Michael Pilato" <cm...@collab.net> on 2008/06/30 18:08:35 UTC

Review requested: documenting the 'aliases' authz feature

Hey, folks.  I'm dropping a last-minute addition into the svnbook to 
describe the new 'aliases' authz-file feature.  Can someone read over this 
and sanity-check it?  Thanks.

------------------------------------------------------------------------
Subversion 1.5 brings another useful feature to the access file syntax: 
username aliases. Some authentication systems expect and carry relatively 
short usernames of the sorts we've been describing here—harry, sally, joe, 
etc. But other systems may carry much more complex usernames. For example, 
Harry's username in an LDAP-protected system might be /O=Red 
Bean/OU=Engineers/DC=com/DC=red-bean/CN=Harold Hacker. With usernames like 
that, the access file can become quite bloated with complex username strings 
that are easy to mistype. Fortunately, username aliases allow you to only 
have to type the correct complex username once, in a statement which assigns 
to it a more easily digestible alias.

[aliases]
harry = /O=Red Bean/OU=Engineers/DC=com/DC=red-bean/CN=Harold Hacker
sally = /O=Red Bean/OU=Engineers/DC=com/DC=red-bean/CN=Sally Swatterbug
joe   = /O=Red Bean/OU=Engineers/DC=com/DC=red-bean/CN=Gerald I. Joseph
…

Once you've defined a set of aliases, you can refer to the users elsewhere 
in the access file via their aliases in all the same places you could have 
instead used their actual usernames. Simply prepend an ampersand to the 
alias to distinguish it from a regular username:

[groups]
calc-developers = &harry, &sally, &joe
paint-developers = &frank, &sally, &jane
everyone = @calc-developers, @paint-developers

You might also choose to use aliases if your users' usernames change 
frequently. Doing so allows you to need to update only the aliases table 
when these username changes occur, instead of doing 
global-search-and-replace operations on the whole access file.

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand
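
An added example, not part of the original post and not Subversion's own parser: a small Python audit script that expands the [aliases] and [groups] sections from the draft above into real usernames and reports alias references that have no definition (in the sample, &frank and &jane, whose definitions fall in the elided part). The function names and the use of Python's configparser are assumptions of this sketch.

```python
import configparser

# Constructed sample: the [aliases] and [groups] text from the draft above.
SAMPLE_AUTHZ = """\
[aliases]
harry = /O=Red Bean/OU=Engineers/DC=com/DC=red-bean/CN=Harold Hacker
sally = /O=Red Bean/OU=Engineers/DC=com/DC=red-bean/CN=Sally Swatterbug
joe   = /O=Red Bean/OU=Engineers/DC=com/DC=red-bean/CN=Gerald I. Joseph

[groups]
calc-developers = &harry, &sally, &joe
paint-developers = &frank, &sally, &jane
everyone = @calc-developers, @paint-developers
"""

def load(text):
    """Parse the access file text; return (aliases, groups) as plain dicts."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep usernames and alias names case-sensitive
    cp.read_string(text)
    aliases = dict(cp["aliases"]) if cp.has_section("aliases") else {}
    groups = dict(cp["groups"]) if cp.has_section("groups") else {}
    return aliases, groups

def expand(text):
    """Return ({group: set of real usernames}, set of undefined alias names)."""
    aliases, groups = load(text)
    undefined = set()

    def members(group, seen):
        if group in seen:
            raise ValueError(f"circular group reference: {group}")
        if group not in groups:
            raise ValueError(f"undefined group: {group}")
        users = set()
        for token in (t.strip() for t in groups[group].split(",")):
            if token.startswith("@"):      # nested group
                users |= members(token[1:], seen | {group})
            elif token.startswith("&"):    # alias: substitute the real username
                if token[1:] in aliases:
                    users.add(aliases[token[1:]])
                else:
                    undefined.add(token[1:])
            elif token:                    # plain username
                users.add(token)
        return users

    return {g: members(g, frozenset()) for g in groups}, undefined
```

Calling expand(SAMPLE_AUTHZ) returns the expanded group membership together with the set of alias names that are referenced but never defined.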


Re: Review requested: documenting the 'aliases' authz feature

Posted by Sander Striker <s....@striker.nl>.
On Mon, Jun 30, 2008 at 9:21 PM, C. Michael Pilato <cm...@collab.net> wrote:
> Blair Zajac wrote:
>>
>> C. Michael Pilato wrote:
>>>
>>> Hey, folks.  I'm dropping a last-minute addition into the svnbook to
>>> describe the new 'aliases' authz-file feature.  Can someone read over this
>>> and sanity-check it?  Thanks.

+1.

>> Looks good.  I haven't tested the feature, but the write-up is a good one.
>
> Actually, it was brought to my attention that the sample "LDAP" entries I gave
> weren't really LDAPpish at all, but more like SSL client cert DNs.

Which it works well for... :)

> So I've changed the examples to look like:
>
>   [aliases]
>   harry = CN=Harold Hacker,OU=Engineers,DC=red-bean,DC=com
>   sally = CN=Sally Swatterbug,OU=Engineers,DC=red-bean,DC=com
>   joe = CN=Gerald I. Joseph,OU=Engineers,DC=red-bean,DC=com

Cheers,

Sander

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: Review requested: documenting the 'aliases' authz feature

Posted by "C. Michael Pilato" <cm...@collab.net>.
Blair Zajac wrote:
> C. Michael Pilato wrote:
>> Hey, folks.  I'm dropping a last-minute addition into the svnbook to 
>> describe the new 'aliases' authz-file feature.  Can someone read over 
>> this and sanity-check it?  Thanks.
> 
> Looks good.  I haven't tested the feature, but the write-up is a good one.

Actually, it was brought to my attention that the sample "LDAP" entries I gave 
weren't really LDAPpish at all, but more like SSL client cert DNs.  So I've 
changed the examples to look like:

    [aliases]
    harry = CN=Harold Hacker,OU=Engineers,DC=red-bean,DC=com
    sally = CN=Sally Swatterbug,OU=Engineers,DC=red-bean,DC=com
    joe = CN=Gerald I. Joseph,OU=Engineers,DC=red-bean,DC=com

> BTW, you've hired Harold Hacker?  He left our company after doing a rm 
> -fr / our central file server.  I'm sorry I can't recommend him :)

Heheh.

-- 
C. Michael Pilato <cm...@collab.net>
CollabNet   <>   www.collab.net   <>   Distributed Development On Demand


Re: Review requested: documenting the 'aliases' authz feature

Posted by Blair Zajac <bl...@orcaware.com>.
C. Michael Pilato wrote:
> Hey, folks.  I'm dropping a last-minute addition into the svnbook to 
> describe the new 'aliases' authz-file feature.  Can someone read over 
> this and sanity-check it?  Thanks.

Looks good.  I haven't tested the feature, but the write-up is a good one.

BTW, you've hired Harold Hacker?  He left our company after doing a rm -fr / our 
central file server.  I'm sorry I can't recommend him :)

Blair
