Posted to users@subversion.apache.org by Matthew Dickinson <ma...@ire.org> on 2006/10/18 21:48:15 UTC

Individual repository for each user on system

Hi,

I'm running a system (RHEL4) with ~1000 users on it - I have a requirement
that each user needs their own repository that other users aren't able to
access. Users should be able to access their repository from local machine,
SSH, and also via the web.

Authentication on the system is handled with a NIS back-end for user
information, and LDAP for the actual authentication against some AD servers.

Just wondering if there was existing documentation (that I just couldn't
find) for undertaking this setup, or if someone has a bright idea to make
this easy!


Thanks,

Matthew

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: Individual repository for each user on system

Posted by mi...@euphonynet.be.
Hello,

I can't give you a complete answer. But at our office (not as many users
as you), we have apache set up with mod_auth_kerb which gives you
spnego-authentication (single-signon). You'll have to set up and enforce ssl
to make it secure. This will ensure that users are authenticated using
their domain-id. If they are not on the domain, then basic-authentication
is used and the basic-authentication-data is checked against their
domain-info.

This will only make sure that the users don't have to enter credentials if
they are on the domain (internet explorer, firefox, tortoisesvn 1.4 and
maybe others) and that only domain-users are allowed access.

You'll have to use the SVN-authz-file to enforce additional restrictions.
Someone has built a script to extract info from ldap I believe. Maybe it
can help you if he would like to share it (Maybe he shared it already).

Greetings,

Michel

> Matthew Dickinson wrote:
>> Hi,
>>
>> I'm running a system (RHEL4) with ~1000 users on it - I have a
>> requirement
>> that each user needs their own repository that other users aren't able
>> to
>> access. Users should be able to access their repository from local
>> machine,
>> SSH, and also via the web.
>>
>> Authentication on the system is handled with a NIS back-end for user
>> information, and LDAP for the actual authentication against some AD
>> servers.
>>
>> Just wondering if there was existing documentation (that I just couldn't
>> find) for undertaking this setup, or if someone has a bright idea to
>> make
>> this easy!
>>
>>
>> Thanks,
>>
>> Matthew
>>
>>
> Perhaps the thing to do is to create a basic, simple repository inside
> of your /etc/skel/public_html folder.  Set it up the way you want with
> any hook scripts or default .htaccess files configured with basic
> authentication.  If you have Apache configured properly, each user will
> be able to access their own repository after they are created.
>
> I base this on what I think should work for a <Location ~/svn> directive
> that would basically map to the user's home web directory.
>
> Something like:
>
> toybox:/etc/skel/public_html # svnadmin create svn
> toybox:/etc/skel/public_html # cd svn
> toybox:/etc/skel/public_html/svn # ls
> README.txt  conf  dav  db  format  hooks  locks
> toybox:/etc/skel/public_html/svn #
>
> I can't think of any good way to get the system to dynamically build a
> SVNAccessFile, so basic authentication might have to work.
>
> Just my 2 cents.
>
> Regards,
> Frank
>



Re: Individual repository for each user on system

Posted by Thomas Harold <tg...@tgharold.com>.
Frank Gruman wrote:
> Matthew Dickinson wrote:
>> Hi,
>>
>> I'm running a system (RHEL4) with ~1000 users on it - I have a 
>> requirement
>> that each user needs their own repository that other users aren't able to
>> access. Users should be able to access their repository from local 
>> machine,
>> SSH, and also via the web.
>>
>> Authentication on the system is handled with a NIS back-end for user
>> information, and LDAP for the actual authentication against some AD 
>> servers.
>>
>> Just wondering if there was existing documentation (that I just couldn't
>> find) for undertaking this setup, or if someone has a bright idea to make
>> this easy!
>>
>>
>> Thanks,
>>
>> Matthew
>>
>>   
> Perhaps the thing to do is to create a basic, simple repository inside 
> of your /etc/skel/public_html folder.  Set it up the way you want with 
> any hook scripts or default .htaccess files configured with basic 
> authentication.  If you have Apache configured properly, each user will 
> be able to access their own repository after they are created.
> 
> I base this on what I think should work for a <Location ~/svn> directive
> that would basically map to the user's home web directory.
>
> Something like:
>
> toybox:/etc/skel/public_html # svnadmin create svn
> toybox:/etc/skel/public_html # cd svn
> toybox:/etc/skel/public_html/svn # ls
> README.txt  conf  dav  db  format  hooks  locks
> toybox:/etc/skel/public_html/svn #
> 
> I can't think of any good way to get the system to dynamically build a 
> SVNAccessFile, so basic authentication might have to work.

The only downside to putting a base svn repository in /etc/skel is that 
the SVN repository ID would be identical for all the users.  And if the 
user has 2 accounts, it could possibly cause issues.  At least, I think 
it might cause issues.

(see the db/uuid file in FSFS repositories)

Other than that, I agree that putting the SVN repos in ~/public_html/svn
across all the users' home folders sounds like the best track towards a
solution.


Re: Individual repository for each user on system

Posted by Frank Gruman <fg...@verizon.net>.
Matthew Dickinson wrote:
> Hi,
>
> I'm running a system (RHEL4) with ~1000 users on it - I have a requirement
> that each user needs their own repository that other users aren't able to
> access. Users should be able to access their repository from local machine,
> SSH, and also via the web.
>
> Authentication on the system is handled with a NIS back-end for user
> information, and LDAP for the actual authentication against some AD servers.
>
> Just wondering if there was existing documentation (that I just couldn't
> find) for undertaking this setup, or if someone has a bright idea to make
> this easy!
>
>
> Thanks,
>
> Matthew
>
>   
Perhaps the thing to do is to create a basic, simple repository inside 
of your /etc/skel/public_html folder.  Set it up the way you want with 
any hook scripts or default .htaccess files configured with basic 
authentication.  If you have Apache configured properly, each user will 
be able to access their own repository after they are created.

I base this on what I think should work for a <Location ~/svn> directive
that would basically map to the user's home web directory.

Something like:

toybox:/etc/skel/public_html # svnadmin create svn
toybox:/etc/skel/public_html # cd svn
toybox:/etc/skel/public_html/svn # ls
README.txt  conf  dav  db  format  hooks  locks
toybox:/etc/skel/public_html/svn #

I can't think of any good way to get the system to dynamically build a 
SVNAccessFile, so basic authentication might have to work.

Just my 2 cents.

Regards,
Frank


Re: Individual repository for each user on system

Posted by Sheryl <gu...@his.com>.
Jehan wrote:
> Then you have an access file (authz) for each user (svnserve.conf ->
> authz-db = authz)? Or is it a "central" access file pointed to by each
> individual's svnserve.conf (authz-db = /var/svn/central-authz)?
> I ask this question because I have the same needs as the initial poster:
> svn for each user, with private access through the http, https and
> svn+ssh CLI protocols.

It's a central access file pointed to by

 AuthzSVNAccessFile /path/to/access-file

in the http.conf file.  Since I'm using apache rather than svn+ssh, I
don't use the svnserve.conf file.  Sorry, but since most of your questions
relate to svnserve, I can't really answer them.

> And the problem I have is that for CLI (svn+ssh) access, when I define
> access internally to the repository ([/project]) it works fine; when I
> centralize authz and then define access this way, [repository:/project],
> the access controls aren't honored :-( (although they are honored for
> DAV (http, https) access!).
> Does svn+ssh use the authz file, or Unix file system access modes?! I'm in
> doubt now ...
>
> Thanks.
>
> PS: is there a way to log (syslog) svnserve access control checks? Or,
> more generally, to log svnserve globally?
>
>
>
>


Re: Individual repository for each user on system

Posted by Jehan PROCACCIA <Je...@int-evry.fr>.
Sheryl wrote:
>> I'm running a system (RHEL4) with ~1000 users on it - I have a requirement
>> that each user needs their own repository that other users aren't able to
>> access. Users should be able to access their repository from local
>> machine,
>> SSH, and also via the web.
>>
>> Authentication on the system is handled with a NIS back-end for user
>> information, and LDAP for the actual authentication against some AD
>> servers.
>>     
>
> I do something similar for a smaller number of users.  We're just rolling
> out one subversion server for admin use, one for projects, and one for
> workstation backups.  I respectfully disagree with the posters who want to
> put the repositories in their home directories -- especially in
> public-html.  If a user fat-fingers permissions it won't be his colleagues
> he has to worry about accessing his repository -- it will be the whole
> Internet.  Users also would be able to get in and muck with the repository
> directly -- I see a support nightmare in the making.
>
> My vote would be for apache to be set up with an SVNParentPath, with
> individual user repositories defined below that level.  You also can
> define LDAP authentication in the httpd.conf.  One of the web interfaces
> like WebSVN can be installed for readonly access, and if a user needs
> read-write access they can install one of the many client options on their
> home machine.  Or they can ssh in and use the command line (or a GUI if
> you allow X tunneling and they have the right setup).
>
> Scripting account setup isn't hard at all.  I have scripts to set up our
> various repositories (I go ahead and svn mkdir the trunk, branches and
> tags directories on the project server).  Just something like this for the
> access file:
>
> cat <<EOT >>/path/to/access/file
> [userid:/]
> userid = rw
> EOT
>
> Good luck,
>
> Sheryl
>
Then you have an access file (authz) for each user (svnserve.conf ->
authz-db = authz)? Or is it a "central" access file pointed to by each
individual's svnserve.conf (authz-db = /var/svn/central-authz)?
I ask this question because I have the same needs as the initial poster:
svn for each user, with private access through the http, https and
svn+ssh CLI protocols.

And the problem I have is that for CLI (svn+ssh) access, when I define
access internally to the repository ([/project]) it works fine; when I
centralize authz and then define access this way, [repository:/project],
the access controls aren't honored :-( (although they are honored for
DAV (http, https) access!).
Does svn+ssh use the authz file, or Unix file system access modes?! I'm in
doubt now ...

Thanks.

PS: is there a way to log (syslog) svnserve access control checks? Or,
more generally, to log svnserve globally?




Re: Individual repository for each user on system

Posted by Sheryl <gu...@his.com>.
> I'm running a system (RHEL4) with ~1000 users on it - I have a requirement
> that each user needs their own repository that other users aren't able to
> access. Users should be able to access their repository from local
> machine,
> SSH, and also via the web.
>
> Authentication on the system is handled with a NIS back-end for user
> information, and LDAP for the actual authentication against some AD
> servers.

I do something similar for a smaller number of users.  We're just rolling
out one subversion server for admin use, one for projects, and one for
workstation backups.  I respectfully disagree with the posters who want to
put the repositories in their home directories -- especially in
public-html.  If a user fat-fingers permissions it won't be his colleagues
he has to worry about accessing his repository -- it will be the whole
Internet.  Users also would be able to get in and muck with the repository
directly -- I see a support nightmare in the making.

My vote would be for apache to be set up with an SVNParentPath, with
individual user repositories defined below that level.  You also can
define LDAP authentication in the httpd.conf.  One of the web interfaces
like WebSVN can be installed for readonly access, and if a user needs
read-write access they can install one of the many client options on their
home machine.  Or they can ssh in and use the command line (or a GUI if
you allow X tunneling and they have the right setup).

Scripting account setup isn't hard at all.  I have scripts to set up our
various repositories (I go ahead and svn mkdir the trunk, branches and
tags directories on the project server).  Just something like this for the
access file:

cat <<EOT >>/path/to/access/file
[userid:/]
userid = rw
EOT

Good luck,

Sheryl
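
The account-setup scripting described in the message above, as an added example that is not part of the original thread: it creates one repository per user under a single parent directory (so each gets its own UUID, the concern raised about copying a skeleton repository), writes the "[userid:/]" stanza to the central access file only once, and refuses userids that could inject extra lines into that file. The paths, the httpd account name and all function names are assumptions, and only the Apache access path is covered.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and the httpd account are assumptions.
SVN_PARENT=${SVN_PARENT:-/srv/svn/users}        # hypothetical SVNParentPath directory
AUTHZ_FILE=${AUTHZ_FILE:-/srv/svn/access-file}  # hypothetical AuthzSVNAccessFile target
HTTPD_USER=${HTTPD_USER:-apache}                # assumed account httpd runs as

# Accept only plain account names, so a userid cannot carry a newline, "[",
# ":" or "/" into the access file or step outside the parent directory.
valid_userid() {
    case $1 in
        ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Append the "[userid:/]" stanza once; running it again changes nothing.
authz_add_user() {
    user=$1 file=$2
    valid_userid "$user" || { echo "rejecting userid" >&2; return 1; }
    if grep -qxF "[$user:/]" "$file" 2>/dev/null; then return 0; fi
    cat <<EOT >>"$file"
[$user:/]
$user = rw

EOT
}

# Print every repository UUID that occurs in more than one repository under
# the parent directory, as happens when repositories are copied from a skeleton.
duplicate_uuids() {
    for f in "$1"/*/db/uuid; do
        [ -f "$f" ] && head -n 1 "$f"
    done | sort | uniq -d
}

# Create the repository with svnadmin (fresh UUID each time), keep it out of
# reach of other local accounts, then grant only its owner in the access file.
provision_user() {
    valid_userid "$1" || return 1
    repo=$SVN_PARENT/$1
    if [ ! -d "$repo" ]; then
        svnadmin create "$repo" || return 1
        chown -R "$HTTPD_USER" "$repo" && chmod -R go-rwx "$repo" || return 1
    fi
    authz_add_user "$1" "$AUTHZ_FILE"
}

if [ "${1:-}" = "--provision" ]; then provision_user "${2:-}"; fi
```

Run as root with `--provision userid`; `duplicate_uuids "$SVN_PARENT"` prints nothing when every repository has its own UUID.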
