Posted to users@subversion.apache.org by Kylo Ginsberg <ky...@gmail.com> on 2007/02/15 17:38:54 UTC

path-based access control questions

I'm converting a cvs repos to svn which includes an access-restricted
directory.  Two questions about the path-based access control:

1) Are wildcards supported in the path specification?  or can I
otherwise avoid adding an entry to the access-control file every time
the directory is branched?

2) The svnbook refers to performance implications,  stating ominously:
"in certain situations, there's very noticeable performance loss".
Can anyone elaborate?  Is this specific to http vs svn access? does it
linearly track # of paths specified? what ops, etc?

Any guidance appreciated.  As an alternative to the path-based access
control, I have the option of segregating the access-restricted
directory to a separate repository but that carries its own baggage.

Thanks!
Kylo

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Re: path-based access control questions

Posted by Shaun Johnson <sh...@gmail.com>.
> A certain directory on all branches/tags can not be read except by a
> select group of developers.

In that case you're probably best just to move that secret folder to a
different location in the repository, secure it (* = ) and use
svn:externals to pull it down during a checkout. It adds a little more
work when it comes to maintaining that folder (think tagging), but
it'll be easier to keep secure.

Shaun


Re: path-based access control questions

Posted by Kylo Ginsberg <ky...@gmail.com>.
On 2/15/07, Shaun Johnson <sh...@gmail.com> wrote:
> What exactly do you mean by "restrict read access"? If you are trying

A certain directory on all branches/tags can not be read except by a
select group of developers.

So something like:

[groups]
special=mike,bob

[/]
* = rw

[/trunk/secret]
*=
@special=rw

[/branches/release1/secret]
*=
@special=rw

etc

Hope that's clearer.

Kylo
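
The per-branch bookkeeping discussed in this thread, as an added example that is not part of the original posts: a Python check that parses an authz file, reports which lines of development lack a deny-all section for the restricted directory, and renders the stanza to append. The branch list, the `secret` default and the helper names are constructed for illustration; it only matches sections written without a repository prefix and does not model rules inherited from parent paths.

```python
import configparser

# Constructed sample: the authz file from the post (trunk and one branch covered).
AUTHZ = """\
[groups]
special=mike,bob

[/]
* = rw

[/trunk/secret]
*=
@special=rw

[/branches/release1/secret]
*=
@special=rw
"""

# Constructed sample: lines of development, e.g. gathered from `svn ls` output.
LINES = ["/trunk", "/branches/release1", "/branches/release2", "/tags/1.0"]


def load_authz(text):
    """Parse an authz file; keys such as '*' and '@special' are kept verbatim."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # do not lowercase user or group names
    cp.read_string(text)
    return cp


def unprotected(cp, lines, subdir="secret"):
    """Return restricted paths that have no section of their own denying '*'."""
    missing = []
    for line in lines:
        path = f"{line.rstrip('/')}/{subdir}"
        # Covered only if the path's own section sets '*' to an empty value.
        denied = cp.has_section(path) and cp.get(path, "*", fallback="rw").strip() == ""
        if not denied:
            missing.append(path)
    return missing


def stanza(path, group="special"):
    """Render the authz section to append for one uncovered path."""
    return f"[{path}]\n*=\n@{group}=rw\n"


if __name__ == "__main__":
    for p in unprotected(load_authz(AUTHZ), LINES):
        print(stanza(p))
```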


Re: path-based access control questions

Posted by Shaun Johnson <sh...@gmail.com>.
> 2) The svnbook refers to performance implications,  stating ominously:
> "in certain situations, there's very noticeable performance loss".
> Can anyone elaborate?  Is this specific to http vs svn access? does it
> linearly track # of paths specified? what ops, etc?

We use authz rules extensively with our repositories and throughput
using HTTP is excellent. All of our rules are based on groups
permissions.

> Unfortunately, I need to restrict read access (contractual requirement
> to licensed source).  It looks like svnperms.py is a pre-commit check
> so can only catch write accesses.

What exactly do you mean by "restrict read access"? If you are trying
to prevent anonymous and authenticated users from even reading the
files then set "* = " at the root of the repository and explicitly
grant developers write access.

e.g.

[groups]
developers = mike, bob

[repos:/]
* =
@developers = rw

If what you want is to allow anonymous and authenticated users to have
read access to the files then set * = r.

e.g.

[groups]
developers = mike, bob

[repos:/]
* = r
@developers = rw


Re: path-based access control questions

Posted by Les Mikesell <le...@gmail.com>.
Kylo Ginsberg wrote:

>> > Any guidance appreciated.  As an alternative to the path-based access
>> > control, I have the option of segregating the access-restricted
>> > directory to a separate repository but that carries its own baggage.
>>
>> Another option for you might be svnperms.py. You install it as a hook
> 
> Unfortunately, I need to restrict read access (contractual requirement
> to licensed source).  It looks like svnperms.py is a pre-commit check
> so can only catch write accesses.

I haven't used it with subversion specifically, but I'd expect apache's 
FilesMatch directive to work if you only allow http(s) access.

-- 
  Les Mikesell
    lesmikesell@gmail.com


Re: path-based access control questions

Posted by Kylo Ginsberg <ky...@gmail.com>.
On 2/15/07, Andy Levy <an...@gmail.com> wrote:
> On 2/15/07, Kylo Ginsberg <ky...@gmail.com> wrote:
> > Any guidance appreciated.  As an alternative to the path-based access
> > control, I have the option of segregating the access-restricted
> > directory to a separate repository but that carries its own baggage.
>
> Another option for you might be svnperms.py. You install it as a hook

Unfortunately, I need to restrict read access (contractual requirement
to licensed source).  It looks like svnperms.py is a pre-commit check
so can only catch write accesses.

Kylo


Re: path-based access control questions

Posted by Andy Levy <an...@gmail.com>.
On 2/15/07, Kylo Ginsberg <ky...@gmail.com> wrote:
> I'm converting a cvs repos to svn which includes an access-restricted
> directory.  Two questions about the path-based access control:
>
> 1) Are wildcards supported in the path specification?  or can I
> otherwise avoid adding an entry to the access-control file every time
> the directory is branched?

Unfortunately, no.

> 2) The svnbook refers to performance implications,  stating ominously:
> "in certain situations, there's very noticeable performance loss".
> Can anyone elaborate?  Is this specific to http vs svn access? does it
> linearly track # of paths specified? what ops, etc?

I think it's both http and svn access.

> Any guidance appreciated.  As an alternative to the path-based access
> control, I have the option of segregating the access-restricted
> directory to a separate repository but that carries its own baggage.

Another option for you might be svnperms.py. You install it as a hook
script and it can give you much more flexibility in your access
controls. Haven't used it myself, but it may fix your wildcard
problem, and may be better in terms of performance as well.
