Posted to users@subversion.apache.org by "Johnson, Robert" <r....@cgi.com> on 2010/10/25 22:58:34 UTC

Path based authorization

I'm not sure this is a bug or the documentation is wrong, or I'm
misunderstanding the concept.

The setup and config:

Redhat Enterprise Linux AS release 4 (October Update 7)
Apache 2.2.16
Subversion version 1.6.12 from Collabnet
mod_authz_svn.so built from Subversion sources 1.6.13 (uses 1.6.12 libs at runtime)

In the SVN doc:

Section 6.5 Path-Based Authorization

[paint:/projects/paint]
jane = r
@paint-developers = rw

Another important fact is that the first matching rule is the one which
gets applied to a user. In the prior example, even though Jane is a
member of the paint-developers group (which has read/write access), the
jane = r rule will be discovered and matched before the group rule, thus
denying Jane write access.

My authz file:

[groups]
Administrators = admin, r.thompson, john.robbins
SE-tech = r.thompson, john.robbins, test.user

[/]
#start with everyone has read access
* = r
@Administrators = rw

[SystemEngineering:/trunk]
test.user = r
@Administrators = rw
@SE-tech = rw

I am not getting the results as described in the documentation.  I
thought excluding a user from write access even though they were a
member of an rw group was kind of handy.  I have observed this behavior
in both svn and http protocols.  Even though the test.user has been
designated as "r" on the trunk, that user can still commit to the
SystemEngineering/trunk repository folder.

Any help or clarification would be greatly appreciated.

Bob Johnson
CGI - Insurance Sector
Columbia, S.C.
(803)917-7751


RE: Path based authorization

Posted by "Cooke, Mark" <ma...@siemens.com>.
> -----Original Message-----
> From: Johnson, Robert [mailto:r.johnson@cgi.com] 
> Sent: 25 October 2010 23:59
> To: users@subversion.apache.org
> Subject: Path based authorization
> 
> I'm not sure this is a bug or the documentation is wrong, or 
> I'm misunderstanding the concept.
> 
> The setup and config:
> 
> Redhat Enterprise Linux AS release 4 (October Update 7)
> Apache 2.2.16
> Subversion version 1.6.12 from Collabnet
> mod_authz_svn.so built from Subversion sources 1.6.13 (uses 
> 1.6.12 libs at runtime)
> 
> In the SVN doc:
> 
> Section 6.5 Path-Based Authorization
> 
> [paint:/projects/paint]
> jane = r
> @paint-developers = rw
> 
> Another important fact is that the first matching rule is the 
> one which gets applied to a user. In the prior example,
> even though Jane is a member of the paint-developers group 
> (which has read/write access), the jane = r
> rule will be discovered and matched before the group rule, 
> thus denying Jane write access.
> 
> My authz file:
> 
> [groups]
> Administrators = admin, r.thompson, john.robbins
> SE-tech = r.thompson, john.robbins, test.user

...I am not sure but can you try with a different name without the '-'
minus sign?  

> [/]
> #start with everyone has read access
> * = r
> @Administrators = rw
> 
> [SystemEngineering:/trunk]
> test.user = r
> @Administrators = rw
> @SE-tech = rw
> 
> I am not getting the results as described in the 
> documentation.  I thought excluding a user from write access 
> even though they were a member of an rw group was kind of 
> handy.  I have observed this behavior in both svn and http 
> protocols.  Even though the test.user has been designated as 
> "r" on the trunk, that user can still commit to the 
> SystemEngineering/trunk repository folder.
> 
> Any help or clarification would be greatly appreciated.
> 
> Bob Johnson
> CGI - Insurance Sector
> Columbia, S.C.
> (803)917-7751
> 

RE: Path based authorization

Posted by Jon Foster <Jo...@cabot.co.uk>.
Hi,
 
Robert Johnson wrote:
> I'm not sure this is a bug or the documentation is wrong,
> or I'm misunderstanding the concept.
>
> In the SVN doc:
> > Section 6.5 Path-Based Authorization
> > [paint:/projects/paint]
> > jane = r
> > @paint-developers = rw
> >
> > Another important fact is that the first matching rule
> > is the one which gets applied to a user. In the prior
> > example, even though Jane is a member of the paint-developers
> > group (which has read/write access), the jane = r rule
> > will be discovered and matched before the group rule,
> > thus denying Jane write access.

Older versions of the SVN book were wrong.  The latest version has
corrected this.  See:
http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html

Kind regards,

Jon
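
Added example, not part of any post in this thread and not Subversion's own code: a simplified model of the evaluation the corrected book describes (the most specific section that mentions the user decides, and every matching line in that section is combined rather than the first one winning), run over the authz file from the first message. The names `load`, `access` and `FIXED` are hypothetical; aliases, nested groups and the `~` and `$` tokens are not modelled.

```python
import configparser

# Authz file as posted in the first message of the thread.
AUTHZ = """
[groups]
Administrators = admin, r.thompson, john.robbins
SE-tech = r.thompson, john.robbins, test.user
[/]
* = r
@Administrators = rw
[SystemEngineering:/trunk]
test.user = r
@Administrators = rw
@SE-tech = rw
"""
# One way to get the intended result: take test.user out of the rw group.
FIXED = AUTHZ.replace(", test.user", "")

def load(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # user and group names are case-sensitive
    cp.read_string(text)
    return cp

def access(cp, user, repo, path):
    """Return "", "r" or "rw" for user at repo:path (simplified model)."""
    groups = {g: {m.strip() for m in v.split(",")}
              for g, v in cp["groups"].items()}
    p = path.rstrip("/") or "/"
    while True:
        # Repository-qualified section first, then the unqualified one.
        for name in (f"{repo}:{p}", p):
            if not cp.has_section(name):
                continue
            granted, matched = set(), False
            for who, perms in cp[name].items():
                if (who in ("*", user) or
                        (who[0] == "@" and user in groups.get(who[1:], ()))):
                    matched = True
                    granted |= set(perms) & set("rw")  # union, not first match
            if matched:
                return "".join(sorted(granted))
        if p == "/":
            return ""  # no rule mentions the user anywhere: no access
        p = p.rsplit("/", 1)[0] or "/"  # climb to the parent directory

if __name__ == "__main__":
    for label, text in (("posted", AUTHZ), ("fixed", FIXED)):
        print(label, access(load(text), "test.user", "SystemEngineering", "/trunk"))
```

Because a per-user line cannot reduce what a group line in the same section grants, a read-only user has to be kept out of every group that is given `rw` on that path.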

