Check Path based authorization

Check Path based authorization

Stuempfig, Thomas

Hi all,

We have a large organization, many projects and quite a bit of history (10 years) with one of the repos, and after a while path-based authorization becomes quite difficult.

I would like to ask if it is possible, as an admin, to check path-based authorization for a user x (LDAP).

It would be great if it could give ("none", "rw", "r") or alike for a path.

Kind of executing a call like the one below as admin.

getactiveprivs usertocheck http(s)://server.domain.com//svn/myproject/branches/branch_dev/

I mean this is the core; there could be several variations of this call. Get privs of LDAP group members... as different members belong to different other groups, each of them possibly has different access rights. It would be really great to have some table of active privileges.

best regards

Thomas

-----------------
Siemens Industry Software GmbH; Anschrift: Franz-Geuer-Str. 10, 50823 Köln; Gesellschaft mit beschränkter Haftung; Geschäftsführer: Urban August, Daniel Trebes; Sitz der Gesellschaft: Köln; Registergericht: Amtsgericht Köln, HRB 84564


Re: Check Path based authorization

Branko Čibej
On 11.12.2018 10:24, Stuempfig, Thomas wrote:

> Hi all,
> We have a large organization, many projects and quite a bit of history (10 years) with one of the repos, and after a while path-based authorization becomes quite difficult.
> I would like to ask if it is possible, as an admin, to check path-based authorization for a user x (LDAP).
>
> It would be great if it could give ("none", "rw", "r") or alike for a path.
> Kind of executing a call like the one below as admin.
>
> getactiveprivs usertocheck http(s)://server.domain.com//svn/myproject/branches/branch_dev/
>
> I mean this is the core; there could be several variations of this call. Get privs of LDAP group members... as different members belong to different other groups, each of them possibly has different access rights. It would be really great to have some table of active privileges.


Is the 'svnauthz' tool not good enough? It's usually installed
separately from the core binaries, in some 'subversion-tools' package,
but it's intended for exactly this kind of test.


-- Brane

$ svnauthz accessof --help
accessof: Print or test the permissions set by an authz file.
usage: 1. svnauthz accessof TARGET
       2. svnauthz accessof -t TXN REPOS_PATH FILE_PATH

  1. Prints the access of USER to PATH based on authorization file at TARGET.
     TARGET can be a path to a file or an absolute file:// URL to an authz
     file in a repository, but cannot be a repository relative URL (^/).

  2. Prints the access of USER to PATH based on authz file at FILE_PATH in the
     transaction TXN in the repository at REPOS_PATH.

  USER is the argument to the --username option; if that option is not
  provided, then access of an anonymous user will be printed or tested.

  PATH is the argument to the --path option; if that option is not provided,
  the maximal access to any path in the repository will be considered.

Outputs one of the following:
     rw    write access (which also implies read)
      r    read access
     no    no access

Returns:
    0   when syntax is OK and '--is' argument (if any) matches.
    1   when syntax is invalid.
    2   operational error
    3   when '--is' argument doesn't match

Valid options:
  -t [--transaction] ARG   : transaction id
  --username ARG           : username to check access of
  --path ARG               : path within repository to check access of
  --repository ARG         : repository authz name
  --is ARG                 : instead of outputting, test if the access is
                             exactly ARG
                             ARG can be one of the following values:
                                rw    write access (which also implies read)
                                 r    read-only access
                                no    no access
  --groups-file ARG        : use the groups from file ARG
  -R [--recursive]         : determine recursive access to PATH


RE: Check Path based authorization

Stuempfig, Thomas
Hi Brane,
thank you for the quick response. This is probably what I was looking for. I'll test it and come back with my findings.

Best regards
Thomas


RE: Check Path based authorization

Stuempfig, Thomas
Hi Brane,
Well, after testing, the tool does not actually do what I would like. But it gives me a starting point / workaround.
I tested the tool with VisualSVN Server on Windows.


Steps to reproduce
1) configure basic Windows authentication

2) grant "rw" access to the repository root path for an AD group
        VisualSVN Server places the objectSid S-1-1-11-111111111-111111111-11111111-11111 of the group in the VisualSVN-WinAuthz.ini file of the repository

3) svnauthz.exe accessof --username S-2-2-22-222222222-22222222-222222222-22222 d:\repositories\test\conf\VisualSVN-WinAuthz.ini
   where the username is a member of the AD group with objectSid S-1-1-11-111111111-111111111-11111111-11111
   Result: no

But
4) svnauthz.exe accessof --username S-1-1-11-111111111-111111111-11111111-11111  22222 d:\repositories\test\conf\VisualSVN-WinAuthz.ini
gives "rw"


This is not what I am looking for.

I could probably use some LDAP query in order to find out the groups of which user S-2--- is a member and test these against the svn file. I personally don't like LDAP queries, but if needed I will stick with that.

So I am looking for better ideas... or if anybody has already done the job of cycling through a user's AD groups recursively, calling svnauthz for each of the groups, I would offer some beer...

regards
Thomas


Re: Check Path based authorization

Branko Čibej
On 11.12.2018 18:40, Stuempfig, Thomas wrote:

> Hi Brane,
> Well, after testing, the tool does not actually do what I would like. But it gives me a starting point / workaround.
> I tested the tool with VisualSVN Server on Windows.
>
>
> Steps to reproduce
> 1) configure basic Windows authentication
>
> 2) grant "rw" access to the repository root path for an AD group
>         VisualSVN Server places the objectSid S-1-1-11-111111111-111111111-11111111-11111 of the group in the VisualSVN-WinAuthz.ini file of the repository
>
> 3) svnauthz.exe accessof --username S-2-2-22-222222222-22222222-222222222-22222 d:\repositories\test\conf\VisualSVN-WinAuthz.ini
>    where the username is a member of the AD group with objectSid S-1-1-11-111111111-111111111-11111111-11111
>    Result: no
>
> But
> 4) svnauthz.exe accessof --username S-1-1-11-111111111-111111111-11111111-11111  22222 d:\repositories\test\conf\VisualSVN-WinAuthz.ini
> gives "rw"

I really have no idea what the WinAuthz.ini file is and what VisualSVN
does with it. It's impossible to say if your result is expected if we
don't see the contents of the authz file.

But yes, 'svnauthz' will calculate access for users, not for groups. A
user can be a member of several groups and the actual rights she has can
be a combination of rights granted to the groups.

-- Brane


RE: Check Path based authorization

Stuempfig, Thomas
Hi Brane,

Sorry, I cannot post the contents of the VisualSVN-WinAuthz.ini file since it is company-security related.
I will take some time to set up a separate demo LDAP, but this will take some time.

But basically my observation is

1) You have an LDAP group "GroupA"
2) Within that group you have users user_a and user_b (memberOf attribute)

now
3) you set up your repo authz file
*****************************
[/]
user_a          rw
GroupA          rw
*****************************

(I explicitly do not include something like Group_A=user_a,user_b and set @Group_A rw in the authz file, as this would duplicate the LDAP definition
of group membership)

svnauthz gives "rw" for user_a and "Result no" for user_b

My guess is that svnauthz does not evaluate the actual LDAP info and only cares about groups defined in the authz file, whereas "svn --username ..." does authenticate with the LDAP group. Thinking about the svnauthz command line, svnauthz has no information about the LDAP connection, which sits in Apache's httpd.conf.

regards
Thomas

Re: Check Path based authorization

Johan Corveleyn-3
On Wed, Dec 12, 2018 at 9:28 AM Stuempfig, Thomas
<[hidden email]> wrote:

>
> Hi Brane,
>
> Sorry, I cannot post the contents of the VisualSVN-WinAuthz.ini file since it is company-security related.
> I will take some time to set up a separate demo LDAP, but this will take some time.
>
> But basically my observation is
>
> 1) You have an LDAP group "GroupA"
> 2) Within that group you have users user_a and user_b (memberOf attribute)
>
> now
> 3) you set up your repo authz file
> *****************************
> [/]
> user_a          rw
> GroupA          rw
> *****************************
>
> (I explicitly do not include something like Group_A=user_a,user_b and set @Group_A rw in the authz file, as this would duplicate the LDAP definition
> of group membership)
>
> svnauthz gives "rw" for user_a and "Result no" for user_b
>
> My guess is that svnauthz does not evaluate the actual LDAP info and only cares about groups defined in the authz file, whereas "svn --username ..." does authenticate with the LDAP group. Thinking about the svnauthz command line, svnauthz has no information about the LDAP connection, which sits in Apache's httpd.conf.
>

Okay, it seems there is some misunderstanding here. First of all,
"core" svn does not by itself have support for LDAP groups for
authorization. Indeed, it only looks at groups that are defined in the
authz file itself.

The VisualSVN-WinAuthz.ini file is an extra feature developed by
VisualSVN, on top of "core" svn. So indeed, the svnauthz commandline
tool does not know about those groups.

To get some help on using / validating the VisualSVN-WinAuthz.ini
file, you'll have to reach out to VisualSVN people (some of them are
reading this list too, so they might be able to comment further here).

--
Johan

Re: Check Path based authorization

bahrep
In reply to this post by Stuempfig, Thomas
Hello Thomas,

On Tue, Dec 11, 2018 at 8:40 PM Stuempfig, Thomas
<[hidden email]> wrote:
>
> Hi Brane,
> Well, after testing, the tool does not actually do what I would like. But it gives me a starting point / workaround.
> I tested the tool with VisualSVN Server on Windows.

VisualSVN Server includes a PowerShell module[1] that provides a set
of cmdlets[2] for server and repository administration. You may want
to try the `Get-SvnAccessRule`[3] and `Select-SvnAccessRule`[4]
cmdlets - I guess that they can partially meet your requirements.
However, they do not consider AD user's group membership and therefore
do not display effective access for a particular user account.

Do I understand you correctly that you want a reporting tool that will
display actual effective access for AD user DOMAIN\Username
considering his group membership? How complex is the access rule
configuration in your repositories? Could you please show us an
example (run Get-SvnAccessRule and show us the output)? You can reply
me privately or contact [hidden email] and we will examine your
case further.

[1]: https://www.visualsvn.com/server/features/powershell/
[2]: https://www.visualsvn.com/support/topic/00088/
[3]: https://www.visualsvn.com/support/topic/00088/#Get-SvnAccessRule
[4]: https://www.visualsvn.com/support/topic/00088/#Select-SvnAccessRule

--
With best regards,
Pavel Lyalyakin
VisualSVN Team

Re: Check Path based authorization

Branko Čibej
In reply to this post by Stuempfig, Thomas
[Please do not top-post on this list.]

On 12.12.2018 09:25, Stuempfig, Thomas wrote:

> Hi Brane,
>
> Sorry, I cannot post the contents of the VisualSVN-WinAuthz.ini file since it is company-security related.
> I will take some time to set up a separate demo LDAP, but this will take some time.
>
> But basically my observation is
>
> 1) You have an LDAP group "GroupA"
> 2) Within that group you have users user_a and user_b (memberOf attribute)
>
> now
> 3) you set up your repo authz file
> *****************************
> [/]
> user_a          rw
> GroupA          rw
> *****************************
>
> (I explicitly do not include something like Group_A=user_a,user_b and set @Group_A rw in the authz file, as this would duplicate the LDAP definition
> of group membership)
>
> svnauthz gives "rw" for user_a and "Result no" for user_b
>
> My guess is that svnauthz does not evaluate the actual LDAP info and only cares about groups defined in the authz file, whereas "svn --username ..." does authenticate with the LDAP group. Thinking about the svnauthz command line, svnauthz has no information about the LDAP connection, which sits in Apache's httpd.conf.

As Johan already wrote, Subversion does not look anywhere but in its
authorisation files for group definitions. Not LDAP, nor AD, nor any
other group directory. If your groups are defined in LDAP, then you very
likely already have a tool that extracts them from there into the proper
format for Subversion; in that case, all you need to do is tell svnauthz
about that file, see the '--groups-file' option.


-- Brane



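Brane's '--groups-file' suggestion, carried out on the Windows/AD setup described earlier in the thread, as an added example (this is not code from the thread, from Subversion or from VisualSVN Server): the script collects every "@group" the authz file references, exports the nested AD membership of exactly those groups into a Subversion "[groups]" file, and then lets svnauthz itself compute the user's access, so none of Subversion's path or rule precedence is reimplemented. Assumptions: the authz file names users and groups by sAMAccountName (adjust if your Apache authentication hands Subversion "DOMAIN\user"), the ActiveDirectory PowerShell module is installed, svnauthz.exe sits under the VisualSVN Server bin directory (a guess; change -SvnAuthz), and the script file name and the temp file name svn-ad-groups.conf are the example's own. It does not apply to VisualSVN-WinAuthz.ini, whose entries are bare SIDs rather than "@"-prefixed groups; as Johan says, that format is VisualSVN's own, and the Get-SvnEffectiveAccess cmdlet Pavel provided is the tool for it.

```powershell
<#
  Get-SvnAdEffectiveAccess.ps1 (added example for this thread; not part of Subversion or VisualSVN Server)
  Effective Subversion access of one AD user, computed by svnauthz itself from an exported groups file.
#>
param(
    [Parameter(Mandatory = $true)] [string] $AuthzFile,
    [Parameter(Mandatory = $true)] [string] $User,      # sAMAccountName as used in the authz file (assumption)
    [string] $Path = '/',                                # path within the repository, e.g. /branches/branch_dev
    [string] $Repository,                                # optional: repository name for [repo:/path] sections
    [string] $ExpectAccess,                              # optional: 'rw', 'r' or 'no' -> passes --is, exit code 3 on mismatch
    # Assumed install location; point this at your svnauthz(.exe).
    [string] $SvnAuthz = 'C:\Program Files\VisualSVN Server\bin\svnauthz.exe',
    [string] $GroupsFile = (Join-Path $env:TEMP 'svn-ad-groups.conf')
)

Import-Module ActiveDirectory -ErrorAction Stop
if (-not (Test-Path -LiteralPath $SvnAuthz)) { throw "svnauthz not found at $SvnAuthz" }

# svnauthz rejects an authz file that carries its own [groups] section when --groups-file is given,
# so detect that up front instead of letting the run fail later.
if (Select-String -Path $AuthzFile -Pattern '^\s*\[groups\]\s*$' -Quiet) {
    throw "$AuthzFile has its own [groups] section; move those definitions to a separate groups file first."
}

# 1. Every group the authz file references: rule keys of the form '@name' or '~@name' (negated rule).
$referenced = Select-String -Path $AuthzFile -Pattern '^\s*~?@([^\s=]+)' -AllMatches |
    ForEach-Object { $_.Matches } |
    ForEach-Object { $_.Groups[1].Value } |
    Sort-Object -Unique
if (-not $referenced) {
    Write-Warning "No @group rules in $AuthzFile; group membership cannot influence the result (bare names are users)."
}

# Escape a DN for use inside an LDAP filter (RFC 4515).
function ConvertTo-LdapFilterValue([string] $Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

# 2. Export nested membership. The LDAP_MATCHING_RULE_IN_CHAIN OID makes the DC walk nested groups,
#    so one query per group returns its direct and indirect user members.
$lines    = @('[groups]')
$memberOf = @()
foreach ($name in $referenced) {
    $group = Get-ADGroup -Filter "SamAccountName -eq '$name'"
    if (-not $group) {
        Write-Warning "authz references @$name but no such AD group exists; exporting it empty."
        $lines += "$name ="
        continue
    }
    $dn      = ConvertTo-LdapFilterValue $group.DistinguishedName
    $members = Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$dn)" |
        Select-Object -ExpandProperty SamAccountName | Sort-Object
    if ($members -contains $User) { $memberOf += $name }
    $lines += "$name = " + ($members -join ', ')
}
Set-Content -Path $GroupsFile -Value $lines -Encoding ASCII

# 3. Let svnauthz apply Subversion's own path inheritance and rule precedence; do not reimplement them.
$svnArgs = @('accessof', '--username', $User, '--path', $Path, '--groups-file', $GroupsFile)
if ($Repository)   { $svnArgs += @('--repository', $Repository) }
if ($ExpectAccess) { $svnArgs += @('--is', $ExpectAccess) }
$svnArgs += $AuthzFile

$output = & $SvnAuthz @svnArgs 2>&1 | Out-String
switch ($LASTEXITCODE) {
    0       { $result = if ($ExpectAccess) { $ExpectAccess } else { $output.Trim() } }
    3       { $result = "MISMATCH (expected $ExpectAccess, got: $($output.Trim()))" }   # only with --is
    1       { throw "authz or groups file has invalid syntax: $output" }
    default { throw "svnauthz failed with exit code ${LASTEXITCODE}: $output" }
}

[pscustomobject]@{
    User       = $User
    Path       = $Path
    Repository = $Repository
    MemberOf   = ($memberOf -join ', ')   # referenced groups the user belongs to, nested membership included
    Access     = $result                   # 'rw', 'r' or 'no' as printed by svnauthz
    GroupsFile = $GroupsFile
}
```

Run it as `.\Get-SvnAdEffectiveAccess.ps1 -AuthzFile D:\Repositories\myproject\conf\authz -User user_b -Path /branches/branch_dev -Repository myproject`; with the authz from Thomas's observation it reports "no" for user_b, because "GroupA rw" names a user called GroupA, and "rw" once the rule reads "@GroupA = rw". The generated groups file is a snapshot of AD at the time of the run, so regenerate it rather than caching it, and keep the exported sAMAccountNames in the same form your Apache authentication hands to mod_authz_svn, otherwise the rules will never match.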

RE: Check Path based authorization

Stuempfig, Thomas
In reply to this post by bahrep

Hi Pavel,

thank you very much for your help. Your solution works.

This shows the real value of VisualSVN here.

Regards

Thomas

From: Pavel Lyalyakin [mailto:[hidden email]]
Sent: Mittwoch, 12. Dezember 2018 20:38
To: Stuempfig, Thomas (DF PL S&SE DE PSM EAI) <[hidden email]>
Subject: Check Path based authorization

 

Hello Thomas,

On Wednesday, December 12, 2018, Stuempfig, Thomas <[hidden email]> wrote:
> Hi Pavel,
> I am impressed by the speed of your answer.

We value any feedback on our products, Subversion and version control in general. Therefore, we regularly monitor social media, forums and mailing lists. Feel free to share any other feedback or requests and we will examine them too.

> Here is the content of the VisualSVN-WinAuthz.ini as a mini example. user_a and user_b are members of Group_A. user_a and user_b can access the repo... but I do not have a chance to verify it upfront with a tool... as admin, svnauthz gives "rw" for Group_A and user_a but "no" for user_b....
>
> [/]
> S-1-5-21-954228201-601818101-482762101-101590=rw  (Group_A)
> S-1-5-21-954228201-601818101-482762101-5978=rw (user_a)
>
> The real one is much larger. The repos vary from 1 to 10 years of history and from 5000 files and folders to 8 million files and folders.
> We have ~15000 potential read users and 500 committers. (We are a small part of Siemens)
> Consider different path / group / user-group memberships...
>
>
> And I need a solution to this one

Please, see the attached PowerShell script that essentially loads a new cmdlet in addition to those available in current VisualSVN Server versions. The cmdlet returns effective access of a user account for a given repository path. We think that this is exactly what you are looking for. :)

 

DISCLAIMER: The script is provided without any warranty or support. You can use and adjust it at your own risk.

 

Please, follow these steps to run the script:

  • Download and rename the attachment to Get-SvnEffectiveAccess.ps1 (i.e. remove the trailing underscore character).
  • Start the PowerShell console that has the VisualSVN Server's PowerShell module loaded (this has to happen by default) or via the dedicated PowerShell console:
      1. Start the VisualSVN Server Manager console.
      2. Select Action | All Tasks.
      3. Click Start PowerShell.
  • Load the script to your current PowerShell session with this command (note the dot character and replace PATH with an actual path to the script's directory):

. PATH\Get-SvnEffectiveAccess.ps1

  • Run the following command:

Get-SvnEffectiveAccess -Repository MyRepo -Path /branches/MyBranch -AccountName DOMAIN\username

The command should return effective access of the DOMAIN\username account for the /branches/MyBranch path in the MyRepo repository.


> I envisage a workaround based on the following powershell com
> Get-ADPrincipalGroupMembership -Identity USERXXXX | Format-Table -Property SID -AutoSize
> Cycle through the results and run svnauthz with each resulting line. This should in principle give me some hint about the privilege.
> But I don't know if VisualSVN grants widest privilege or first privilege.
 
VisualSVN Server conforms to the main principles of the path-based authorization mechanism used in Subversion. Please see the article KB33: Understanding VisualSVN Server authorization.

 

We will wait for your reply.


> -----Original Message-----
> From: Pavel Lyalyakin [mailto:[hidden email]]
> Sent: Wednesday, 12 December 2018 11:39
> To: Stuempfig, Thomas (DF PL S&SE DE PSM EAI) <[hidden email]>
> Cc: [hidden email]; [hidden email]
> Subject: Re: Check Path based authorization
>
> Hello Thomas,
>
> On Tue, Dec 11, 2018 at 8:40 PM Stuempfig, Thomas <[hidden email]> wrote:
>>
>> Hi Brane,
>> well after testing the tool does not actually do what I would like. But it is giving me a starting point / workaround.
>> I tested the tool with VisualSVN Server on Windows
>
> VisualSVN Server includes a PowerShell module[1] that provides a set of cmdlets[2] for server and repository administration. You may want to try the `Get-SvnAccessRule`[3] and `Select-SvnAccessRule`[4] cmdlets - I guess that they can partially meet your requirements.
> However, they do not consider AD user's group membership and therefore do not display effective access for a particular user account.
>
> Do I understand you correctly that you want a reporting tool that will display actual effective access for AD user DOMAIN\Username considering his group membership? How complex is the access rule configuration in your repositories? Could you please show us an example (run Get-SvnAccessRule and show us the output)? You can reply to me privately or contact [hidden email] and we will examine your case further.
>
> [1]: https://www.visualsvn.com/server/features/powershell/
> [2]: https://www.visualsvn.com/support/topic/00088/
> [3]: https://www.visualsvn.com/support/topic/00088/#Get-SvnAccessRule
> [4]: https://www.visualsvn.com/support/topic/00088/#Select-SvnAccessRule
>
>> Steps to reproduce
>> 1) configure basic windows authentication
>>
>> 2) grant "rw" access to the repository root path for AD group
>>         VisualSVN Server places the objectSid
>> S-1-1-11-111111111-111111111-11111111-11111  of the group in the
>> VisualSVN-WinAuthz.ini file of the repository
>>
>> 3) svnauthz.exe accessof --username S-2-2-22-222222222-22222222-222222222-22222 d:\repositories\test\conf\VisualSVN-WinAuthz.ini
>>   Where username is a member of the AD group objectSid
>> S-1-1-11-111111111-111111111-11111111-11111
>>  Result no
>>
>> But
>> 4) svnauthz.exe accessof --username
>> S-1-1-11-111111111-111111111-11111111-11111  22222
>> d:\repositories\test\conf\VisualSVN-WinAuthz.ini
>> Gives "rw"
>>
>>
>> This is not what I am looking for.
>>
>> I could probably use some ldap query in order to find out the groups where user S-2--- is member of and test these against the svn file, I personally don't like ldap queries but if needed I will stick with that.
>>
>> So I am seeking better ideas... or if anybody already did the job of cycling through a user's AD groups recursively... calling svnauthz for each of the groups I would offer some beer ...
>>
>> regards
>> Thomas
>>
>> -----Original Message-----
>> From: [ext] Stuempfig, Thomas [mailto:[hidden email]]
>> Sent: Tuesday, 11 December 2018 17:22
>> To: Branko Čibej <[hidden email]>; [hidden email]
>> Subject: RE: Check Path based authorization
>>
>> Hi Brane,
>> thank you for the quick response. This is probably what I would seek for. I'll test it and will come back with my findings.
>>
>> Best regards
>> Thomas
>>
>> -----Original Message-----
>> From: Branko Čibej [mailto:[hidden email]]
>> Sent: Tuesday, 11 December 2018 11:00
>> To: [hidden email]
>> Subject: Re: Check Path based authorization
>>
>> On 11.12.2018 10:24, Stuempfig, Thomas wrote:
>> > Hi all,
>> > We have a large organization many projects and quite a bit of history (10years) with one of the repos… and after a while path based authorization becomes quite difficult.
>> > I would like to ask if it is possible as an admin to check path based authorization for a user x (ldap).
>> >
>> > It would be great if one could give (“none”,”rw”,”r”) or alike for path.
>> > Kind executing a call like the call below as admin.
>> >
>> > getactiveprivs usertocheck
>> > http(s)://server.domain.com//svn/myproject/branches/branch_dev/
>> >
>> > I mean this is the core, there could be several variations of this call. Get privs of ldap group members … as different members belong to different other groups each of them have possibly different access rights. It would be really great to have some table of active priviledges.
>>
>>
>> Is the 'svnauthz' tool not good enough? It's usually installed separately from the core binaries, in some 'subversion-tools' package, but it's intended for exactly this kind of test.
>>
>>
>> -- Brane
>>
>> $ svnauthz accessof --help
>> accessof: Print or test the permissions set by an authz file.
>> usage: 1. svnauthz accessof TARGET
>>        2. svnauthz accessof -t TXN REPOS_PATH FILE_PATH
>>
>>   1. Prints the access of USER to PATH based on authorization file at TARGET.
>>      TARGET can be a path to a file or an absolute file:// URL to an authz
>>      file in a repository, but cannot be a repository relative URL (^/).
>>
>>   2. Prints the access of USER to PATH based on authz file at FILE_PATH in the
>>      transaction TXN in the repository at REPOS_PATH.
>>
>>   USER is the argument to the --username option; if that option is not
>>   provided, then access of an anonymous user will be printed or tested.
>>
>>   PATH is the argument to the --path option; if that option is not provided,
>>   the maximal access to any path in the repository will be considered.
>>
>> Outputs one of the following:
>>      rw    write access (which also implies read)
>>       r    read access
>>      no    no access
>>
>> Returns:
>>     0   when syntax is OK and '--is' argument (if any) matches.
>>     1   when syntax is invalid.
>>     2   operational error
>>     3   when '--is' argument doesn't match
>>
>> Valid options:
>>   -t [--transaction] ARG   : transaction id
>>   --username ARG           : username to check access of
>>   --path ARG               : path within repository to check access of
>>   --repository ARG         : repository authz name
>>   --is ARG                 : instead of outputting, test if the access is
>>                              exactly ARG
>>                              ARG can be one of the following values:
>>                                 rw    write access (which also implies read)
>>                                  r    read-only access
>>                                 no    no access
>>   --groups-file ARG        : use the groups from file ARG
>>   -R [--recursive]         : determine recursive access to PATH
>>
>> -----------------
>> Siemens Industry Software GmbH; Address: Franz-Geuer-Str. 10, 50823 Köln; limited liability company; Managing Directors: Urban August, Daniel Trebes; Registered office: Köln; Register court: Amtsgericht Köln, HRB 84564
>
>
>
> --
> With best regards,
> Pavel Lyalyakin
> VisualSVN Team
>

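The workaround Thomas sketches in the thread (list the user's AD groups, then run svnauthz accessof once per SID) and the effective-access report that Pavel's attached script produces can be approximated with the PowerShell below. This is an added example written for this page; it is neither the attached Get-SvnEffectiveAccess.ps1 nor any VisualSVN Server cmdlet. It assumes the RSAT ActiveDirectory module is installed, that svnauthz.exe lives under the VisualSVN Server bin directory, and that the repository's authz file is conf\VisualSVN-WinAuthz.ini as in Thomas's step 3; the function name Get-SvnAuthzPrincipalReport and every path in it are made up for the example.

```powershell
# Added example: per-principal svnauthz report for an AD user.
# Not the attached Get-SvnEffectiveAccess.ps1 and not a VisualSVN cmdlet.
# Assumes the ActiveDirectory module (RSAT) and an svnauthz.exe path (both assumed).

#Requires -Modules ActiveDirectory

function Get-SvnAuthzPrincipalReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. 'username' (no DOMAIN\ prefix)
        [Parameter(Mandatory)] [string] $AuthzFile,        # e.g. 'D:\Repositories\MyRepo\conf\VisualSVN-WinAuthz.ini'
        [string] $RepoPath = '/',                          # path inside the repository, e.g. '/branches/MyBranch'
        [string] $SvnAuthz = 'C:\Program Files\VisualSVN Server\bin\svnauthz.exe'   # assumed location
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties PrimaryGroup

    # Every group the user belongs to, transitively, in one LDAP query using
    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941). The chain rule only
    # follows the 'member' attribute, so the primary group (typically Domain Users,
    # stored via primaryGroupID instead) and its parents are added explicitly.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))")
    if ($user.PrimaryGroup) {
        $primary = Get-ADGroup -Identity $user.PrimaryGroup
        $groups += $primary
        $groups += @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($primary.DistinguishedName))")
    }

    # VisualSVN-WinAuthz.ini keys rules by SID (see Thomas's steps 2-4), so the SID
    # string is what gets passed as --username. User first, then de-duplicated groups.
    $principals = @([pscustomobject]@{ Name = $user.SamAccountName; Kind = 'user'; Sid = $user.SID.Value })
    $principals += $groups | Sort-Object -Property { $_.SID.Value } -Unique |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Kind = 'group'; Sid = $_.SID.Value } }

    foreach ($p in $principals) {
        # svnauthz accessof prints rw / r / no on success. Exit code 1 means the authz
        # file did not parse, 2 an operational error; neither is an access answer.
        $out = & $SvnAuthz accessof --username $p.Sid --path $RepoPath $AuthzFile 2>&1
        $access = if ($LASTEXITCODE -eq 0) {
            ($out | Select-Object -First 1).ToString().Trim()
        } else {
            "error(exit $LASTEXITCODE)"
        }
        [pscustomobject]@{
            Principal = $p.Name
            Kind      = $p.Kind
            Sid       = $p.Sid
            Access    = $access
        }
    }
}

# Usage (assumed names and paths):
# Get-SvnAuthzPrincipalReport -SamAccountName 'username' `
#     -AuthzFile 'D:\Repositories\MyRepo\conf\VisualSVN-WinAuthz.ini' `
#     -RepoPath '/branches/MyBranch' | Format-Table -AutoSize
```

The table lists what svnauthz reports for each principal on its own, which is the "table of active privileges" the original question asks for, but it does not decide precedence: which row wins when a user has a direct rule and several group rules at the same path is exactly the question Thomas raises, and the KB33 article Pavel links is where that answer lives, so read the rows against it rather than assuming the widest grant applies. A `no` for a group may simply mean the SID appears nowhere in the file, and `error(exit 1)` means the authz file itself failed to parse and should be fixed before any row is trusted. For subtree questions, `-R` (recursive) can be added to the svnauthz call to see whether access holds below the path as well.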