Using svnperms.py and AuthzSVNAccessFile file together?


Using svnperms.py and AuthzSVNAccessFile file together?

Bennett, Brian

I am able to use svnperms.py as written and have configured a working svnperms.conf with it. My production Subversion environment is currently using an AuthzSVNAccessFile directive in the http configuration to specify groups and read or read-write access; e.g.:

 

[groups]
grp1 = user1, user2, …
grp2 = user3, user4, …

[repo1:/]
@grp1 = r
@grp2 = rw
...

My question has to do with how it might be possible to “integrate” svnperms.py usage alongside repositories that are using the permissions in the AuthzSVNAccessFile file. I know that I can use the precommit hook to “engage” svnperms.py to give me the fine-grained read-write permissions that I am after.  But I’m struggling trying to figure out how to configure the two to work together.

 

My goals are:

* Have all read-write access controlled solely by svnperms.py
* Restrict users that can read the repository

I know that using “* = rw” in the AuthzSVNAccessFile file would allow all read-write requests to be managed by svnperms.py, but it also allows all users to have read access as well. So it is appearing like the only way to make this work is to do something like the following in the AuthzSVNAccessFile file:

 

[groups]
readers1 = user1, user2
readers2 = user3, user4
writers = user5, user6, user7, user8

[repo1:/]
@readers1 = r
@writers = rw

[repo1:/branches]
@readers2 = r

This would give @readers1 read access throughout the repository, @readers2 read access to only the /branches and @writers read-write access to the entire repository but have that access checked against svnperms.py via the precommit call.

 

But it also forces me to list all possible read-write users in the AuthzSVNAccessFile and again in my svnperms.conf file. Is there a configuration possible where I don’t have to list all possible read-write users in both the AuthzSVNAccessFile and the svnperms.conf file?

 

Brian Bennett | Supv System Admin & Support, TA TECH Change Mgmt/Production Support
o: 319-355-7602 | c: 319-533-1094
e: [hidden email] | w: www.transamerica.com

Transamerica
6400 C St. SW, Cedar Rapids, IA 52404 MS-2410


Re: Using svnperms.py and AuthzSVNAccessFile file together?

Branko Čibej
On 24.03.2017 21:28, Bennett, Brian wrote:
> My goals are:
>
> *         Have all read-write access controlled solely by svnperms.py
>
> *         Restrict users that can read the repository
>
> I know that using "* = rw" in the AuthzSVNAccessFile file would allow all read-write requests to be managed by svnperms.py, but it also allows all users to have read access as well. So it is appearing like the only way to make this work is to do something like the following in the AuthzSVNAccessFile file:

http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html

[repo:/]
$authenticated = rw
$anonymous =


RE: Using svnperms.py and AuthzSVNAccessFile file together?

Bennett, Brian
Thank you for the response, but I'd considered that configuration. Doesn't this:

$authenticated = rw

give all authenticated users read access that will not be managed by pre-commit/svnperms (since it isn't a write operation)?

One of my goals is that I must restrict read access as well.

Brian Bennett | Supv System Admin & Support, TA TECH Change Mgmt/Production Support
o: 319-355-7602 | c: 319-533-1094
e: [hidden email] | w: www.transamerica.com

Transamerica
6400 C St. SW, Cedar Rapids, IA 52404 MS-2410


-----Original Message-----
From: Branko Čibej [mailto:[hidden email]]
Sent: Saturday, March 25, 2017 4:41 AM
To: [hidden email]
Cc: Bennett, Brian <[hidden email]>
Subject: Re: Using svnperms.py and AuthzSVNAccessFile file together?

On 24.03.2017 21:28, Bennett, Brian wrote:
> My goals are:
>
> *         Have all read-write access controlled solely by svnperms.py
>
> *         Restrict users that can read the repository
>
> I know that using "* = rw" in the AuthzSVNAccessFile file would allow all read-write requests to be managed by svnperms.py, but it also allows all users to have read access as well. So it is appearing like the only way to make this work is to do something like the following in the AuthzSVNAccessFile file:

http://svnbook.red-bean.com/en/1.7/svn.serverconfig.pathbasedauthz.html

[repo:/]
$authenticated = rw
$anonymous =
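
Added example (not part of the original thread and not Subversion's own code): a simplified Python model of path-based authz lookup, run over the two rule sets posted above, to show who ends up with read access under each. It assumes only [groups], user, @group, *, $authenticated and $anonymous entries, with the deepest section that matches the user deciding; the function and variable names are illustrative.

```python
# Added example, not Subversion's code. Simplified authz model (assumption): only
# [groups], user, @group, *, $authenticated, $anonymous. Rule text is from the thread.
PROPOSED = """
[groups]
readers1 = user1, user2
readers2 = user3, user4
writers = user5, user6, user7, user8
[repo1:/]
@readers1 = r
@writers = rw
[repo1:/branches]
@readers2 = r
"""
SUGGESTED = """
[repo:/]
$authenticated = rw
$anonymous =
"""

def parse(text):
    """Return {section name: [(who, rights), ...]}."""
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif "=" in line and current is not None and not line.startswith("#"):
            who, _, rights = line.partition("=")
            current.append((who.strip(), rights.strip()))
    return sections

def access(text, repo, path, user):
    """Rights ('', 'r' or 'rw') for user on path; user=None means anonymous."""
    sections = parse(text)
    groups = {g: {u.strip() for u in m.split(",")} for g, m in sections.get("groups", [])}
    def matches(who):
        if who.startswith("@"):
            return user in groups.get(who[1:], set())
        return {"*": True, "$authenticated": user is not None,
                "$anonymous": user is None}.get(who, who == user)
    parts = [p for p in path.split("/") if p]
    # Deepest section with a rule matching this user decides; otherwise inherit.
    for depth in range(len(parts), -1, -1):
        rules = sections.get(f"{repo}:/" + "/".join(parts[:depth]), [])
        hits = [rights for who, rights in rules if matches(who)]
        if hits:
            return max(hits, key=len)  # assumption: union of matching lines
    return ""

def readers(text, repo, path, users):
    return [u for u in users if "r" in access(text, repo, path, u)]
```

Calling readers() with the same user list on both rule sets shows the difference discussed in the thread: the group-based rules limit /trunk to readers1 and writers, while the $authenticated rule lets every authenticated name read it, and the pre-commit hook is never consulted for reads.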