From: Michael Orlitzky <michael@orlitzky.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] {OT} Development framework with access restriction?
Date: Tue, 04 Oct 2011 00:25:53 -0400
Message-ID: <4E8A8AD1.1080809@orlitzky.com>
In-Reply-To: <CAN0CFw2-COXcuMQDg+Bsjojp5oVtpn0osU3dcFHKZK-1GQTNZA@mail.gmail.com>
On 10/03/2011 05:54 PM, Grant wrote:
>
> Would multiple repos work in a scenario where different developers
> have access to different stuff and some stuff should be accessible to
> multiple devs? I don't think you want the same stuff in more than one
> repo. It seems like managing multiple repos would get out of hand in
> that sort of situation and I might be better off with config files and
> a single repo.
(for the tl;dr, see the last paragraph)
Subversion separates authentication and authorization:
http://svnbook.red-bean.com/en/1.6/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.auth
You'll hear security people say that a lot, but hopefully an example
makes the difference clear. I'll use Apache in my example, because
that's what we use, and I'm mostly sure I'm not talking out of my ass
this way =)
The "authentication" part is your usernames and passwords.
Authentication is proving who you are. Each developer has his own
username and password -- these only need to be stored once. When you go
the Apache route, Apache itself controls the authentication. In the
"website" definition, we have,
# The SVN "root" which lists all repos, assuming you're allowed to do
# that. This would be offered up as e.g. https://svn.example.org/
#
<Location />
    Allow from all
    DAV svn
    SVNParentPath /var/svn/repos
    SVNListParentPath on
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /var/svn/auth/svnusers
    Require valid-user
    SSLRequireSSL
</Location>

# Accessible via https://svn.example.org/repo1
#
<Location /repo1>
    Allow from all
    DAV svn
    AuthType Basic
    AuthName "Repository One"
    AuthUserFile /var/svn/auth/svnusers
    AuthzSVNAccessFile /var/svn/auth/authz-repo1
    Require valid-user
    SSLRequireSSL
</Location>

# Accessible via https://svn.example.org/repo2
#
<Location /repo2>
    Allow from all
    DAV svn
    AuthType Basic
    AuthName "Repository Two"
    AuthUserFile /var/svn/auth/svnusers
    AuthzSVNAccessFile /var/svn/auth/authz-repo2
    Require valid-user
    SSLRequireSSL
</Location>
You'll notice that both repos (and the root) use the same AuthUserFile.
That's just an Apache 'htpasswd2' file with usernames and encrypted
passwords. Some of our developers have access to every repo, but they
still go in that file just once.
The "authorization" part defines what you're allowed to do once you've
authenticated (i.e. we know who you are). Apache calls this "authz" as
opposed to "auth" everywhere, and it is a subtle distinction that took me
embarrassingly long to realize.
Each Subversion repository can have its own AuthzSVNAccessFile, and that
format is specified somewhere in the Subversion book. Basically, you
list which users (from the AuthUserFile) can do what. In the example
above, the two repos use different authorization files, because our devs
have different permissions in repo1 than they do in repo2.
So, to answer your question: you separate your projects into
repositories logically, in whatever way makes sense. Then, you define
users and permissions to match that. The authentication and
authorization are flexible enough that you shouldn't have to duplicate
anything.
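As an added example (not from Michael's post; the user and group names are made up), here is what the two AuthzSVNAccessFile files referenced in the Apache config above could look like, giving the same htpasswd users different rights in repo1 and repo2:

```ini
# /var/svn/auth/authz-repo1  (constructed example; alice, bob and carol
# are assumed to exist in /var/svn/auth/svnusers)
[groups]
core = alice, bob
contractors = carol

# Default for the whole repository: nobody gets anything unless a more
# specific path section below grants it. The most specific path wins.
[/]
* =

# Core team commits, contractors may only read.
[/trunk]
@core = rw
@contractors = r

# Deployment scripts stay with the core team; "* =" blocks everyone
# else, including the contractors who can read the rest of trunk.
[/trunk/deploy]
@core = rw
* =

# /var/svn/auth/authz-repo2  (constructed example; same users, different
# permissions than in repo1)
[groups]
web = carol

[/]
* =

# In this repo the contractor is the main committer and bob only
# reviews; alice is not mentioned anywhere, so she gets no access.
[/trunk]
@web = rw
bob = r
```

Paths that are not listed inherit the rule of the nearest parent section, so the `* =` under `[/]` means nothing is readable until a more specific section grants it. The authz file only decides what an already-authenticated user may see; the usernames still have to exist in the shared AuthUserFile.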