From: Michael Orlitzky
Date: Tue, 04 Oct 2011 00:25:53 -0400
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] {OT} Development framework with access restriction?
Message-ID: <4E8A8AD1.1080809@orlitzky.com>

On 10/03/2011 05:54 PM, Grant wrote:
>
> Would multiple repos work in a scenario where different developers
> have access to different stuff and some stuff should be accessible to
> multiple devs? I don't think you want the same stuff in more than one
> repo. It seems like managing multiple repos would get out of hand in
> that sort of situation and I might be better off with config files and
> a single repo.

(for the tl;dr, see the last paragraph)

Subversion separates authentication and authorization:

  http://svnbook.red-bean.com/en/1.6/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.auth

You'll hear security people say that a lot, but hopefully an example
makes the difference clear. I'll use Apache in my example, because
that's what we use, and I'm mostly sure I'm not talking out of my ass
this way =)

The "authentication" part is your usernames and passwords.
Authentication is proving who you are. Each developer has his own
username and password -- these only need to be stored once.

When you go the Apache route, Apache itself controls the
authentication. In the "website" definition, we have,

  # (The <Location> container tags in this config were stripped by the
  # list archive and have been restored from the comments below.)

  # The SVN "root" which lists all repos, assuming you're allowed to do
  # that. This would be offered up as e.g. https://svn.example.org/
  <Location />
    # Allow from all
    DAV svn
    SVNParentPath /var/svn/repos
    SVNListParentPath on
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /var/svn/auth/svnusers
    Require valid-user
    SSLRequireSSL
  </Location>

  # Accessible via https://svn.example.org/repo1
  <Location /repo1>
    # Allow from all
    DAV svn
    AuthType Basic
    AuthName "Repository One"
    AuthUserFile /var/svn/auth/svnusers
    AuthzSVNAccessFile /var/svn/auth/authz-repo1
    Require valid-user
    SSLRequireSSL
  </Location>

  # Accessible via https://svn.example.org/repo2
  <Location /repo2>
    # Allow from all
    DAV svn
    AuthType Basic
    AuthName "Repository Two"
    AuthUserFile /var/svn/auth/svnusers
    AuthzSVNAccessFile /var/svn/auth/authz-repo2
    Require valid-user
    SSLRequireSSL
  </Location>

You'll notice that both repos (and the root) use the same
AuthUserFile. That's just an Apache 'htpasswd2' file with usernames and
encrypted passwords. Some of our developers have access to every repo,
but they still go in that file just once.

The "authorization" part defines what you're allowed to do once you've
authenticated (i.e. we know who you are). Apache calls this "authz" as
opposed to "auth" everywhere, which is a subtle distinction that took
me embarrassingly long to realize.

Each Subversion repository can have its own AuthzSVNAccessFile, and
that format is specified somewhere in the Subversion book. Basically,
you list which users (from the AuthUserFile) can do what. In the
example above, the two repos use different authorization files,
because our devs have different permissions in repo1 than they do in
repo2.

So, to answer your question: you separate your projects into
repositories logically, in whatever way makes sense. Then, you define
users and permissions to match that. The authentication and
authorization are flexible enough that you shouldn't have to duplicate
anything.
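As an added example (not from Michael's post, and not Apache's or Subversion's own code), the following Python models the split the post describes: one shared user store in the role of the single AuthUserFile answers "who are you?", and one access file per repository in the role of each AuthzSVNAccessFile answers "what may you do here?". The authz evaluator follows the Subversion access-file conventions (a [groups] section, [/path] sections, "r" / "rw" / empty for no access, most specific path wins, a user rule beats a @group rule beats the "*" rule); resolving several matching groups in sorted order and ignoring aliases and $authenticated are simplifications of this example. All usernames, passwords and rules are constructed sample data.

```python
"""Added example, not part of the mailing-list post: a model of the
authentication / authorization split.  Constructed sample data only."""
import configparser
import hashlib
import hmac
import os
import posixpath

ITERATIONS = 100_000  # PBKDF2 work factor; real htpasswd uses bcrypt/MD5-crypt/etc.


# ---- authentication: one shared store, each developer listed exactly once ----

def make_user_store(credentials):
    """Map username -> (salt, PBKDF2-HMAC-SHA256 digest); never keep plaintext."""
    store = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS))
    return store


def authenticate(store, user, password):
    """True only if the user exists and the password matches the stored digest."""
    # Unknown users get a dummy entry so the check costs the same either way.
    salt, digest = store.get(user, (b"\0" * 16, b"\0" * 32))
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return user in store and hmac.compare_digest(candidate, digest)


# ---- authorization: one access file per repository ----

def parse_authz(text):
    """Parse a Subversion-style access file into (groups, rules).

    groups: group name -> set of members
    rules:  normalized path -> {principal: "r" | "rw" | ""}
    A "reponame:" prefix on a section is dropped: in the setup above each
    file already belongs to exactly one repository."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep the case of user and group names
    cp.read_string(text)
    groups, rules = {}, {}
    for section in cp.sections():
        items = dict(cp.items(section))
        if section == "groups":
            groups = {g: {m.strip() for m in v.split(",") if m.strip()}
                      for g, v in items.items()}
        else:
            path = posixpath.normpath("/" + section.rpartition(":")[2].lstrip("/"))
            rules[path] = items
    return groups, rules


def permission(authz, user, path):
    """Walk from the most specific path upward; the first rule that applies
    to the user wins.  Within a section: user rule > @group rule > "*" rule.
    (Several matching groups are taken in sorted order: a simplification.)"""
    groups, rules = authz
    my_groups = sorted(g for g, members in groups.items() if user in members)
    path = posixpath.normpath("/" + path)
    while True:
        section = rules.get(path, {})
        if user in section:
            return section[user]
        for g in my_groups:
            if "@" + g in section:
                return section["@" + g]
        if "*" in section:
            return section["*"]
        if path == "/":
            return ""  # no rule anywhere: deny by default
        path = posixpath.dirname(path)


def can_access(store, authz_by_repo, user, password, repo, path, want="r"):
    """The full gate: first prove who you are, then look up what you may do *here*."""
    if not authenticate(store, user, password) or repo not in authz_by_repo:
        return False
    granted = permission(authz_by_repo[repo], user, path)
    return all(bit in granted for bit in want)


# ---- constructed sample data: one user store, two per-repo access files ----
USERS = make_user_store({"alice": "correct horse", "bob": "battery staple"})

AUTHZ_REPO1 = """\
[groups]
devs = alice, bob

[/]
@devs = r
* =

[/trunk]
alice = rw
"""

AUTHZ_REPO2 = """\
[groups]
devs = alice, bob

[/]
bob = rw
* =
"""
AUTHZ = {"repo1": parse_authz(AUTHZ_REPO1), "repo2": parse_authz(AUTHZ_REPO2)}

if __name__ == "__main__":
    for user, pw, repo, path, want in [
        ("alice", "correct horse", "repo1", "/trunk/main.c", "rw"),
        ("bob", "battery staple", "repo1", "/trunk/main.c", "w"),
        ("bob", "battery staple", "repo2", "/branches/x", "rw"),
        ("alice", "correct horse", "repo2", "/", "r"),
        ("alice", "wrong", "repo1", "/", "r"),
    ]:
        print(user, repo, path, want, can_access(USERS, AUTHZ, user, pw, repo, path, want))
```

The point the post makes shows up in the data: alice and bob each appear once in USERS, yet alice can write to repo1's trunk and not read repo2 at all, while bob has only read access in repo1 and full access in repo2. Changing what someone may do means editing one repository's access file, never touching the credential store, and a bad password is rejected before any authorization lookup happens.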