Bennett, Brian
2017-03-24 20:28:13 UTC
I am able to use svnperms.py as written and have configured a working svnperms.conf with it. My production Subversion environment is currently using an AuthzSVNAccessFile directive in the http configuration to specify groups and read or read-write access; e.g.:
[groups]
grp1 = user1, user2, ...
grp2 = user3, user4, ...
[repo1:/]
@grp1 = r
@grp2 = rw
.
.
.
My question has to do with how it might be possible to "integrate" svnperms.py usage alongside repositories that are using the permissions in the AuthzSVNAccessFile file. I know that I can use the precommit hook to "engage" svnperms.py to give me the fine-grained read-write permissions that I am after. But I'm struggling trying to figure out how to configure the two to work together.
My goals are:
* Have all read-write access controlled solely by svnperms.py
* Restrict users that can read the repository
I know that using "* = rw" in the AuthzSVNAccessFile file would allow all read-write requests to be managed by svnperms.py, but it also allows all users to have read access as well. So it is appearing like the only way to make this work is to do something like the following in the AuthzSVNAccessFile file:
[groups]
readers1 = user1, user2
readers2 = user3, user4
writers = user5, user6, user7, user8
[repo1:/]
@readers1 = r
@writers = rw
[repo1:/branches]
@readers2 = r
This would give @readers1 read access throughout the repository, @readers2 read access to only the /branches and @writers read-write access to the entire repository but have that access checked against svnperms.py via the precommit call.
But it also forces me to list all possible read-write users in the AuthzSVNAccessFile and again in my svnperms.conf file. Is there a configuration possible where I don't have to list all possible read-write users in both the AuthzSVNAccessFile and the svnperms.conf file?
Brian Bennett | Supv System Admin & Support, TA TECH Change Mgmt/Production Support
o: 319-355-7602 | c: 319-533-1094
e: ***@transamerica.com<mailto:***@transamerica.com> | w: www.transamerica.com<http://www.transamerica.com/>
Transamerica
6400 C St. SW, Cedar Rapids, IA 52404 MS-2410
Facebook<https://www.facebook.com/brian.bennett.31924792> | LinkedIn<https://www.linkedin.com/in/brian-bennett-981bb46>
[groups]
grp1 = user1, user2, ...
grp2 = user3, user4, ...
[repo1:/]
@grp1 = r
@grp2 = rw
.
.
.
My question has to do with how it might be possible to "integrate" svnperms.py usage alongside repositories that are using the permissions in the AuthzSVNAccessFile file. I know that I can use the precommit hook to "engage" svnperms.py to give me the fine-grained read-write permissions that I am after. But I'm struggling trying to figure out how to configure the two to work together.
My goals are:
* Have all read-write access controlled solely by svnperms.py
* Restrict users that can read the repository
I know that using "* = rw" in the AuthzSVNAccessFile file would allow all read-write requests to be managed by svnperms.py, but it also allows all users to have read access as well. So it is appearing like the only way to make this work is to do something like the following in the AuthzSVNAccessFile file:
[groups]
readers1 = user1, user2
readers2 = user3, user4
writers = user5, user6, user7, user8
[repo1:/]
@readers1 = r
@writers = rw
[repo1:/branches]
@readers2 = r
This would give @readers1 read access throughout the repository, @readers2 read access to only the /branches and @writers read-write access to the entire repository but have that access checked against svnperms.py via the precommit call.
But it also forces me to list all possible read-write users in the AuthzSVNAccessFile and again in my svnperms.conf file. Is there a configuration possible where I don't have to list all possible read-write users in both the AuthzSVNAccessFile and the svnperms.conf file?
Brian Bennett | Supv System Admin & Support, TA TECH Change Mgmt/Production Support
o: 319-355-7602 | c: 319-533-1094
e: ***@transamerica.com<mailto:***@transamerica.com> | w: www.transamerica.com<http://www.transamerica.com/>
Transamerica
6400 C St. SW, Cedar Rapids, IA 52404 MS-2410
Facebook<https://www.facebook.com/brian.bennett.31924792> | LinkedIn<https://www.linkedin.com/in/brian-bennett-981bb46>