Rolling my own path-based authorization via hooks?

  • Rolling my own path-based authorization via hooks?

    I anticipate that my repository will need to control RW authorization based on paths. The approach described in "Path-Based Authorization" of the red bean book does not look very promising.

    My workplace divides development into components - where component access is associated with particular groups. Development is further organized into branches (possibly many dozens - anyone is allowed to create a new branch) - with instances of different components being committed to various branches.

    So, an example instantaneous state might be:

    branches/branchA/compA
                    /compB
                    /compC
    branches/branchB/compA
                    /compB
    branches/branchC/compB

    The group that has access to "compA" - really needs to have access to "branches/*/compA". As near as I can tell - wild cards are not yet supported in path based authorization. I could automatically rewrite the authorization file every time anyone creates a branch - but I'm not thrilled about creating an authorization operation that is O(branch count * component count).

    So I was looking at whether I could implement hooks to provide the needed control.

    It appears that there is a pre-commit hook that would allow me to control write access. But I didn't immediately see a corresponding hook for read access as needed by check out or update operations. Perhaps I'm not looking in the correct place(s)?

    -jrm

  • #2
    You need to upgrade your server to SVN 1.10 - which just shipped a couple of weeks ago.

    In there you will find support for wildcards. They are going to take a little bit of getting used to but should fill in the huge gap that would have existed before 1.10!

    The release notes: https://subversion.apache.org/docs/release-notes/1.10.html
    Improved path-based AuthZ: https://subversion.apache.org/docs/release-notes/1.10.html#authzperf

    Check out a slide-deck describing them. It's a bit out of date: you can now have more than one asterisk ('*') within a single Atom (you'll see what I mean).
    https://svn.haxx.se/dev/archive-2017-02/att-0188/SubversionWildcards.pptx
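
The branch/component layout from the first post, written as a Subversion 1.10 authz file with wildcard rules. This is an added example, not part of the original thread; the group names, user names, the default-deny rule and the "anyone may create a branch" rule are assumptions made for illustration.

```ini
# Constructed example for SVN 1.10+ path-based authz.
# Users and groups are placeholders.
[groups]
compA-devs = alice, bob
compB-devs = carol, dave
compC-devs = erin

# Default deny: nothing is readable or writable unless granted below.
[/]
* =

# Assumed policy from the first post: anyone may create a branch,
# so everyone gets rw on the branches directory itself.
[/branches]
* = rw

# Wildcard rules use the ":glob:" section prefix. The "*" stands for
# one path segment (the branch name), so each rule covers that
# component in every existing and future branch.
# Each rule first removes the rw inherited from /branches, then
# grants it back to the owning group only. An empty value denies
# both read and write, which is what the hooks could not do.
[:glob:/branches/*/compA]
* =
@compA-devs = rw

[:glob:/branches/*/compB]
* =
@compB-devs = rw

[:glob:/branches/*/compC]
* =
@compC-devs = rw

# Pre-1.10 equivalent, for comparison: one literal section per
# branch and component, regenerated whenever a branch is created.
# [/branches/branchA/compA]
# * =
# @compA-devs = rw
# [/branches/branchB/compA]
# * =
# @compA-devs = rw
# ... and so on for every branch/component pair.
```

The rule count now grows with the number of components only. After editing, check the result against real paths as a member and a non-member of each group before relying on it, since a missing `* =` line leaves the inherited `rw` in place.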

    • #3
      Excellent! I see the release note now...
