Checkout/update once for all authorized folders under the same repo


  • Checkout/update once for all authorized folders under the same repo

    I have a MyCompany repo whose folder structure is as follows:

    MyCompany/
    └── departments
        ├── HR
        ├── Public
        │   ├── OPS
        │   ├── QA
        │   └── PM
        ├── IPD
        └── develop
            ├── IAP
            ├── AM
            └── TM


    I have set up path-access:

    [MyCompany:/departments/Public/OPS]
    @g_ops=rw

    [MyCompany:/departments/HR]
    @g_ops=rw

    [MyCompany:/departments/develop/TM]
    @g_ops=rw


    I.e., group g_ops can only access 3 folders: departments/Public/OPS, departments/HR and departments/develop/TM.

    If @g_ops wants to access departments/Public/OPS,
    they have to checkout/update from http://svn.mycompany.com/MyCompany/d...nts/Public/OPS
    If @g_ops wants to access departments/HR,
    they have to checkout/update from http://svn.mycompany.com/MyCompany/departments/HR

    That is not convenient.

    I wonder whether it is possible that:
    @g_ops only has to checkout/update once from http://svn.mycompany.com/MyCompany/,
    and they will automatically checkout/update all the data of the folders they are authorized for under the same repo.
    The folder structure of their workspace might look like this:

    MyCompany/
    └── departments
        ├── HR
        ├── Public
        │   └── OPS
        └── develop
            └── TM



    Thank you!
    Last edited by DougR; 07-27-2018, 07:11 PM. Reason: Another attempt to fix structure.

  • #2
    I call what you described "buried access" for exactly the reason that you must know the path exactly for the URL and the checkouts/updates/checkins can only occur to those paths. And you end up needing 1 working copy for each buried directory where access is enabled.

    You can either live with this OR choose to give them READONLY for the other paths from the root down. If you do the latter then they will be able to see the directory names down to their checkouts. Depending on how you write the rules, they'll either be able to see the other, uninvolved directories (and their contents) - or not.

    NOTE: SVN 1.10 has enabled wildcarding that might be very helpful if you choose to move toward the latter.



    • #3
      Hi, DougR.
      Thank you for your reply. I know that truth now.
      The latter method may achieve it. And "wildcarding" may save a lot of work in writing rules.
      And I think that if the folder structure of the repo is complicated, and many users have this requirement,
      I will still have to write quite a lot of rules.



      • #4
        I am trying to implement it using a wildcard (Apache Subversion version 1.10.0 (r1827917)) ( https://subversion.apache.org/docs/r...html#authzperf ).
        It failed; it shows "You don't have permission to access /MyCompany/ on this server."


        [/]
        * = r

        [MyCompany:/departments/Public/OPS]
        @g_ops = rw

        [MyCompany:/departments/HR]
        @g_ops = rw

        [MyCompany:/departments/develop/TM]
        @g_ops = rw

        [MyCompany:/departments/**/]
        @g_ops =


        root@ubt-18:/home/svn# apt-cache policy subversion |grep Installed
        Installed: 1.10.0-2ubuntu2
        root@ubt-18:/home/svn# apt-cache policy libapache2-mod-svn | grep Installed
        Installed: 1.10.0-2ubuntu2



        • #5
          The rules that you are specifying are for a repository called "MyCompany", not a branch called "MyCompany". And for this type of construction to work it is critical that "MyCompany" be directly following the SVNParentPath (if you're using Apache) or directly below the root path (if you're using svnserve).

          Beyond that, the one rule that contains a wildcard is incorrect for 2 reasons:
          A. You need to tell SVN that it should be considered a wildcard rule (the default is NOT).
          B. You probably don't want to end with a slash ('/').

          So the rule would look like:

          [:glob:MyCompany:/departments/**]
          @g_ops =

          What this says is to block the g_ops group from accessing the /departments directory and everything below it, regardless of whether there is another rule enabling them or not. Since that rule is last in the file, it will have highest precedence and therefore disable all of the prior rules! So, you should put that last rule first in the file - to drop its priority to last.

          However, you're not done yet because, while the other rules will explicitly enable access to those specified paths, since the /** rule directly matches all files and other directories in those directories specified, access to those files and other directories will be blocked as well. You probably do NOT want to use a wildcard for this rule. So it should become:

          [MyCompany:/department]
          @g_ops =

          You might want to download and study: https://svn.haxx.se/dev/archive-2017...Wildcards.pptx



          • #6
            Hi, DougR.
            Thank you for your detailed explanation.

            The following rules do not restrict anything.


            [/]
            * = r

            [MyCompany:/department]
            @g_ops =

            [MyCompany:/departments/Public/OPS]
            @g_ops = rw

            [MyCompany:/departments/HR]
            @g_ops = rw

            [MyCompany:/departments/develop/TM]
            @g_ops = rw



            The following rules not show "forbidden" - "You don't have permission to access /MyCompany/ on this server."


            [MyCompany:/department]
            @g_ops =

            [MyCompany:/departments/Public/OPS]
            @g_ops = rw

            [MyCompany:/departments/HR]
            @g_ops = rw

            [MyCompany:/departments/develop/TM]
            @g_ops = rw



            • #7
              Did you mean to say "The following rules *now* show..."? I'll assume so.

              The 1st rule in the 1st section above gives every account read access to the entire repository, including unauthenticated access. Due to that, until/unless an operation requires further rights (like needing to make changes), then the other rules won't be involved since they require authenticated accounts in order to determine if they are involved.

              Perhaps change that 1st rule in the 1st section to be:

              [/]
              $authenticated = r

              That might change things significantly.

              One question: did you mean for the "/department" to be singular (and to therefore not match "/departments/HR")?

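The rule sets discussed in posts #5 to #7, run through a simplified model of Subversion's non-glob authz lookup. This is an added example, not code from the thread or from the Subversion project. It assumes the nearest ancestor section that names the user decides access; the user "alice" and the `[groups]` section are constructed, and neither glob rules nor Apache's authentication handshake are modelled.

```python
# Added example: simplified model of Subversion's non-glob authz lookup.
# "alice" and the [groups] section are constructed sample data.
def parse_authz(text):
    rules, groups, section = {}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            section = line[1:-1]
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "groups":
            groups[key] = {u.strip() for u in value.split(",") if u.strip()}
        else:
            repo, _, path = section.rpartition(":")
            rules.setdefault((repo, path.rstrip("/") or "/"), []).append((key, value))
    return rules, groups

def matches(subject, user, groups):
    if subject.startswith("@"):
        return user in groups.get(subject[1:], set())
    return subject == "*" or (subject == "$authenticated" and user is not None) or subject == user

def access(authz, repo, path, user):
    """Rights ('', 'r' or 'rw') for user (None = anonymous) on repo:path."""
    rules, groups = parse_authz(authz)
    parts = [p for p in path.split("/") if p]
    for depth in range(len(parts), -1, -1):          # path, parent, ..., root
        candidate = "/" + "/".join(parts[:depth])
        # repo-specific section first, then the generic one (model assumption)
        for key in ((repo, candidate), ("", candidate)):
            hits = [r for s, r in rules.get(key, []) if matches(s, user, groups)]
            if hits:
                return max(hits, key=len)            # '' < 'r' < 'rw'
    return ""

TEMPLATE = """[groups]
g_ops = alice
[/]
{everyone} = r
[MyCompany:{parent}]
@g_ops =
[MyCompany:/departments/Public/OPS]
@g_ops = rw
[MyCompany:/departments/HR]
@g_ops = rw
[MyCompany:/departments/develop/TM]
@g_ops = rw
"""
POSTED = TEMPLATE.format(everyone="*", parent="/department")
REVISED = TEMPLATE.format(everyone="$authenticated", parent="/departments")
```

In this model `access(POSTED, "MyCompany", "/departments/IPD", "alice")` returns `'r'` because the singular `/department` section never matches, while the same call with `REVISED` returns `''`.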