Author: kotkov
Date: Wed Feb 17 15:19:47 2016
New Revision: 1730856
URL: http://svn.apache.org/viewvc?rev=1730856&view=rev
Log:
Provide a (hopefully) better documentation for the AuthzSVNGroupsFile
directive and for the groups-db option in svnserve.conf.
* subversion/libsvn_repos/repos.c
(create_conf): Explain the purpose of the groups-db option.
* subversion/mod_authz_svn/INSTALL
(II.1, Example 8): Add necessary details to this example with the
AuthzSVNGroupsFile directive.
(II.2): Split into two subsections with the format details and examples
for both access files and files with the group definitions.
Modified:
subversion/trunk/subversion/libsvn_repos/repos.c
subversion/trunk/subversion/mod_authz_svn/INSTALL
Modified: subversion/trunk/subversion/libsvn_repos/repos.c
URL:
http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_repos/repos.c?rev=1730856&r1=1730855&r2=1730856&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_repos/repos.c (original)
+++ subversion/trunk/subversion/libsvn_repos/repos.c Wed Feb 17 15:19:47 2016
@@ -848,11 +848,16 @@ create_conf(svn_repos_t *repos, apr_pool
"### no path-based access control is done." NL
"### Uncomment the line below to use the default authorization file." NL
"# authz-db = " SVN_REPOS__CONF_AUTHZ NL
-"### The groups-db option controls the location of the groups file." NL
-"### Unless you specify a path starting with a /, the file's location is" NL
-"### relative to the directory containing this file. The specified path" NL
-"### may be a repository relative URL (^/) or an absolute file:// URL to a" NL
-"### text file in a Subversion repository." NL
+"### The groups-db option controls the location of the file with the" NL
+"### group definitions and allows maintaining groups separately from the" NL
+"### authorization rules. The groups-db file is of the same format as the" NL
+"### authz-db file and should contain a single [groups] section with the" NL
+"### group definitions. If the option is enabled, the authz-db file cannot" NL
+"### contain a [groups] section. Unless you specify a path starting with" NL
+"### a /, the file's location is relative to the directory containing this" NL
+"### file. The specified path may be a repository relative URL (^/) or an" NL
+"### absolute file:// URL to a text file in a Subversion repository." NL
+"### This option is not being used by default." NL
"# groups-db = " SVN_REPOS__CONF_GROUPS NL
"### This option specifies the authentication realm of the repository." NL
"### If two repositories have the same authentication realm, they should" NL
Modified: subversion/trunk/subversion/mod_authz_svn/INSTALL
URL:
http://svn.apache.org/viewvc/subversion/trunk/subversion/mod_authz_svn/INSTALL?rev=1730856&r1=1730855&r2=1730856&view=diff
==============================================================================
--- subversion/trunk/subversion/mod_authz_svn/INSTALL (original)
+++ subversion/trunk/subversion/mod_authz_svn/INSTALL Wed Feb 17 15:19:47 2016
@@ -186,10 +186,16 @@ II. Configuration
The "Require" statement in the previous example is not strictly
needed, but has been included for clarity.
- H. Example 8: Separate authz and groups files.
+ H. Example 8: Separating groups and authorization rules
- This configuration allows storing the groups separately from the
- main authz file with the authorization rules.
+ It may be convenient to maintain group definitions separately from
+ the authorization rules. This configuration allows splitting them
+ into two separate files.
+
+ The file specified by the AuthzSVNGroupsFile directive uses the
+ same format as the ordinary authz file and should contain a single
+ section with the group definitions. See section II.2.B for more
+ details.
<Location /svn>
DAV svn
@@ -205,78 +211,106 @@ II. Configuration
Require valid-user
</Location>
+ Configurations with per-repository access files may also use a
+ single file containing the group definitions. This configuration
+ avoids the need to duplicate the group definitions across multiple
+ per-repository access files.
+
+ AuthzSVNReposRelativeAccessFile filename
+ AuthzSVNGroupsFile /path/to/groups/file
+
+ NOTE: When the AuthzSVNGroupsFile directive is enabled, the
+ file specified with the AuthzSVNReposRelativeAccessFile or
+ AuthzSVNAccessFile directive cannot contain any group definitions.
+
2. Specifying permissions
- The file format of the access file looks like this:
+ A. File format of the access file
- [groups]
- <groupname> = <user>[,<user>...]
- ...
-
- [<path in repository>]
- @<group> = [rw|r]
- <user> = [rw|r]
- * = [rw|r]
-
- [<repository name>:<path in repository>]
- @<group> = [rw|r]
- <user> = [rw|r]
- * = [rw|r]
-
- An example (line continued lines are supposed to be on one line):
-
- [groups]
- subversion = jimb,sussman,kfogel,gstein,brane,joe,ghudson,fitz, \
- daniel,cmpilato,kevin,philip,jerenkrantz,rooneg, \
- bcollins,blair,striker,naked,dwhedon,dlr,kraai,mbk, \
- epg,bdenny,jaa
- subversion-doc = nsd,zbrown,fmatias,dimentiy,patrick
- subversion-bindings = xela,yoshiki,morten,jespersm,knacke
- subversion-rm = mprice
- ...and so on and so on...
-
- [/]
- # Allow everyone read on the entire repository
- * = r
- # Allow devs with blanket commit to write to the entire repository
- @subversion = rw
-
- [/trunk/doc]
- @subversion-doc = rw
-
- [/trunk/subversion/bindings]
- @subversion-bindings = rw
-
- [/branches]
- @subversion-rm = rw
-
- [/tags]
- @subversion-rm = rw
-
- [/branches/issue-650-ssl-certs]
- mass = rw
-
- [/branches/pluggable-db]
- gthompson = rw
-
- ...
-
- [/secrets]
- # Just for demonstration
- * =
- @subversion = rw
-
- # In case of SVNParentPath we can specify which repository we are
- # referring to. If no matching repository qualified section is found,
- # the general unqualified section is tried.
- #
- # NOTE: This will work in the case of using SVNPath as well, only the
- # repository name (the last element of the url) will always be the
- # same.
- [dark:/]
- * =
- @dark = rw
+ The file format of the access file looks like this:
- [light:/]
- @light = rw
+ [groups]
+ <groupname> = <user>[,<user>...]
+ ...
+
+ [<path in repository>]
+ @<group> = [rw|r]
+ <user> = [rw|r]
+ * = [rw|r]
+
+ [<repository name>:<path in repository>]
+ @<group> = [rw|r]
+ <user> = [rw|r]
+ * = [rw|r]
+
+ An example (line continued lines are supposed to be on one line):
+
+ [groups]
+ subversion = jimb,sussman,kfogel,gstein,brane,joe,ghudson,fitz, \
+ daniel,cmpilato,kevin,philip,jerenkrantz,rooneg, \
+ bcollins,blair,striker,naked,dwhedon,dlr,kraai,mbk, \
+ epg,bdenny,jaa
+ subversion-doc = nsd,zbrown,fmatias,dimentiy,patrick
+ subversion-bindings = xela,yoshiki,morten,jespersm,knacke
+ subversion-rm = mprice
+ ...and so on and so on...
+
+ [/]
+ # Allow everyone read on the entire repository
+ * = r
+ # Allow devs with blanket commit to write to the entire repository
+ @subversion = rw
+
+ [/trunk/doc]
+ @subversion-doc = rw
+
+ [/trunk/subversion/bindings]
+ @subversion-bindings = rw
+
+ [/branches]
+ @subversion-rm = rw
+
+ [/tags]
+ @subversion-rm = rw
+
+ [/branches/issue-650-ssl-certs]
+ mass = rw
+
+ [/branches/pluggable-db]
+ gthompson = rw
+
+ ...
+
+ [/secrets]
+ # Just for demonstration
+ * =
+ @subversion = rw
+
+ # In case of SVNParentPath we can specify which repository we are
+ # referring to. If no matching repository qualified section is
+ # found, the general unqualified section is tried.
+ #
+ # NOTE: This will work in the case of using SVNPath as well, only
+ # the repository name (the last element of the url) will always be
+ # the same.
+ [dark:/]
+ * =
+ @dark = rw
+
+ [light:/]
+ @light = rw
+
+ B. File format of the groups file
+
+ The file format of the groups file looks like this:
+
+ [groups]
+ <groupname> = <user>[,<user>...]
+ ...
+
+ An example:
+
+ [groups]
+ developers = harry,sally,john
+ managers = jim,joe
