On 10/03/2011 05:54 PM, Grant wrote:
> 
> Would multiple repos work in a scenario where different developers
> have access to different stuff and some stuff should be accessible to
> multiple devs?  I don't think you want the same stuff in more than one
> repo.  It seems like managing multiple repos would get out of hand in
> that sort of situation and I might be better off with config files and
> a single repo.

(for the tl;dr, see the last paragraph)

Subversion separates authentication and authorization:

http://svnbook.red-bean.com/en/1.6/svn.serverconfig.svnserve.html#svn.serverconfig.svnserve.auth

You'll hear security people say that a lot, but hopefully an example
makes the difference clear. I'll use Apache in my example, because
that's what we use, and I'm mostly sure I'm not talking out of my ass
this way =)

The "authentication" part is your usernames and passwords.
Authentication is proving who you are. Each developer has his own
username and password -- these only need to be stored once. When you go
the Apache route, Apache itself controls the authentication. In the
"website" definition, we have,


  # The SVN "root" which lists all repos, assuming you're allowed to do
  # that. This would be offered up as e.g. https://svn.example.org/
  #
  <Location />
    Allow from all
    DAV svn
    SVNParentPath /var/svn/repos
    SVNListParentPath on
    AuthType Basic
    AuthName "Subversion Repository"
    AuthUserFile /var/svn/auth/svnusers
    Require valid-user
    SSLRequireSSL
  </Location>


  # Accessible via https://svn.example.org/repo1
  #
  <Location /repo1>
    Allow from all
    DAV svn
    AuthType Basic
    AuthName "Repository One"
    AuthUserFile /var/svn/auth/svnusers
    AuthzSVNAccessFile /var/svn/auth/authz-repo1
    Require valid-user
    SSLRequireSSL
  </Location>


  # Accessible via https://svn.example.org/repo2
  #
  <Location /repo2>
    Allow from all
    DAV svn
    AuthType Basic
    AuthName "Repository Two"
    AuthUserFile /var/svn/auth/svnusers
    AuthzSVNAccessFile /var/svn/auth/authz-repo2
    Require valid-user
    SSLRequireSSL
  </Location>


You'll notice that both repos (and the root) use the same AuthUserFile.
That's just an Apache 'htpasswd2' file with usernames and encrypted
passwords. Some of our developers have access to every repo, but they
still go in that file just once.

The "authorization" part defines what you're allowed to do once you've
authenticated (i.e. we know who you are). Apache calls this "authz" as
opposed to "auth" everywhere, and it's a subtle distinction that took me
embarrassingly long to realize.

Each Subversion repository can have its own AuthzSVNAccessFile, and that
format is specified somewhere in the Subversion book. Basically, you
list which users (from the AuthUserFile) can do what. In the example
above, the two repos use different authorization files, because our devs
have different permissions in repo1 than they do in repo2.

So, to answer your question: you separate your projects into
repositories logically, in whatever way makes sense. Then, you define
users and permissions to match that. The authentication and
authorization are flexible enough that you shouldn't have to duplicate
anything.

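Added example (not part of the original message and not Subversion's own code): a Python sketch of the split described above, with one shared user list and a separate authz file per repo, that reports each user's effective access at the repository root and flags authz names missing from the user file. The file contents, usernames and helper names are constructed for illustration; only the `[groups]` and `[/]` sections are evaluated, and per-path sections and other authz syntax are ignored.

```python
import configparser

# Constructed sample data: one shared AuthUserFile, one authz file per repo.
# The password fields are placeholders, not real hashes.
HTPASSWD = "alice:$apr1$x$A\nbob:$apr1$x$B\ncarol:$apr1$x$C\n"
AUTHZ = {
    "repo1": "[groups]\ndevs = alice, bob\n[/]\n@devs = rw\n* =\n",
    "repo2": "[groups]\ndevs = alice\n[/]\n@devs = rw\nbob = r\ncarrol = rw\n* =\n",
}

def htpasswd_users(text):
    """Usernames are the field before the first ':' on each line."""
    return {ln.split(":", 1)[0] for ln in text.splitlines() if ":" in ln}

def parse_authz(text):
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep names exactly as written (no lowercasing)
    cp.read_string(text)
    return cp

def expand(name, groups, seen=()):
    """Resolve '@group' (possibly nested) to a set of usernames."""
    if not name.startswith("@"):
        return {name}
    if name in seen:  # guard against groups that include each other
        return set()
    out = set()
    for member in groups.get(name[1:], "").split(","):
        if member.strip():
            out |= expand(member.strip(), groups, seen + (name,))
    return out

def root_access(cp, users):
    """Access at [/] is the union of every rule that matches the user."""
    groups = dict(cp["groups"]) if cp.has_section("groups") else {}
    access, unknown = {u: "" for u in users}, set()
    for who, perm in (cp["/"].items() if cp.has_section("/") else []):
        targets = users if who == "*" else expand(who, groups)
        unknown |= targets - users  # named in authz, absent from user file
        for u in targets & users:
            access[u] = "".join(sorted(set(access[u]) | set(perm.strip())))
    return access, unknown

def audit(htpasswd, authz_files):
    users = htpasswd_users(htpasswd)
    return {r: root_access(parse_authz(t), users) for r, t in authz_files.items()}

if __name__ == "__main__":
    for repo, (access, unknown) in audit(HTPASSWD, AUTHZ).items():
        print(repo, access, "not in user file:", sorted(unknown))
```

In the constructed data, `bob` has read-write access in repo1 but read-only access in repo2 while appearing in the user file once, and the misspelled `carrol` entry is reported because no such user can ever authenticate.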