On 17.10.2013 20:00, Alexey Neyman wrote:
> Hi all,
>
> We are actively using authz path-based authentication rules: due to some legal
> requirements, some parts of our product source code are not accessible to a
> part of the developer team. Currently authz does not support wildcards (there
> is an issue about that [1] discussed since 2006). Because of this, each time a
> branch is created, authz rules have to be copied and modified for the new
> branch.
>
> This leads to a proliferation of authz rules; our authz is currently about
> 2000 lines and growing. I am currently implementing a post-commit script so
> that we would be able to record authz rules on files/directories, and authz
> would be appended with new rules every time these files/directories are
> copied.
>
> First, I am wondering how well such an 'authz' approach would scale. Has anyone
> run scalability tests on authz?
>
> Second, I thought that if I am using properties to track authz-controlled
> files, the SVN server would probably do that more effectively than a post-commit
> script. As an added value, property-based authz would allow versioning in
> path-based auth configuration that the current mechanism does not allow. E.g.,
> currently one could configure path /foo as either R/O, R/W or
> inaccessible to user U; it is not possible to configure the path to be
> inaccessible before/after a certain revision.
>
> Thoughts? Ideas?
Properties are not suitable for storing ACLs because they are immutable; i.e., you cannot change properties on committed files and directories. You need a different kind of structure, one that the Subversion repository does not have yet.

In-repository ACLs are a feature that we'd like to add to the new repository back-end that's being developed. But don't hold your breath; it will be several years before this is available.

In the meantime, one authz file per repository (and preferably stored /in/ the repository, which is a new feature in 1.8) is IMO the best available option. You can also use the pre-commit and pre-revprop-change hooks and build your own authz system around those, but that's a lot of work.

-- Brane

--
Branko Čibej | Director of Subversion
WANdisco // Non-Stop Data
e. br...@wandisco.com
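The per-branch rule copying that Alexey describes, automated as a small script that mirrors every `[path]` section under the copy source onto the copy target so a freshly copied branch does not fall back to the permissive `[/]` rule: an added example, not code from the thread or from Subversion itself. The authz text is constructed; in a post-commit hook the source and target prefixes would come from the commit's copy information (e.g. `svnlook changed --copy-info`).

```python
import configparser
import io

# Constructed sample authz file (not from the thread). [/] grants everyone
# read access, so a branch copied from /trunk exposes its "secret" tree
# until the matching rules are appended for the new path.
SAMPLE_AUTHZ = """\
[groups]
core = alice,bob
contractors = carol

[/]
* = r

[/trunk/secret]
@core = rw
@contractors =
"""

def load_authz(text):
    # Names are case-sensitive in authz and '%' must stay literal.
    cp = configparser.ConfigParser(allow_no_value=True, delimiters=("=",),
                                   interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def branch_rules(authz, src_prefix, dst_prefix):
    """Map each [path] section under src_prefix to its counterpart under
    dst_prefix, skipping ones that already exist ([repo:/path] is untouched)."""
    new = {}
    for section in authz.sections():
        if section == src_prefix or section.startswith(src_prefix + "/"):
            target = dst_prefix + section[len(src_prefix):]
            if not authz.has_section(target):
                new[target] = dict(authz.items(section))
    return new

def append_branch(text, src_prefix, dst_prefix):
    """Return (updated authz text, sorted names of sections added)."""
    authz = load_authz(text)
    added = branch_rules(authz, src_prefix, dst_prefix)
    for section, options in added.items():
        authz.add_section(section)
        for name, value in options.items():
            authz.set(section, name, value)
    out = io.StringIO()
    authz.write(out)
    return out.getvalue(), sorted(added)
```

Running it a second time on its own output adds nothing, so the hook can safely re-run on every commit that touches a copy.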