On 2013/10/18 5:09 PM, Ben Reser wrote:
> On 10/18/13 12:46 PM, Naumenko, Roman wrote:
>> But there are still checks (or maybe this is just an info log) against the access file for each path in the repository. Is it something expected or enabled somewhere by default?
>>
>> [Fri Oct 18 15:35:52 2013] [info] [client 10.11.11.18] Access granted: 'user1' REPORT /trunk/very_long_path/Data.manifest
>> [Fri Oct 18 15:35:52 2013] [debug] subversion/mod_authz_svn/mod_authz_svn.c(195): [client 10.11.11.18] Path to authz file is /path_to_access_file/svn_acc
>>
>> I mean, if a user has access to a repository, why check all the paths under it? Or is it just an info log about mod_authz_svn processing the path directly, as you said?
>
> The authz access file is only read once per connection. But the checks will be run for each path accessed by the request.
>
> Some of the requests over HTTP actually access multiple paths in the repository. For instance, a REPORT request might be doing what's referred to as a bulk update, in which case it's asking for details on all the paths under a given path. The update REPORT in this case will include file content for paths under the path. Only the top-level path will be in the URI. If you want to disallow access to some paths under that root path of the request, it is necessary to check all the paths.
>
> Some other operations like COPY and MOVE also touch paths other than the one in the URI for the request, since the action requires two paths.
>
> So what you're seeing is perfectly normal operation for the short_circuit configuration.
>
> You can entirely disable the additional checks mentioned above by setting "SVNPathAuthz off". However, I would not recommend that, as it will make some authz rules ineffective. The hole created by this in the update report case can be closed by also setting "SVNAllowBulkUpdate off", but that doesn't help the COPY or MOVE cases. So in general, there's really not a great reason to use the off setting.

I'd like to thank you, Ben. With short_circuit (and LDAP caching mentioned below in the thread), svn experience is much better.
--Roman
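The settings discussed in this message, laid out as an added example (not configuration posted by anyone in the thread): the `off` variant Ben advises against is shown commented out beside the `short_circuit` setting. The location, repository path, password file and the sample authz rule are assumptions made for illustration; only the access file path comes from the log line above.

```apache
<Location /svn>
    DAV svn
    # Assumed repository parent directory.
    SVNParentPath /var/svn/repos

    AuthType Basic
    AuthName "Subversion"
    # Assumed credential store; the thread uses LDAP instead.
    AuthUserFile /etc/apache2/svn.htpasswd
    Require valid-user

    # Access file path as it appears in the debug log line.
    AuthzSVNAccessFile /path_to_access_file/svn_acc

    # A constructed rule of the kind that depends on per-path checks:
    #   [/trunk/very_long_path/private]
    #   user1 =
    # A REPORT or COPY whose URI is /trunk still touches this path,
    # so the rule only holds if every accessed path is checked.

    # Not recommended: disables the per-path checks, so rules like the
    # one above stop being enforced for paths not named in the URI.
    # SVNPathAuthz off
    # Closes the gap for bulk update REPORTs only; COPY and MOVE
    # remain unchecked.
    # SVNAllowBulkUpdate off

    # Keeps the per-path checks but has mod_dav_svn call mod_authz_svn
    # directly, producing one "Access granted" log entry per path.
    SVNPathAuthz short_circuit
</Location>
```

With `short_circuit`, path decisions come from mod_authz_svn alone, so any path-based restrictions enforced by other Apache authorization modules are not consulted for these checks.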
