[svnbook] r3781 committed - * src/en/book/ch06-server-configuration.xml...
svnbook at googlecode.com
Mon Sep 13 14:18:17 CDT 2010
Revision: 3781
Author: cmpilato at gmail.com
Date: Mon Sep 13 12:17:34 2010
Log: * src/en/book/ch06-server-configuration.xml
For issue 8, document the $authenticated and $anonymous magic authz
file authentication class tokens and the tilde (~) exclusion marker.
http://code.google.com/p/svnbook/source/detail?r=3781
Modified:
/trunk/src/en/book/ch06-server-configuration.xml
=======================================
--- /trunk/src/en/book/ch06-server-configuration.xml Mon Sep 13 11:29:19
2010
+++ /trunk/src/en/book/ch06-server-configuration.xml Mon Sep 13 12:17:34
2010
@@ -2916,11 +2916,11 @@
load the <command>mod_authz_svn</command> module and then add
the <literal>AuthzSVNAccessFile</literal> directive (within
the <filename>httpd.conf</filename> file) pointing to your own
- rules file. (For a full explanation, see
+ access rules file. (For a full explanation, see
<xref linkend="svn.serverconfig.httpd.authz.perdir"/>.) If
you're using <command>svnserve</command>, you need to make
the <literal>authz-db</literal> variable
- (within <filename>svnserve.conf</filename>) point to your
+ (within <filename>svnserve.conf</filename>) point to your access
rules file.</para>
<sidebar>
@@ -2985,7 +2985,7 @@
</sidebar>
- <para>Once your server knows where to find your rules file, it's
+ <para>Once your server knows where to find your access file, it's
time to define the rules.</para>
<para>The syntax of the file is the same familiar one used
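Review bot: The term introduced in the changed line `<para>Once your server knows where to find your access file` does not match the one the preceding hunk of this commit introduces, "access rules file" (used twice there), so the same file now has two names within a few paragraphs. The text added further down in this commit says "access file" throughout, so using "access file" in the earlier hunk as well would keep the chapter consistent.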
@@ -3143,10 +3143,15 @@
everyone = @calc-developers, @paint-developers
</screen>
- <para>Subversion 1.5 brings another useful feature to the access
- file syntax: username aliases. Some authentication systems
- expect and carry relatively short usernames of the sorts we've
- been describing here—<literal>harry</literal>,
+ <para>Subversion 1.5 brought several useful features to the access
+ file syntax—username aliases, authentication class tokens,
+ and a new rule exclusion mechanism—all of which further
+ simplify the maintenance of the access file. We'll describe
+ first the username aliases feature.</para>
+
+ <para>Some authentication systems expect and carry relatively
+ short usernames of the sorts we've been describing
+ here—<literal>harry</literal>,
<literal>sally</literal>, <literal>joe</literal>, and so on. But
other authentication systems—such as those which use LDAP
stores or SSL client certificates—may carry much more
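Review bot: The closing sentence of the new introductory paragraph, "We'll describe first the username aliases feature", reads awkwardly; "We'll describe the username aliases feature first" is the more natural word order. The paragraph also names the other two features as "authentication class tokens" and "a new rule exclusion mechanism", so it would help if the later paragraphs reused those exact phrases when they introduce `$authenticated`/`$anonymous` and the tilde, letting the reader match the list to the sections.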
@@ -3186,6 +3191,55 @@
instead of doing global-search-and-replace operations on the
whole access file.</para>
+ <para>Subversion also supports some <quote>magic</quote> tokens
+ for helping you to make rule assignments based on the user's
+ authentication class. One such token is
+ the <literal>$authenticated</literal> token. Use this token
+ where you would otherwise specify a username, alias, or group
+ name in your authorization rules to declare the permissions
+ granted to any user who has authenticated with any username at
+ all. Similarly employed is the <literal>$anonymous</literal>
+ token, except that it matches everyone who has
+ <emphasis>not</emphasis> authenticated with a username.</para>
+
+ <screen>
+[calendar:/projects/calendar]
+$anonymous = r
+$authenticated = rw
+</screen>
+
+ <para>Finally, another handy bit of access file syntax magic is
+ the use of the tilde (<literal>~</literal>) character as an
+ exclusion marker. In your authorization rules, prefixing a
+ username, alias, group name, or authentication class token with
+ a tilde character will cause Subversion to apply the rule to
+ users who do <emphasis>not</emphasis> match the rule. Though
+ somewhat unnecessarily obfuscated, the following block is
+ equivalent to the one in the previous example:</para>
+
+ <screen>
+[calendar:/projects/calendar]
+~$authenticated = r
+~$anonymous = rw
+</screen>
+
+ <para>A less obvious example might be as follows:</para>
+
+ <screen>
+[groups]
+calc-developers = &harry, &sally, &joe
+calc-owners = &hewlett, &packard
+calc = @calc-developers, @calc-owners
+
+# Any calc participant has read-write access...
+[calc:/projects/calc]
+ at calc = rw
+
+# ...but only allow the owners to make and modify release tags.
+[calc:/projects/calc/tags]
+~@calc-owners = r
+</screen>
+
<!-- TODO(sussman): Once serf becomes officially support, this
sidebar will need to be revisited. -->
<sidebar>
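Review bot: In the "less obvious example", the rule `~@calc-owners = r` under `[calc:/projects/calc/tags]` does more than its comment ("only allow the owners to make and modify release tags") says. By the definition given two paragraphs earlier, the tilde applies the rule to every user who does not match, so this grants read access on the tags path to anyone outside `calc-owners`, including users who are not in `@calc` at all and unauthenticated users, none of whom are given access on `/projects/calc`. The example also has no explanatory paragraph after it, so the reader has to infer that the owners keep `rw` on the tags path only because no rule in that section matches them. I would add a short paragraph after the screen spelling out both effects, or change the example so that it does not widen read access beyond the `@calc` group. Separately, the rule line under `[calc:/projects/calc]` appears here as ` at calc = rw`; it needs to read `@calc = rw` to reference the group defined in `[groups]`.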