Path-Based Authorization for files
Thorsten Schöning
tschoening at am-soft.de
Fri Sep 30 02:27:49 CDT 2011
Hello,
recently there was a posting on users at subversion.apache.org where one
states that path-based authorization is able to restrict access on
files. In the appropriate section of your book only directories are
mentioned, and as this is a common reference, I would appreciate it if
you're able to add a paragraph just mentioning that everything works
with files, too, as they are only paths like directories. I attached
a very small patch which I find would be enough for me as a notice.
http://svn.haxx.se/users/archive-2011-09/0366.shtml
Index: ch06-server-configuration.xml
===================================================================
--- ch06-server-configuration.xml (Revision 4098)
+++ ch06-server-configuration.xml (Arbeitskopie)
@@ -552,7 +552,7 @@
<screen>
$ svnserve -i
( success ( 2 2 ( ) ( edit-pipeline svndiff1 absent-entries commit-revprops d\
-epth log-revprops atomic-revprops partial-replay ) ) )
+epth log-revprops atomic-revprops partial-replay ) ) )
</screen>
</informalexample>
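Review bot: this hunk changes only whitespace on the `-epth log-revprops atomic-revprops partial-replay ) ) )` line inside the `<screen>` block (the `-` and `+` lines are otherwise identical), which has nothing to do with the path-based authorization paragraph this patch is meant to add. The same whitespace-only churn makes up the hunks at -1539, -1565, -1918, -1929, -1982, -2021, -2643, -2671, -2689, -3208 and -3734; dropping them, or sending them as a separate cleanup, would leave a two-hunk patch (-3293 and -3673) that shows the substantive change clearly and is easy to review.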
@@ -1539,7 +1539,7 @@
<para>This example allows both Harry and Sally to connect to
the same account via public key authentication. Each of
them has a custom command that will be executed;
- the <option>--tunnel-user</option> option
+ the <option>--tunnel-user</option> option
tells <command>svnserve</command> to assume that the named
argument is the authenticated user. Without
<option>--tunnel-user</option>, it would appear as though
@@ -1565,7 +1565,7 @@
</informalexample>
<para>Note that this all must be on one line—truly on
- one line—since SSH <filename>authorized_keys</filename>
+ one line—since SSH <filename>authorized_keys</filename>
files do not even allow the conventional backslash character
(<literal>\</literal>) for line continuation. The only
reason we've shown it with a line break is to fit it on
@@ -1918,7 +1918,7 @@
<ulink url="http://httpd.apache.org/docs/current/programs/htpasswd.html"
/>.</para></footnote> for managing files containing
usernames and passwords.</para>
-
+
<warning>
<para>Basic authentication is <emphasis>extremely</emphasis>
insecure, because it sends passwords over the network
@@ -1929,7 +1929,7 @@
<para>First, create a password file and grant access to
users Harry and Sally:</para>
-
+
<informalexample>
<screen>
$ ### First time: use -c to create the file
@@ -1982,7 +1982,7 @@
location of the password file to use.</para>
</listitem>
</itemizedlist>
-
+
<para>However, this <literal><Location></literal> block
doesn't yet do anything useful. It merely tells Apache that
<emphasis>if</emphasis> authorization were required, it
@@ -2021,7 +2021,7 @@
<!-- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -->
<sect3 id="svn.serverconfig.httpd.authn.digest">
<title>Digest authentication</title>
-
+
<para>Digest authentication is an improvement on Basic
authentication which allows the server to verify a client's
identity without sending the password over the network
@@ -2643,7 +2643,7 @@
http://host.example.com/repos/project/trunk/README.txt?r=1234
</programlisting>
</informalexample>
-
+
<para>What if the thing you're trying to view no longer exists
in the youngest revision of the repository? That's where a
peg revision is handy:</para>
@@ -2671,7 +2671,7 @@
detailed explanation of these <quote>peg revision</quote>
and <quote>operative revision</quote> concepts. They can
be a bit tricky to wrap your head around.</para>
-
+
<para>As a reminder, this feature
of <command>mod_dav_svn</command> offers only a limited
repository browsing experience. You can see directory
@@ -2689,7 +2689,7 @@
a much wider set of features, including the display of the
aforementioned property sets, display of content
differences between file revisions, and so on.</para>
-
+
</sect4>
<sect4 id="svn.serverconfig.httpd.extra.browsing.mimetype">
@@ -3208,7 +3208,7 @@
Subversion <literal><Location></literal> block with
the <literal>SVNAdvertiseV2Protocol Off</literal>
directive.</para>
-
+
<tip>
<para>For the best results possible, try to run the same
version of Subversion on your master and slave
@@ -3293,7 +3293,8 @@
One set of users may have permission to write to a certain
directory in the repository, but not others; another directory
might not even be readable by all but a few special
- people.</para>
+ people. As files are paths, too, it's even possible to restrict
+ access on a per file basis.</para>
<para>Both servers use a common file format to describe these
path-based access rules. In the case of Apache, one needs to
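Review bot: the added sentence "it's even possible to restrict access on a per file basis" should read "restrict access to ..." and hyphenate the compound modifier ("on a per-file basis"); a shorter variant such as "it's even possible to restrict access to a single file" also fits the sentence before it, which already speaks of permission to write to a directory. The claim itself is correct for both servers, since the authz rules match paths and a file path is matched no differently from a directory path.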
@@ -3673,6 +3674,20 @@
</programlisting>
</informalexample>
+ <para>All of the above examples use directories, because defining
+ access rules on them is the most common case. But as files are
+ paths just like directories, Subversion is similarly able to
+ restrict access on them.
+ </para>
+
+ <informalexample>
+ <programlisting>
+[calendar:/projects/calendar/manager.ics]
+harry = rw
+sally = r
+</programlisting>
+ </informalexample>
+
<!-- ### FIXME: This is very Neon-specific. -->
<sidebar>
<title>Partial Readability and Checkouts</title>
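Review bot: the new paragraph says "restrict access on them" where "restrict access to them" is meant, and its `</para>` sits on its own line, unlike the other paragraphs in this file which close on the same line as the text. The example `[calendar:/projects/calendar/manager.ics]` with `harry = rw` / `sally = r` follows the same `[repos:/path]` section form as the preceding examples, which is good, but the paragraph should say what the rule does, namely that Harry may read and write `manager.ics` while Sally may only read it, so the reader can check the file case against the directory examples above. Since the "Partial Readability and Checkouts" sidebar follows directly, one sentence noting that an unreadable file affects checkouts in the same way as an unreadable directory would tie the new text into the existing discussion.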
@@ -3734,7 +3749,7 @@
configuration mechanisms—see
<xref linkend="svn.serverconfig.httpd.extra.logging"/> for
details.</para>
-
+
<para>The following is a list of Subversion action log messages
produced by its high-level logging mechanism, followed by one or
more examples of the log message as it appears in the log
Kind regards,
Thorsten Schöning
--
Thorsten Schöning
AM-SoFT IT-Systeme - Hameln | Potsdam | Leipzig
Phone: Potsdam: 0331-743881-0
E-Mail: tschoening at am-soft.de
Web: http://www.am-soft.de
AM-SoFT GmbH IT-Systeme, Konsumhof 1-5, 14482 Potsdam
Potsdam District Court HRB 21278 P, Managing Director: Andreas Muchow
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ch06-server-configuration.xml.diff
Type: application/octet-stream
Size: 5794 bytes
Desc: not available
URL: <http://www.red-bean.com/pipermail/svnbook-dev/attachments/20110930/ddaca339/attachment.obj>