Labeling and Security Subversion

I installed the SVN repository from scratch and I have successfully tagged some of my releases using the SVN copy command.

I used the SSPI auth plugin for apache, so our developers just hit the server with their network credentials, and everything works fine.

I created an AuthZ authorization file, added our developers to the groups in the file, and gave them write access to the root. I also gave anonymous users read-only root access.

Then I locked the /svn/ directory with: Require-group "CORP\CKAN0BlahBlah"

This effectively restricts new developers in the security group to read-only access until access is granted through the AuthZ configuration file.

Now I have a few questions:

  • What is the correct way (other than the honor system) to prevent users from making changes to any of the "tag" directories?

  • Is it possible to use SSPI to traverse group members in AuthZ, instead of listing the members individually in the configuration file?

+3
5 answers

For Question No. 1, I developed for this:

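@echo off
rem Pre-commit hook arguments: %1 = repository path, %2 = transaction name
SET SVNLOOK=C:\Program Files\CollabNet Subversion Server\svnlook.exe
SET GREP=D:\SVN\Repo\hooks\grep.exe
SET LOG=D:\SVN\Repo Logs.txt

rem Append the paths changed in this transaction to the log file
>>"%LOG%" echo ==== commit %1 %2 ====
>>"%LOG%" "%svnlook%" changed -t %2 %1

rem Reject the commit if it updates (status U) a path under a tags directory
("%svnlook%" changed -t %2 %1 | "%grep%" "^U.*/tags/") && (echo Cannot commit to tags.>&2 && exit 1)
rem Reject the commit if the log message contains no letters or digits
("%svnlook%" log -t %2 %1 | "%grep%" "[a-zA-Z0-9]") || (echo You must specify a comment.>&2 && exit 1)

exit 0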

Grabbed the grep tool from http://sourceforge.net/projects/unxutils


For Question No. 2, the answer is NO, you cannot check the AD security groups in the AuthZ configuration file.

Thanks for all your help, everyone.

+3
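
An added example, not code from any of the posters: a pre-commit check in Python that parses `svnlook changed` output and also covers deletions, property changes and additions inside an existing tag, going beyond the `U` updates matched by the hook above. The policy (only creation of a new tag directory is allowed), the helper names `tag_relative` and `tag_violations`, the sample input and `svnlook` being on the PATH are assumptions.

```python
import subprocess
import sys

# Constructed sample of `svnlook changed` output (not from a real repository).
SAMPLE_CHANGED = """\
A   tags/2.0/
U   trunk/src/main.c
U   tags/1.0/src/main.c
_U  tags/1.0/
D   tags/0.9/
A   tags/1.0/hotfix.txt
"""


def tag_relative(path):
    """Return the part of path below the first tags directory, or None."""
    parts = path.split("/")
    if "tags" not in parts[:-1]:
        return None  # path does not pass through a directory named tags
    return "/".join(parts[parts.index("tags") + 1:])


def tag_violations(changed_output):
    """Return (status, path) pairs that alter an existing tag."""
    violations = []
    for line in changed_output.splitlines():
        # Each line: two-character status (A, D, U, _U, UU), two spaces, path.
        status, path = line[:2].strip(), line[4:]
        below = tag_relative(path)
        if below is None:
            continue  # outside tags/: not this hook's concern
        # Assumed policy: the only permitted change is adding the tags directory
        # itself or one new directory directly beneath it (an `svn copy` tag).
        new_tag = below == "" or (below.endswith("/") and below.count("/") == 1)
        if not (status == "A" and new_tag):
            violations.append((status, path))
    return violations


if __name__ == "__main__":
    # Subversion passes the repository path and the transaction name.
    repo, txn = sys.argv[1], sys.argv[2]
    # Assumes svnlook is on the PATH of the account running the server.
    out = subprocess.run(["svnlook", "changed", "-t", txn, repo],
                         capture_output=True, text=True, check=True).stdout
    bad = tag_violations(out)
    for status, path in bad:
        print(f"Cannot commit to tags: {status} {path}", file=sys.stderr)
    sys.exit(1 if bad else 0)
```

On Windows the hook file must be a .bat or .exe, so a one-line pre-commit.bat would pass its two arguments to this script.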

1 - pre-commit , . SVN .

: Windows, :

pre-commit.bat hooks :

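@echo off
rem Pre-commit hook arguments: %1 = repository path, %2 = transaction name
set REPOSITORY=%1
set TXN=%2
rem Search the paths changed in the transaction, not the repository path itself
rem (assumes svnlook.exe is on the PATH of the account running the server)
svnlook changed -t %TXN% %REPOSITORY% | find /I "tags"
if errorlevel 1 goto done
echo You tried to commit to %REPOSITORY% >&2
echo Committing to tags is not allowed >&2
exit 1
:done
rem No changed path mentions tags: allow the commit
exit 0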


+6

"" . - , . , Subversion. . .

+2

, . SVN, , , () . , , - . ( , MediaWiki). -, , , - Microsoft Office sharepoint.

+1

svn-auth ? :

[groups]
ADMINS=<your ID>
<rest of groups>=<all other IDs>

[/]
* = r
<rest of groups> = rw
@ADMINS = rw

[/tags]
<rest of groups> = r

This will allow ADMINS read and write access to the tag directory, but no one else. I do not know the SSPI auth plugin, so maybe my provided example does not work in your context.

0

Source: https://habr.com/ru/post/1708679/

