Subversion Permission Control

Table of contents
  • 1. Authentication and authorization
  • 2. Configuration files under svnserve
  • 3. svnserve-based repository file layout
  • 4. Test user and group description

Before reading this article, make sure that you know the basics of Subversion server management: configuring svnserve or Apache, and setting up users and passwords. For svnserve configuration, see our Subversion quick start tutorial; for Apache, see "Build a secure version control environment using Apache and Subversion". For details, refer to "Use Subversion for version control".

As a configuration administrator, you need to manage user permissions. This article mainly introduces the use of Subversion's authorization file, "authz-db". Before going into it, I will first clarify some concepts.

1. Authentication and authorization

These two terms are often used together. Authentication means identifying the user; the most common method is a user name and password. Authorization means determining whether the user has permission to perform a certain operation. Subversion provides the "authz-db" file to implement path-based authorization, that is, to determine whether the user has permission to operate on a given path. After Subversion 1.3, both svnserve and Apache can use the "authz-db" file.

2. Configuration files under svnserve

Because this article uses svnserve as an example, we first introduce the structure of the repository directory:

D:/svnroot/project1
├── conf
├── dav
├── db
│   ├── revprops
│   ├── revs
│   └── transactions
├── hooks
└── locks

conf contains three files:

authz
passwd
svnserve.conf

"svnserve.conf" is the configuration file of this repository. When svnserve is used, this file determines which authentication and authorization files are used:

password-db = passwd
authz-db = authz

The configuration above uses the passwd and authz files in the same directory as "svnserve.conf". password-db specifies the user password file, and authz-db specifies the authorization file, which is the file this article introduces.

Note: When Apache is used as the server, it does not read the "svnserve.conf" file; the Apache configuration is used instead.

3. svnserve-based repository file layout

When using svnserve, it is convenient to manage all repositories with the same authentication and authorization files, so the svnserve.conf of every repository should point to the same password-db and authz-db files. The following is a directory holding multiple repositories:

D:/svnroot
├── project1
│   ├── conf
│   ├── dav
│   ├── db
│   │   ├── revprops
│   │   ├── revs
│   │   └── transactions
│   ├── hooks
│   └── locks
└── project2
    ├── conf
    ├── dav
    ├── db
    │   ├── revprops
    │   ├── revs
    │   └── transactions
    ├── hooks
    └── locks

D:/svnroot has two directories, project1 and project2, and a repository has been created in each. We therefore modify the svnserve.conf in each conf directory to point to the same password-db and authz-db files:

password-db = ../../passwd
authz-db = ../../authz

In this way, D:/svnroot/passwd and D:/svnroot/authz control svnserve access to all repositories. In addition, to disable anonymous access for the operations that follow, remove the "#" before "anon-access = none" so that only authenticated users can access the service.

Note: Pay attention to the "realm" value of svnserve as well. With the settings above, make sure that all repositories use the same realm value, so that the cached password can be shared among the repositories. For more details, see Client Credential Cache.

4. Test user and group description

The repositories prohibit access by anonymous users and are available only to authenticated users.

root: the configuration administrator, with full management permissions on the repositories.

p1_admin1: the administrator of project1, with full permissions on project1.
p1_d1: the developer of project1, with full permissions on the trunk of project1 but no permissions on the /trunk/admin directory.
p1_t1: the tester of project1, with full read permission on the trunk of project1 but no permissions on the /trunk/admin directory.

p2_admin1: the administrator of project2, with full permissions on project2.
p2_d1: the developer of project2, with full permissions on the trunk of project2 but no permissions on the /trunk/admin directory.
p2_t1: the tester of project2, with full read permission on the trunk of project2 but no permissions on the /trunk/admin directory.

Groups and their members:
p1_group_a: p1_admin1
p1_group_d: p1_d1
p1_group_t: p1_t1
p2_group_a: p2_admin1
p2_group_d: p2_d1
p2_group_t: p2_t1

5. Modify the D:/svnroot/passwd file

As mentioned above, the user and password file is D:/svnroot/passwd, so we set up each user there. The file content is as follows:

[users]
p1_admin1 = p1_admin1
p1_d1 = p1_d1
p1_t1 = p1_t1

p2_admin1 = p2_admin1
p2_d1 = p2_d1
p2_t1 = p2_t1

To make verification easier, every password is the same as its user name. If you are using another authentication method, this step may be different, but the user names should be the same.

6. Configure authorization: modify D:/svnroot/authz

[groups]
# Define group information

p1_group_a = p1_admin1
p1_group_d = p1_d1
p1_group_t = p1_t1

p2_group_a = p2_admin1
p2_group_d = p2_d1
p2_group_t = p2_t1

[/]
# By default all repositories are read-only; root can read and write.
* = r
root = rw

[project1:/]
# Permissions for the root directory of repository project1
@p1_group_a = rw
@p1_group_d = rw
@p1_group_t = r

[project1:/trunk/admin]
# Permissions for the /trunk/admin directory of repository project1:
# p1_group_a can read and write; p1_group_d and p1_group_t have no permissions.
@p1_group_a = rw
@p1_group_d =
@p1_group_t =

[project2:/]
# Permissions for the root directory of repository project2
@p2_group_a = rw
@p2_group_d = rw
@p2_group_t = r

[project2:/trunk/admin]
# Permissions for the /trunk/admin directory of repository project2
@p2_group_a = rw
@p2_group_d =
@p2_group_t =

With the settings above, you will notice something interesting. When the user "p1_d1" checks out the trunk of project1, the directory is empty, as if the admin directory did not exist at all. When the p1_d1 user browses the repository, the admin directory is displayed, but its contents cannot be seen.
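As an added example (not part of the original article and not Subversion's own code), the Python sketch below resolves the project1 rules from the authz file above so the effective access of each test user can be checked before deployment. It assumes a simplified lookup model: the most specific path is tried first, the repository-specific section before the global one at each level, and the rights of all matching lines in a section are combined; `load` and `access` are hypothetical helper names.

```python
# Added example: simplified model of path-based authz lookup (an assumption,
# not Subversion's implementation).
import configparser

# The project1 part of this article's authz file, embedded as sample input.
AUTHZ = """
[groups]
p1_group_a = p1_admin1
p1_group_d = p1_d1
p1_group_t = p1_t1
p2_group_d = p2_d1
[/]
* = r
root = rw
[project1:/]
@p1_group_a = rw
@p1_group_d = rw
@p1_group_t = r
[project1:/trunk/admin]
@p1_group_a = rw
@p1_group_d =
@p1_group_t =
"""

def load(text):
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep user and group names exactly as written
    cp.read_string(text)
    return cp

def access(cp, user, repo, path):
    """Return 'rw', 'r' or '' (no access) for user on repo:path."""
    groups = {g: {u.strip() for u in m.split(",")} for g, m in cp.items("groups")}
    parts = [p for p in path.split("/") if p]
    while True:
        cur = "/" + "/".join(parts)
        for section in (f"{repo}:{cur}", cur):  # repository-specific section first
            if not cp.has_section(section):
                continue
            hits = [v for k, v in cp.items(section)
                    if k in ("*", user) or (k[:1] == "@" and user in groups.get(k[1:], ()))]
            if hits:  # this section decides; an empty value grants nothing
                rights = "".join(hits)
                return ("r" if "r" in rights else "") + ("w" if "w" in rights else "")
        if not parts:
            return ""  # nothing matched up to the root: no access
        parts.pop()  # fall back to the parent directory
```

Under this model p2_d1 resolves to `r` on project1:/trunk/admin through `* = r` in `[/]`, because the empty entries in the admin section cover only p1_group_d and p1_group_t. Adding `* =` to that section closes the fall-through, after which root needs its own line there.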

Directory names in Chinese are not a problem; just make sure the authz file is saved in UTF-8 format. In my UltraEdit on Windows XP, the file format is displayed as U8-DOS. To convert the file, open the authz file in UltraEdit, select File -> Convert -> ASCII to UTF-8, and then save.

Permissions can be even more complex than this. In actual work, plan the permissions first and grant users only the minimum permissions they need, so that even the most complex permission control is implemented with the minimum configuration.

This article is from: http://www.subversion.org.cn/index.php?option=com_content&task=view&id=84&Itemid=9
