svn.accessfile difficulties

We host an SVN repository for multiple projects and business files on Apache. It is accessed by several programmers, and some project folders are also accessed by clients. An example layout is:

svn/ourcompany/business
svn/ourcompany/projects
svn/ourcompany/projects/proj1
svn/ourcompany/projects/proj2
svn/ourcompany/projects/proj3

Previously our svn.accessfile looked as follows:

[groups] 
admin = jd 
programmer = jd,pr1,pr2

[ourcompany:/]
@admin = rw

[ourcompany:/business]
@admin = rw

[ourcompany:/projects]
@admin = rw
@programmer = rw

[ourcompany:/projects/proj1]
client1a = rw
client1b = rw
webclient = rw

Today we found that this setup causes a 403 error for webclient1 on ourcompany:/projects/proj1.

After some research, a contractor suggested changing it to the following:

[groups] 
admin = jd 
programmer = jd,pr1,pr2

[ourcompany:/]
* = r
@admin = rw

[ourcompany:/business]
* =
@admin = rw

[ourcompany:/projects]
@admin = rw
@programmer = rw

[ourcompany:/projects/proj1]
client1a = rw
client1b = rw
webclient = rw

But that now means I need to add

* =

to every single project in the projects folder?

Can someone advise on how permissions in svn.accessfile work in the folder hierarchy?

Apache virtual host below:

    <VirtualHost ipadress:80>

            ServerName subversion.ourcompany.com
            ServerAdmin webmaster@ourcompany.com
            DocumentRoot /var/www/subversion.ourcompany.com
            DavLockDB /var/lock/apache2/DavLock 

            <Location /svn>
                    DAV svn
                    SVNParentPath /var/svn
                    SVNListParentPath on
                    SVNAutoversioning on
                    SVNIndexXSLT "/repos-web/view/repos.xsl"
                    #ModMimeUsePathInfo on
                    AuthzSVNAccessFile /etc/apache2/svn.accessfile
                    AuthType Basic
                    AuthName "SVN"
                    AuthUserFile /etc/apache2/svn.passwd
                    Require valid-user

                    # compress as much as possible
                    SetOutputFilter DEFLATE
                    SetInputFilter DEFLATE
                    # Don't compress images
                    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
            </Location>

            <IfModule mpm_itk_module>
                    AssignUserId www-data www-data
            </IfModule>

            DeflateFilterNote Input instream
            DeflateFilterNote Output outstream
            DeflateFilterNote Ratio ratio

            LogFormat '"%r" %{outstream}n/%{instream}n (%{ratio}n%%) %s' deflate
            CustomLog /var/log/apache2/svn-deflate.log deflate
            CustomLog /var/log/apache2/svn-access.log "%t %u %{SVN-ACTION}e" env=SVN-ACTION
            ErrorLog /var/log/apache2/svn-error.log


    </VirtualHost>

What we want to achieve:

webclient should have access to ourcompany:/projects/proj1 only and no read access to ourcompany:/projects. The latter could be achieved by putting a `* =` into each subfolder of ourcompany:/projects, but that is not practicable.

Answers


I would like to give the following advice first:

  • Try to define groups and use only groups in the rules of your access file. This makes it easier to change things later and to understand what the rules are.
  • Use group names that denote what the semantics of the group are. This makes the rules easier to understand as well.
  • Try to give every user only one group, so it is easier to understand what the role (and the access rights) of that user are.

I would change / add some parts, so that the complete resulting file is:

[groups] 
admin = jd 
programmer = jd,pr1,pr2
gr_client1 = client1a,client1b,webclient1

[ourcompany:/]
* = 
@programmer = r
@gr_client1 =
@admin = rw

[ourcompany:/projects]
@programmer = rw

[ourcompany:/projects/proj1]
@gr_client1 = rw

This expresses the following:

  • You have three groups of users: admins, programmers and clients of individual projects (here in the example gr_client1).
  • The overall access rights say that admins may read and write everything. You don't have to repeat that rule in the subdirectories, it is inherited automatically.
  • The programmers may read anything, and additionally have write access in all projects.
  • The clients may only access their individual directory, and may read and write there.

So as a result, for each new project you add one client group, put the users in it, and add one rule for that individual project only.

PS: In your question webclient1 is used, but in the files you give, it is only webclient. Which one do you want to have?
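To make the inheritance rules the question asks about concrete, here is an added example (not part of the question, the answer, or Subversion itself): a small Python evaluator for the authz file format, run against the three access files quoted on this page. It models the rules the way mod_authz_svn applies them for the cases these files exercise: the most specific path section that contains a rule matching the user decides; a matching rule that grants nothing (such as `* =`) still decides and so stops inheritance from the parent; the rights of several matching rules in one section are combined; a `[repo:/path]` section is consulted before an unqualified `[/path]` one; and a user matched by no rule anywhere gets nothing. Aliases, `$authenticated`/`$anonymous`, `~` negated rules and the 1.10 wildcard syntax are deliberately not modelled. The three files are copied from the page with blank lines removed (the contractor's file is derived from the original by inserting its two `*` lines), and the user and path names are the ones from the page.

```python
# Added example; not from the question, the answer, or Subversion itself.
# A small evaluator for the svn authz format, used to compare the page's files.
import configparser, textwrap

# The asker's original file, with blank lines and trailing spaces dropped.
ORIGINAL = textwrap.dedent("""\
    [groups]
    admin = jd
    programmer = jd,pr1,pr2
    [ourcompany:/]
    @admin = rw
    [ourcompany:/business]
    @admin = rw
    [ourcompany:/projects]
    @admin = rw
    @programmer = rw
    [ourcompany:/projects/proj1]
    client1a = rw
    client1b = rw
    webclient = rw
""")

# The contractor's variant differs only by two `*` lines.
CONTRACTOR = (ORIGINAL
              .replace("[ourcompany:/]\n", "[ourcompany:/]\n* = r\n")
              .replace("[ourcompany:/business]\n", "[ourcompany:/business]\n* =\n"))

# The file proposed in the answer.
ANSWER = textwrap.dedent("""\
    [groups]
    admin = jd
    programmer = jd,pr1,pr2
    gr_client1 = client1a,client1b,webclient1
    [ourcompany:/]
    * =
    @programmer = r
    @gr_client1 =
    @admin = rw
    [ourcompany:/projects]
    @programmer = rw
    [ourcompany:/projects/proj1]
    @gr_client1 = rw
""")

def parse_authz(text):
    """Read an authz file; the format is INI-like, so configparser suffices."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   empty_lines_in_values=False)
    cp.optionxform = str  # keep user and group names case-sensitive
    cp.read_string(text)
    return cp

def members(cp, group, seen=frozenset()):
    """Expand a [groups] entry, following nested @group references."""
    if group in seen or not cp.has_option("groups", group):
        return set()
    out = set()
    for tok in (t.strip() for t in cp.get("groups", group).split(",")):
        if tok.startswith("@"):
            out |= members(cp, tok[1:], seen | {group})
        elif tok:
            out.add(tok)
    return out

def section_rights(cp, section, user):
    """Rights one section grants `user`, or None if no rule there matches;
    an empty value such as `* =` still matches and so blocks inheritance."""
    if not cp.has_section(section):
        return None
    rights, matched = set(), False
    for rule, value in cp.items(section):
        if (rule == "*" or rule == user
                or (rule.startswith("@") and user in members(cp, rule[1:]))):
            matched = True
            rights |= set(value.replace(" ", ""))
    return "".join(c for c in "rw" if c in rights) if matched else None

def access(cp, repo, path, user):
    """'' / 'r' / 'rw': walk up to '/', first section with a matching rule decides."""
    path = "/" + path.strip("/")
    while True:
        for section in (f"{repo}:{path}", path):  # repo-qualified section first
            rights = section_rights(cp, section, user)
            if rights is not None:
                return rights
        if path == "/":
            return ""  # no rule matched anywhere: default deny
        path = path.rsplit("/", 1)[0] or "/"

if __name__ == "__main__":
    users = ["jd", "pr1", "webclient", "webclient1"]
    paths = ["/", "/business", "/projects", "/projects/proj1", "/projects/proj2"]
    for label, cfg in ("original", ORIGINAL), ("contractor", CONTRACTOR), ("answer", ANSWER):
        print(f"--- {label}")
        cp = parse_authz(cfg)
        for u in users:
            print("  " + u.ljust(11) + "  ".join(
                f"{p}={access(cp, 'ourcompany', p, u) or '-'}" for p in paths))
```

Running it prints the access matrix for each file. Rows worth comparing with the question: in the original file `webclient` has `rw` on `/projects/proj1` and nothing on `/projects` or `/projects/proj2`, which is already the requested behaviour, while `webclient1` matches no rule anywhere. In the contractor's file `webclient` gains read access to `/projects/proj2` through the inherited `* = r`, which is exactly why every project would then need its own `* =`. The answer's file puts the `* =` once at the root, so `webclient1` sees only `/projects/proj1`; note that its `@programmer = r` at the root also lets `pr1` read `/business`, which the original file did not allow, so adjust the root section if that is not intended. None of this requires read access on `/projects` for checking out the proj1 URL directly; only listing the parent is refused.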
