RE: Check Path based authorization

[Stuempfig, Thomas]

Hi Pavel,

thank you very much for your help. Your solution works.
This makes real value for of VisualSVN here.

Regards
Thomas

From: Pavel Lyalyakin [mailto:pavel.lyalya...@visualsvn.com]
Sent: Mittwoch, 12. Dezember 2018 20:38
To: Stuempfig, Thomas (DF PL S&SE DE PSM EAI) 
Subject: Check Path based authorization

Hello Thomas,

On Wednesday, December 12, 2018, Stuempfig, Thomas 
mailto:thomas.stuemp...@siemens.com>> wrote:
> Hi Pavel,
> i am impressed by the speed of your answer.

We value any feedback on our products, Subversion and version control in 
general. Therefore, we regularly monitor social media, forums and mailing 
lists. Feel free to share any other feedback or requests and we will examine 
them too.

> here is the content of the VisualSVN-WinAuthz.ini as a mini example user_a, 
> and user_b are members of Group_A. user_a and user_b can access the repo... 
> but I do not have a chance to verify it upfront with a tool... as admin 
> svnauthz is "rw" for Group_A and user_a but "no" for user_b
>
> [/]
> S-1-5-21-954228201-601818101-482762101-101590=rw  (Group_A)
> S-1-5-21-954228201-601818101-482762101-5978=rw (user_a)
>
> the real one is much larger. The repos vary from 1-10years of history from 
> 5000 files and folders to 8 Million files and Folders
> We have ~15000 potential read users and 500 committers. (We are a small part 
> of Siemens)
> Consider different path / group / user-group memberships...
>
>
> And I need a solution to this one

Please, see the attached PowerShell script that essentially loads a new cmdlet 
in addition to those available in current VisualSVN Server versions. The cmdlet 
returns effective access of a user account for a given repository path. We 
think that this is exactly what you are looking for. :)

DISCLAIMER: The script is provided without any warranty or support. You can use 
and adjust it on your own risk.

Please, follow these steps to run the script:

  *   Download and rename the attachment to Get-SvnEffectiveAccess.ps1 (i.e. 
remove the trailing underscore character).
  *   Start the PowerShell console that has the VisualSVN Server's PowerShell 
module loaded (this has to happen by default) or via the dedicated PowerShell 
console:

*   Start the VisualSVN Server Manager console.
*   Select Action | All Tasks.
*   Click Start PowerShell.

  *   Load the script to your current PowerShell session with this command 
(note the dot character and replace PATH with an actual path to the script's 
directory):
. PATH\Get-SvnEffectiveAccess.ps1

  *   Run the following command:
Get-SvnEffectiveAccess -Repository MyRepo -Path /branches/MyBranch -AccountName 
DOMAIN\username
The command should return effective access of the DOMAIN\username account for 
the /branches/MyBranch path in the MyRepo repository.

> I envisage a workaround based on the following powershell com
> Get-ADPrincipalGroupMembership -Identity USER | Format-Table -Property 
> SID -AutoSize
> Cycle throug the results and run svnauthz with each resulting line. This 
> should in principle give me some hint about the privilege
> But I don't know if VisualSVN grants widest privilege or first privilege.

VisualSVN Server conforms to main principles of the path-based authorization 
mechanism used in Subversion. Please, see the article KB33: Understanding 
VisualSVN Server authorization.

We will wait for your reply.

> -Original Message-
> From: Pavel Lyalyakin 
> [mailto:pavel.lyalya...@visualsvn.com]
> Sent: Mittwoch, 12. Dezember 2018 11:39
> To: Stuempfig, Thomas (DF PL S&SE DE PSM EAI) 
> mailto:thomas.stuemp...@siemens.com>>
> Cc: br...@apache.org; 
> users@subversion.apache.org
> Subject: Re: Check Path based authorization
>
> Hello Thomas,
>
> On Tue, Dec 11, 2018 at 8:40 PM Stuempfig, Thomas 
> mailto:thomas.stuemp...@siemens.com>> wrote:
>>
>> Hi Brane,
>> well after testing the tool does not actually do what i would like. But it 
>> is giving me a starting point / work around.
>> I tested the tool with Visualsvn Server on windows
>
> VisualSVN Server includes a PowerShell module[1] that provides a set of 
> cmdlets[2] for server and repository administration. You may want to try the 
> `Get-SvnAccessRule`[3] and `Select-SvnAccessRule`[4] cmdlets - I guess that 
> they can partially meet your requirements.
> However, they do not consider AD user's group membership and therefore do not 
> display effective access for a particular user account.
>
> Do I understand you correctly that you want a reporting tool that will 
> display actual effective access for AD user DOMAIN\Username considering his 
> group membership? How complex is the access rule configuration in your 
> repositories? Could you please show us an example (run Get-SvnAccessRule and 
> show us the output)? You can reply me privately or contact 
> 

Re: Old repo backup, checkout current, lost repo, create new repo?

[Tom Browder]

On Mon, Dec 10, 2018 at 23:15 Nico Kadel-Garcia  wrote:
>
> On Mon, Dec 10, 2018 at 9:10 PM Tom Browder  wrote:
> >
> >
> >
> > On Mon, Dec 10, 2018 at 19:45 Nico Kadel-Garcia  wrote:
> >>
> >> On Mon, Dec 10, 2018 at 5:56 AM Tom Browder  wrote:
> >> >
> >> > On Mon, Dec 10, 2018 at 12:10 AM Nico Kadel-Garcia  
> >> > wrote:
> >> > > On Sun, Dec 9, 2018 at 6:31 PM Tom Browder  
> >> > > wrote:
> >> > ...
> >> > > > Given that history will be lost, does anyone see any problems with 
> >> > > > my recovery plan?
> >> > ...
> >> > > If you have working copies and you don't care about history, why are
> >> > > you spending any cycles on doing anything with hotcopy? You've lost
> >> > > history anyway, why keep any of it?
> >> >
> >> > Cycles aren't important, but the size of the data is. Transferring the
> >> > working copy from scratch would take a LONG time, while the bulk of
> >> > the data are already there in the hotcopy.
> >>
> >> Under what possible conditions wound importing a single snapshot of
> >> the current working copy, without history, take more time than working
> >> from a hotcopy to overlay the changes on top of that hotcopy?
> >
> >
> > I don’t know, Nico, I am a real novice at this. Your first answer didn’t 
> > help because I didn’t know the ramifications of what I was trying to do.
> >
> > The original data, from just six months ago, was about 27 Gb, which took a 
> > very long time to upload from my home computer to my remote server.  Since 
> > the only hotcopy, done shortly after the repo was loaded, there has been 
> > very little change, so if I could start with the hotcopy and somehow synch 
> > my working copy without pushing 27 Gb again, life would be better.
>
> ??? An import of the copy of the working data has no history. Is the
> *data* 27 GB, with no .svn content, 27 GB ? What in the devil are you
> putting in source control?
>
> I'm not objecting to your situation, just really confused by the
> content you are dealing with.


Sorry, Nico, I probably didn’t use the correct terms in my problem
description. Basically the subversion repos on my remote server were
current as of about six months ago when they were established there
and a hotcopy was made.

There have been few updates since, so is the hotcopy of value or not,
history wise?

Anyway, my thought was to save some upload and download time if possible.

UPDATE: Problems in svn-repo land

I copied the two hotcopy backups to the original repo locations, and
my local server has found them (I'm using GUI client SmartSVN on
Windows, command line on Linux).

I started to update on one and am getting these messages (which you
warned me about):

  Clean Up: Failed to run the WC DB work queue associated with
'C:\Users\Tom\Documents\0-mydocs-svn', work item 636 (file-install
Personal/TomB/sto/Misc/llftpar2.exe 1 0 1 1) Can't open file
'C:\Users\Tom\Documents\0-mydocs-svn\.svn\pristine\7e\7eddb1479c338c0a0fb4a08e21e2b81a8d6c1b61.
svn-base': The system cannot find the file specified.

FWIW, the repos are on my remote Linux server I have full control
over--running Debian 9.

(Note the working copy is on Windows, and I do not have a wc of it on
my local Linux host.)

Is there anything I can do to fix something like that?  Or do I have
to go through creating new repos and populating them from he original
repo files and dirs?

Thanks so much.

-Tom