mod_dav_svn + automatic per-directory user authorization

2011-02-12 Thread m irya
The problem:
1) there's a directory on the server containing multiple svn
repository roots, say /var/svn, with /var/svn/a, /var/svn/b, etc.
being repository roots
2) these repositories are accessed via HTTP, handled by Apache2 + mod_dav_svn
3) there's a MySQL user-password database we need to use to
authenticate access to those repositories
4) and finally the problematic part itself: the repository
/var/svn/$username must be accessible (both read and write) only to
those who authenticated themselves as "$username" with a valid
password from the MySQL database

Currently I'm stuck with two solutions (both incomplete) from tons of
manuals and how-tos:
a) AuthzSVNAccessFile could be a key to such an automatic repository
-> user binding, but updating the access rights file on changes to the
MySQL database doesn't look elegant at all, and will probably become a
bottleneck with a growing user database
b) mod_auth_mysql (whichever one) makes it possible to transparently
use the user database in the Apache config, but I'm still unable to find
a way to automatically Require user $username for a given repository
/var/svn/$username.

Please reply if you have experience with such a configuration;
any ideas/thoughts are welcome.


Re: mod_dav_svn + automatic per-directory user authorization

2011-02-12 Thread m irya
Yep, I could manage to get such a configuration working, but here's where it
comes to the real difference with your setup: we need to manage a huge
and frequently changing user database, with each user having a small
repository.

>
> Here's the big caveat:  whenever a repository is added or removed (in your
> case, every time a user is added or removed), httpd must be restarted
> because a  entry must be added or removed.

And that's what I'm trying to solve: the user database is not so tiny, so
1) we can't afford restarting httpd on every user added or removed
2) we can't afford duplicating the rules in the authz svn access file; I
guess it may be handled inefficiently when it contains too many
records (at least much less efficiently than just requesting the
authorization from MySQL).

I'll try to describe it the other way, one abstraction level higher:
1) the user goes to http://somehost/repo/$something
2) authenticates him/herself as $username:$password (suppose Basic
auth; I'll just switch it to https later)
3) Apache checks the credentials against the MySQL database (mod_auth_mysql?)
4) if everything is ok, the user gets WebDAV access to
/var/repo/$username/$something (regardless of the method, read or
write)

The database may change frequently; adding a user will mean
`svnadmin create /var/repo/$username`, removing one will mean `rm -rf
/var/repo/$username`, but I'd prefer that nothing is done beyond that,
especially no httpd configuration changes and restart: all information
is stored in the DB and nothing else should need to be changed.


Re: mod_dav_svn + automatic per-directory user authorization

2011-02-16 Thread m irya
>
> This might be exactly what's needed if you're, say, teaching a programming
> class where you want students to learn to use Subversion for version control
> of their projects.  You don't want students to be able to mess with each
> others' code, and you probably don't want to retain their data forever once
> the class is over.
> I don't know if that's the original poster's situation, but that's what it
> immediately reminded me of.
>

Thanks for a great example. My situation is actually quite similar to what you
describe, but consider _lots_ of students. This can also be
compared to a project hosting service with multiple projects
hosted (and a repository for each), and multiple users accessing each
project repository. I believe multiple separate repositories work much
faster in this case than a single one; also there's absolutely no need
for a single version set: every student or project _must_ know
nothing about the others.

The only problem, as I wrote before, is automatic authorization: the
user A with the password B tries to access the repository C, and the
information on whether or not A is allowed to access C (and whether A's
password is valid) is stored in MySQL due to the size of the user
database and because of interoperability with other subsystems like
external user management. I need to implement such authorization with
as little coding as possible, optimally simply by using standard
httpd/mod_dav_svn configuration options, or semi-standard extra
modules and probably simple scripts.
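As an added example (not code from the thread), the authorization rule described in step 4 of the earlier post and restated here (user A may read or write only the repository named A) written as a small Python check that a script-based authorizer could call after Apache has authenticated the user. The `/repo/` URL prefix and the WSGI-style `REMOTE_USER` / `REQUEST_URI` environ keys are assumptions; the point is that the repository name must be taken from the decoded, normalised path, so a URI such as `/repo/alice/../bob` is judged as `bob`, not `alice`.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# URL prefix under which /var/repo/$username is served; an assumption, not from the thread.
REPO_PREFIX = "/repo/"


def repo_for_uri(uri: str) -> Optional[str]:
    """Return the repository name addressed by a request URI, or None.

    The path is percent-decoded and normalised before its first segment is
    taken, so /repo/alice/../bob and /repo/alice%2F..%2Fbob both resolve to
    'bob' instead of passing as 'alice' with a suspicious suffix.
    """
    path = unquote(uri.split("?", 1)[0])
    if "\x00" in path or not path.startswith("/"):
        return None
    path = posixpath.normpath(path)      # collapses '.', '..' and repeated slashes
    if not path.startswith(REPO_PREFIX):
        return None
    name = path[len(REPO_PREFIX):].split("/", 1)[0]
    return name or None


def authorize(remote_user: Optional[str], uri: str) -> bool:
    """Step 4 of the thread: user A may read or write only /repo/A/...

    The comparison is exact and case-sensitive, matching the directory
    name that `svnadmin create /var/repo/$username` produced.
    """
    if not remote_user or "/" in remote_user:
        return False
    return repo_for_uri(uri) == remote_user


def decide(environ: dict) -> bool:
    """Adapter for a WSGI-style environ (assumed keys REMOTE_USER and REQUEST_URI)."""
    return authorize(environ.get("REMOTE_USER"), environ.get("REQUEST_URI", ""))


if __name__ == "__main__":
    # Constructed sample requests, all already authenticated by Apache as 'alice'.
    for uri in ("/repo/alice/trunk/main.c", "/repo/alice/../bob/trunk",
                "/repo/alice%2F..%2Fbob", "/repo/bob", "/repo/"):
        verdict = "allow" if decide({"REMOTE_USER": "alice", "REQUEST_URI": uri}) else "deny"
        print(f"{uri!r:32} -> {verdict}")
```

Only the first of the sample requests is allowed; the password check itself stays with Apache and MySQL, this function only answers the A-may-access-C question once REMOTE_USER is set.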