mod_dav_svn + automatic per-directory user authorization
The problem: 1) there's a directory on the server containing multiple svn repositories roots, say /var/svn, with /var/svn/a, /var/svn/b, etc. being repository roots 2) these repositories are accessed via HTTP, handled by Apache2 + mod_dav_svn 3) there's a MySQL user-password database we need to use to authenticate access to those repositories 4) at last the problematic place itself: the repository /var/svn/$username must be accessible (both read and write) only to those who authenticated themselves as "$username" with a valid password from the MySQL database Currently i've stuck with two solutions (both incomplete) from tons of manuals and how-tos: a) AuthzSVNAccessFile could be a key to such an automatic repository -> user binding, but updating the access rights file on changes to MySQL database looks no way elegant, and will probably become a bottleneck with growing users database b) mod_auth_mysql (whatever one) makes it possible to transparently use the users database in Apache config, but still I'm unable to find a way to automatically Require user $username for a given repository /var/svn/$username. Please reply, if someone has an experience with such a configuration, any ideas/thoughts are welcome.
Re: mod_dav_svn + automatic per-directory user authorization
Yep, i could manage to get to such configuration, but here's when it comes to the real difference with your setup: we need to manage a huge and frequently changing user database, with each user having a small repository. > > Here's the big caveat: whenever a repository is added or removed (in your > case, every time a user is added or removed), httpd must be restarted > because a entry must be added or removed. And that's what i'm trying to solve: the users database is not so tiny, so 1) we can't afford restarting httpd on every user added or removed 2) we can't afford duplicating the rules in authz svn access file, i guess it may be handled inefficiently when it contains too much records (at least much less efficiently than just requesting the authorization from MySQL). I'll try to describe it the other way, one abstraction level upper: 1) the user goes to http://somehost/repo/$something 2) authenticates him/herself as $username:$password (suppose Basic auth, just will change it to https later) 3) Apache checks the credentials against MySQL database (mod_auth_mysql?) 4) If everything is ok, the user gets a WebDAV access to /var/repo/$username/$something (regardless of the method, read or write) The database may change frequently, adding the user will mean `svnadmin create /var/repo/$username`, removing will mean `rm -rf /var/repo/$username`, but i prefer that nothing is done beyond that, especially no httpd configuration changes and restart, all information is stored in DB and nothing else should be changed.
Re: mod_dav_svn + automatic per-directory user authorization
> > This might be exactly what's needed if you're, say, teaching a programming > class where you want students to learn to use Subversion for version control > of their projects. You don't want students to be able to mess with each > others' code, and you probably don't want to retain their data forever once > the class is over. > I don't know if that's the original poster's situation, but that's what it > immediately reminded me of. > Thanks for a great example. My situation is quite similar to what you describe actually, but consider _lots_ of students. This can be also compared to some projects hosting service with multiple projects hosted (and a repository for each), and multiple users accessing each project repository. I believe multiple separate repositories work much faster in this case than a single one, also there's absolutely no need for a single versions set - every student or project _must_ know nothing about others. The only problem as I wrote before is automatic authorization - the user A with the password B tries to access the repository C, and the information whether or not A is allowed to access C (and whether A's password is valid) is stored in MySQL due to the size of the users database and because of interoperability with other subsystems like external user management. I need to implement such authorization with as little coding as possible, optimally simply by using standard httpd/mod_dav_svn configuration options, so semi-standard extra modules and probably simple scripts.