On Friday, October 18, 2013 02:46:39 AM Branko Čibej wrote:
On 17.10.2013 20:00, Alexey Neyman wrote: Hi all, We are actively using authz path-based authentication rules: due to some legal requirements, some parts of our product source code are not accessible to a part of the developer team. Currently authz does not support wildcards (there is an issue about that [1] discussed since 2006). Because of this, each time a branch is created, authz rules have to be copied and modified for the new branch. This leads to a proliferation of authz rules; our authz is currently about 2000 lines and growing. I am currently implementing a post-commit script so that we would be able to record authz rules on files/directories, and authz would be appended with new rules every time these files/directories are copied. First, I am wondering how well such 'authz' approach would scale. Has anyone run scalability tests on authz? Second, I thought that if I am using properties to track authz-controlled files, SVN server would probably do that more effectively than a post-commit script. As an added value, property-based authz would allow versioning in path-based auth configuration that current mechanism does not allow. E.g., currently one could either configure path /foo as either R/O, R/W or unaccessible to user U; it is not possible to configure the path to be unaccessible before/after a certain revision. Thoughts? Ideas? Properties are not suitable for storing ACLs because they are immutable; i.e., you cannot change properties on committed files and directories. You need a different kind of structure, one that the Subversion repository does not have yet. Well, technically you can dump & reload... But that's hardly maintainable, I agree. Are those ACLs you're describing going to be version-specific? In other words, will it be possible to specify that /foo/bar@2345 is r/w for user harry, but not accessible starting with revision 2346? Thanks for a pointer to that 1.8 feature, I forgot about that. That might make my task a bit easier. Regards,Alexey. -- Branko Čibej | *Director of Subversion* WANdisco // /Non-Stop Data/ e. br...@wandisco.com[1] -------- [1] mailto:br...@wandisco.com
