基于路径的授权

基于路径的授权
上一页	第 6 章服务配置	下一页

Both Apache and svnserve are capable of granting (or denying) permissions to users. Typically this is done over the entire repository: a user can read the repository (or not), and she can write to the repository (or not). It's also possible, however, to define finer-grained access rules. One set of users may have permission to write to a certain directory in the repository, but not others; another directory might not even be readable by all but a few special people.

Both servers use a common file format to describe these path-based access rules. In the case of Apache, one needs to load the mod_authz_svn module and then add the AuthzSVNAccessFile directive (within the httpd.conf file) pointing to your own rules-file. (For a full explanation, see “每目录访问控制”一节.) If you're using svnserve, then you need to make the authz-db variable (within svnserve.conf) point to your rules-file.

你真的需要基于路径的访问控制吗？

许多第一次设置Subversion的管理员会在未经太多的思考的情况下轻易选择使用路径为基础的访问控制，管理员通常知道团队的成员工作在哪个项目，所以很容易确定赋予哪些团队访问哪些目录，不能访问哪些目录。这看起来是很自然的事情，它满足了管理员紧密控制版本库访问的愿望。

注意，这个特性通常有一些看不见（和可见的）代价。可见的，需要更多的工作来确信用户对某个路径有读写权限；在一些情况下，会是非常大的性能损失。不可见的，考虑你创建的文化，大多数情况下，因为特定用户不能够在特定目录提交修改，所以社会契约不必通过技术来加强。团队有时候可以自然的互相协作；一些人会通过为他人提交不能正常工作目录的内容的方法帮助别人，你设置了一种不期望交流的障碍。你也要建立一套项目开发、新人加入等活动的规则，还有很多额外的工作。

记住这是一个版本控制系统，即使一些人不小心提交了一些不该提交的东西，很容易回退修改。如果一个用户故意提交到了错误的位置，这是一个社会问题，需要在Subversion之外解决。

所以在开始限制用户的访问权限之前，你要问你自己是否有一个真正的、正直的需要，或仅仅是为了对一个管理员来说这样“听起来不错”。决定是否值得影响服务器的速度，必须记住只有很小的风险；依靠技术手段解决社会问题并不好。^[45]。

作为一个思考的例子，考虑Subversion项目本身有允许某个用户可以在那个目录提交的设置，而只是通过社交方式规定。这是一个社区信任的好模型，特别是对开源项目。当然，有时候需要正统的路径为基础的访问控制；在公司中，例如，只有部分数据是敏感的，只允许以小组人可以访问。

当你的服务器知道去查找规则文件时，就是需要定义规则的时候了。

The syntax of the file is the same familiar one used by svnserve.conf and the runtime configuration files. Lines that start with a hash (#) are ignored. In its simplest form, each section names a repository and path within it, and the authenticated usernames are the option names within each section. The value of each option describes the user's level of access to the repository path: either r (read-only) or rw (read-write). If the user is not mentioned at all, no access is allowed.

To be more specific: the value of the section-names are either of the form [repos-name:path] or the form [path]. If you're using the SVNParentPath directive, then it's important to specify the repository names in your sections. If you omit them, then a section like [/some/dir] will match the path /some/dir in every repository. If you're using the SVNPath directive, however, then it's fine to only define paths in your sections—after all, there's only one repository.

[calc:/branches/calc/bug-142]
harry = rw
sally = r

In this first example, the user harry has full read and write access on the /branches/calc/bug-142 directory in the calc repository, but the user sally has read-only access. Any other users are blocked from accessing this directory.

当然，访问控制是父目录传递给子目录的，这意味着我们可以为Sally指定一个子目录的不同访问策略：

[calc:/branches/calc/bug-142]
harry = rw
sally = r

# give sally write access only to the 'testing' subdir
[calc:/branches/calc/bug-142/testing]
sally = rw

Now Sally can write to the testing subdirectory of the branch, but can still only read other parts. Harry, meanwhile, continues to have complete read-write access to the whole branch.

也可以通过继承规则明确的的拒绝某人的访问，只需要设置用户名参数为空：

[calc:/branches/calc/bug-142]
harry = rw
sally = r

[calc:/branches/calc/bug-142/secret]
harry =

In this example, Harry has read-write access to the entire bug-142 tree, but has absolutely no access at all to the secret subdirectory within it.

需要记住的是最详细的的路径会被匹配，服务器首先找到匹配自己的目录，然后父目录，然后父目录的父目录，就这样继续下去，更具体的路径控制会覆盖所有继承下来的访问控制。

By default, nobody has any access to the repository at all. That means that if you're starting with an empty file, you'll probably want to give at least read permission to all users at the root of the repository. You can do this by using the asterisk variable (*), which means “all users”:

[/]
* = r

This is a common setup; notice that there's no repository name mentioned in the section name. This makes all repositories world readable to all users. Once all users have read-access to the repositories, you can give explicit rw permission to certain users on specific subdirectories within specific repositories.

The asterisk variable (*) is also worth special mention here: it's the only pattern which matches an anonymous user. If you've configured your server block to allow a mixture of anonymous and authenticated access, all users start out accessing anonymously. The server looks for a * value defined for the path being accessed; if it can't find one, then it demands real authentication from the client.

The access file also allows you to define whole groups of users, much like the Unix /etc/group file:

[groups]
calc-developers = harry, sally, joe
paint-developers = frank, sally, jane
everyone = harry, sally, joe, frank, sally, jane

Groups can be granted access control just like users. Distinguish them with an “at” (@) prefix:

[calc:/projects/calc]
@calc-developers = rw

[paint:/projects/paint]
@paint-developers = rw
jane = r

组中也可以定义为包含其它的组：

[groups]
calc-developers = harry, sally, joe
paint-developers = frank, sally, jane
everyone = @calc-developers, @paint-developers

部分可读性和检出

如果你使用Apache作为Subversion服务器，并让版本库的某些子目录对特定用户不可读，然后你需要知道svn checkout会有一个不理想的执行方式。

当客户端通过HTTP请求检出或更新时，它会做出一个单独的服务器请求，并接收一个单独的（通常很大）服务器响应，当服务器接收到请求，这是Apache服务器要求用户认证的唯一机会，这有一些副作用。例如，如果版本库的一个特定子目录只对用户Sally可读，用户Harry检出父目录，他的客户端会在收到认证要求时返回用户名Harry，因为服务器生成的响应很大，无法在达到特别子目录时重新发送认证请求；因此子目录会被一起略过，而不会询问用户是否使用Sally重新认证。如果版本库是匿名可访问的，则整个检出将不需要认证—再一次，略过不可读的目录，而不会中途要求认证。

^[45]本书的共同主题！

上一页	上一级	下一页
httpd，Apache 的 HTTP 服务器	起始页	支持多种版本库访问方法