Svn – Setup SVN repository subfolder specific write permission

svn

I need to setup a SVN repository which the devgroup should have full privilege to read and write except for two sub folders /1 and /2.

For /1 and /2, four users should have write permission and all other users should only have read permission.

I put the following into the configuration file, but people in devgroup still have write permission in /1 and /2.

Any help would be highly appreciated.

[project:/]
@devgroup = rw

[project:/1]
@devgroup = r
user1 = rw
user2 = rw
user3 = rw
user4 = rw

[project:/2]
@devgroup = r
user1 = rw
user2 = rw
user3 = rw
user4 = rw

Best Answer

You cannot remove permissions from a user already granted, therefore, by providing read/write access at the root of the repository to the @devgroup you have provided it to all sub-trees.

The way I would achieve this is by segregating your project areas into different repositories with different permissions and then using the svn:externals property to bundle these into the top level repo.

The svn:externals property can be set on any versioned directory, and its value is a multi-line table of subdirectories (relative to the versioned directory on which the property is set), optional revision flags, and fully qualified, absolute Subversion repository URLs.

$ svn propget svn:externals .
1             http://svn.example.com/repos/restricted-1
2             http://svn.example.com/repos/restricted-2

When someone checks out a working copy of the project repo , Subversion also continues to check out the items found in its externals definition.

$ svn checkout http://svn.example.com/repos/project
A  project
A  project/Makefile
A  project/integer.c
A  project/button.c
Checked out revision 148.

Fetching external item into 1
A  1/security.c
...
Checked out revision 14.

Fetching external item into 2
...

You can then place restrictions upon the two restricted repositories to prevent the @devgroup users from updating these, whilst still getting them when they checkout the main project repo.

Related Solutions

Svn – From SVN to GIT: Something similar to authz

It would appear that you may have made the leap to git (it's not an acronym, by the way) a little prematurely -- because git's data storage and access control models are completely different to SVN.

Access control on a per-repository basis isn't hard; while I don't have any configuration examples to hand, it shouldn't be hard to emulate if you're using HTTPS access, because the authentication and authorisation model is much the same as with SVN. For per-branch access control, I know it can be done with gitolite (although that's an SSH access system by default, it could probably be mangled into using HTTPS with a bit of thought).

In theory, you could presumably do something with path-based access for writes using some cunningly crafted hooks, but you really can't do it for read access control, because the whole model of git is commits across an entire repo, so you can't stop people from seeing all the data in the repo.

Svn – Migrate multiple svn repositories into single git repository

One solution would be to generate each of the repositories separately with svn2git or just git svn (it's a nice little tool already built into git), and then wire them together with git filter-branch.

Clone each svn repository individually.
In the repository you want to be root, add the other repositories as remotes, and fetch their branches you want to merge to that repo (you'll get warnings since the branches have no common history; that is expected).
Execute git filter-branch on those new branches, using an index filter to generate a new subdirectory for them.
Merge the filtered branches into master (or whatever branch you wanted) on the root repository. Full history would be preserved.

The command for step 3 would look something like this:

git filter-branch --index-filter '
    git ls-files -s |
    perl -pe "s{\t\"?}{$&newsubdir/}" |
    GIT_INDEX_FILE=$GIT_INDEX_FILE.new git update-index --index-info &&
    mv $GIT_INDEX_FILE.new $GIT_INDEX_FILE
' HEAD

The magic, and every time I have to do this it does feel a little like magic, is the perl statement. git filter-branch is filtering the index at each commit and prepending all blob paths (i.e. changing the working tree's file paths) with 'newsubdir'. You might have to experiment around to get the paths exactly right. A couple of lessons learned from someone who's walked this path before:

Back everything up. git filter-branch is history destructive. Once you change it, you cannot easily change it back. Be sure to back up all the repository copies you're using. Nothing's worse then finishing a complex operation and discovering you missed a / in the path.
Script everything. Unless you've got some serious skill; you won't get this right the first time. Script each individual step as you complete it, so that rerunning any of them is easy. Also if you discover a week later you screwed up a flag, you can replicate in moments.
Spend $20 on a cluster compute instance in EC2. git filter-branch is enormously CPU intensive. An index-filter on a deep history could take hours to run on your local environment, but a fraction of that time on an AWS cluster compute instance. Sure, they cost a little more than $2 an hour, but you're only going to need one for a few hours. Save yourself pain and use those scripts you wrote on hardware that makes the operation trivial. It costs the price of a nice lunch.

Best Answer

Related Solutions

Svn – From SVN to GIT: Something similar to authz

Svn – Migrate multiple svn repositories into single git repository

Related Topic