Google Git
Sign in
apache / subversion / refs/heads/0.11.1 / . / notes / auth_proposal.txt
blob: 767485f43b8826637a6876ec8aa0ee9763221a70 [file] [log] [blame]
Here's an idea for how authentication/authorization could work, based
on discussions with Jim and others.
It completely avoids filesystem "property ACLs", and I believe that it
satisfies all the requirements in our alpha_checklist.
(written by Ben, 3/29/01)
-----------------------------------------------
Authentication
==============
If the repository is being accessed via http, then *any* existing Apache
method can be used to authenticate: Apache's own passwd file,
certificates, kerberos, etc.
If the repository is being accessed via local disk, then the operating
system has already authenticated you. Your identity is your UID.
Authorization
=============
Axiom: assume that the caller of the svn_fs.h interface has already
obtained a username somehow. (In other words, authentication is not
the filesystem's problem.)
1. Add two new parameters to svn_fs_open_berkeley:
svn_fs_open_berkeley (fs, env, username, auth_hook);
Both the USERNAME and the AUTH_HOOK should be permanently stored in
the caller's opaque fs object.
2. (Optional) Write a new fs routine:
svn_fs_change_user (fs, username);
If, for some reason, the caller suddenly wants to operate on the
fs as a different user, this will prevent the caller from having
to "start over" (tossing the fs object and all derived root
objects.)
3. In svn_fs.h, define an enumerated list of "actions", something like
this:
{
/* Create a new transaction */
SVN_FS_ACTION_BEGIN_TXN,
/* Read the contents of a node, either file text or dir entries */
SVN_FS_ACTION_READ_CONTENT,
/* Change a file's text */
SVN_FS_ACTION_WRITE_CONTENT,
/* Read the properties of a file or dir node */
SVN_FS_ACTION_READ_PROPS,
/* Write the properties of a file or dir node */
SVN_FS_ACTION_WRITE_PROPS,
/* Delete an entry from from a dir */
SVN_FS_ACTION_DELETE_ENTRY,
/* Add an entry to a dir */
SVN_FS_ACTION_ADD_ENTRY
}
Of course, this is just an example. This table could list any
actions we want... presumably the actions would be sufficiently
general to satisfy any authorization system.
4. Modify the following svn_fs.h routines:
svn_fs_begin_txn
svn_fs_commit_txn
svn_fs_abort_txn
svn_fs_list_transactions
svn_fs_node_prop
svn_fs_node_proplist
svn_fs_change_node_prop
svn_fs_merge
svn_fs_delete
svn_fs_delete_tree
svn_fs_dir_entries
svn_fs_make_dir
svn_fs_make_file
svn_fs_rename
svn_fs_copy
svn_fs_file_contents
svn_fs_apply_textdelta
svn_fs_revision_proplist
svn_fs_change_rev_prop
These are all the routines that have something to do with reading
or writing the fs. (A routine like svn_fs_dir_delta is actually
built on top of them, which is why it's not listed.)
Each of the routines *must* begin by calling the AUTH_HOOK
routine stashed in the fs object:
/* Decide if USERNAME is allowed to perform ACTION on
REVISION:PATH. Return TRUE or FALSE. */
auth_hook (action, username, revision, path)
Notice: all routines that "write" (and sometimes "reads") operate
on transaction trees, not revision trees. This means we'll need
an internal mechanism that can map
(txn_root, path) ==> (revision, path)
This mechanism probably needs to be a table of some sort that
lives *within* the txn_root object. Every time the transaction
is modified my svn_fs_copy, the table will need to be updated.
5. Write any old auth_hook you want:
* it might always return TRUE
* it could authorize against an independent database full of users,
groups, and roles
* in the case of "local" repository access, we can still write
an auth_hook that maps Unix UIDs to actions and fs paths.
(In CVS, local access is determined by Unix file perms on the
RCS files; a subversion repos can't function this way, since
the db files are opaque -- it still needs an auth_hook.)