Path-Based Authorization

Both Apache and svnserve are able to grant (or deny) permissions to users. Typically this is done over the entire repository: a user can read the repository (or not), and she can write to the repository (or not). It's also possible, however, to define finer-grained access rules. One set of users may have permission to write to a certain directory in the repository, but not to others; another directory might not even be readable by all but a few special people.

Both servers use a common file format to describe these path-based access rules. In the case of Apache, one needs to load the mod_authz_svn module and then add the AuthzSVNAccessFile directive (within the httpd.conf file) pointing to your own rules file. (For a full explanation, see the section called “Per-directory access control”.) If you're using svnserve, then you need to make the authz-db variable (within svnserve.conf) point to your rules file.

Once your server knows where to find your rules file, it's time to define the rules.

The syntax of the file is the same familiar one used by svnserve.conf and the runtime configuration files. Lines that start with a hash (#) are ignored. In its simplest form, each section names a repository and a path within it, and the authenticated usernames are the option names within each section. The value of each option describes the user's level of access to the repository path: either r (read-only) or rw (read-write). If the user is not mentioned at all, no access is allowed.

To be more specific: the value of the section names are either of the form [repos-name:path] or the form [path]. If you're using the SVNParentPath directive, then it's important to specify the repository names in your sections. If you omit them, then a section such as [/some/dir] will match the path /some/dir in every repository. If you're using the SVNPath directive, however, then it's fine to only define paths in your sections—after all, there's only one repository.

[calc:/branches/calc/bug-142]
harry = rw
sally = r

In this first example, the user harry has complete read-write access to /branches/calc/bug-142 in the calc repository, but the user sally has read-only access. Any other users are denied access to this directory.

Of course, permissions are inherited from parent to child directory. That means we can specify a different access policy for Sally in a subdirectory:

[calc:/branches/calc/bug-142]
harry = rw
sally = r

# give sally write access only to the 'testing' subdir
[calc:/branches/calc/bug-142/testing]
sally = rw

Now Sally has read-write access to the testing subdirectory of the branch, but can still only read other parts. Harry, meanwhile, continues to have complete read-write access to the whole branch.

It's also possible to explicitly deny permission to someone via inheritance rules, by setting the username variable to nothing:

[calc:/branches/calc/bug-142]
harry = rw
sally = r

[calc:/branches/calc/bug-142/secret]
harry =

In this example, Harry has read-write access to the entire bug-142 tree, but has absolutely no access at all to the secret subdirectory within it.

Tip

The thing to remember is that the most specific path always matches first. The server tries to match the path itself, and then the parent of the path, then the parent of that, and so on. The net effect is that mentioning a specific path in the access file will always override any permissions inherited from parent directories.

By default, nobody has any access to the repository at all. That means that if you're starting with an empty file, you'll probably want to give at least read permission to all users at the root of the repository. You can do this by using the asterisk variable (*), which means “all users”:

[/]
* = r

This is a common setup; notice that there's no repository name mentioned in the section name. This makes all repositories world-readable to all users. Once all users have read-access to the repositories, you can give explicit rw permission to certain users on specific subdirectories within specific repositories.

The asterisk variable (*) is also worth special mention because it's the only pattern that matches an anonymous user. If you've configured your server block to allow a mixture of anonymous and authenticated access, all users start out accessing anonymously. The server looks for a * value defined for the path being accessed; if it can't find one, then it demands real authentication from the client.

The access file also allows you to define whole groups of users, much like the Unix /etc/group file:

[groups]
calc-developers = harry, sally, joe
paint-developers = frank, sally, jane
everyone = harry, sally, joe, frank, sally, jane

Groups can be granted access control just like users. Distinguish them with an “at” (@) prefix:

[calc:/projects/calc]
@calc-developers = rw

[paint:/projects/paint]
jane = r
@paint-developers = rw

Another important fact is that the first matching rule is the one which gets applied to a user. In the prior example, even though Jane is a member of the paint-developers group (which has read-write access), the jane = r rule will be discovered and matched before the group rule, thus denying Jane write access.

Groups can also be defined to contain other groups:

[groups]
calc-developers = harry, sally, joe
paint-developers = frank, sally, jane
everyone = @calc-developers, @paint-developers
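To make the matching rules described in this section concrete (most specific path first, explicit denial with an empty value, * as the only rule that matches anonymous users, first matching rule within a section, and nested @group expansion), here is a small evaluator written for this page. It is an added example, not code from Subversion or from this book; it models the semantics exactly as the text states them, and the rules file it parses is constructed by combining the snippets above (including the world-readable [/] root, so users not named in a section fall through to read access unless that root rule is removed).

```python
"""Evaluate Subversion-style path-based authz rules (added example, not svn code)."""
import configparser
from typing import Optional

# Constructed sample rules file combining the examples in this section.
AUTHZ_TEXT = """
[groups]
calc-developers = harry, sally, joe
paint-developers = frank, sally, jane
everyone = @calc-developers, @paint-developers

[/]
* = r

[calc:/branches/calc/bug-142]
harry = rw
sally = r

# give sally write access only to the 'testing' subdir
[calc:/branches/calc/bug-142/testing]
sally = rw

[calc:/branches/calc/bug-142/secret]
harry =

[calc:/projects/calc]
@calc-developers = rw

[paint:/projects/paint]
jane = r
@paint-developers = rw
"""


class Authz:
    def __init__(self, text: str) -> None:
        parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
        parser.optionxform = str  # keep usernames and group names case-sensitive
        parser.read_string(text)
        self.groups = {}  # group name -> raw member list (may contain @group entries)
        if parser.has_section("groups"):
            for name, members in parser.items("groups"):
                self.groups[name] = [m.strip() for m in (members or "").split(",") if m.strip()]
        # Preserve rule order within each section: the text says the first matching rule wins.
        self.sections = {
            s: [(k, (v or "").strip()) for k, v in parser.items(s)]
            for s in parser.sections() if s != "groups"
        }

    def members(self, group: str, seen=None) -> set:
        """Expand a group into usernames, following nested @group references."""
        if seen is None:
            seen = set()
        if group in seen:  # guard against cyclic group definitions
            return set()
        seen.add(group)
        out = set()
        for m in self.groups.get(group, []):
            out |= self.members(m[1:], seen) if m.startswith("@") else {m}
        return out

    def _rule_matches(self, name: str, user: Optional[str]) -> bool:
        if name == "*":
            return True  # the only pattern that matches an anonymous user
        if user is None:
            return False
        if name.startswith("@"):
            return user in self.members(name[1:])
        return name == user

    def _section_access(self, section: str, user: Optional[str]) -> Optional[str]:
        for name, perm in self.sections.get(section, []):
            if self._rule_matches(name, user):
                return perm  # "" means an explicit denial
        return None  # user not mentioned: keep looking at parent paths

    def access(self, repo: str, path: str, user: Optional[str]) -> str:
        """Return '', 'r' or 'rw'. Walks from the path up to '/', most specific first;
        at each level a [repo:path] section is consulted before a generic [path] one."""
        p = path.rstrip("/") or "/"
        while True:
            for candidate in (f"{repo}:{p}", p):
                perm = self._section_access(candidate, user)
                if perm is not None:
                    return perm
            if p == "/":
                return ""  # nothing matched anywhere: no access by default
            p = p.rsplit("/", 1)[0] or "/"


AUTHZ = Authz(AUTHZ_TEXT)
# Same rules without the world-readable root, to show the default-deny behaviour.
LOCKED_DOWN = Authz(AUTHZ_TEXT.replace("[/]\n* = r\n", ""))

if __name__ == "__main__":
    for repo, path, user in [("calc", "/branches/calc/bug-142", "harry"),
                             ("calc", "/branches/calc/bug-142/secret", "harry"),
                             ("calc", "/branches/calc/bug-142/testing", "sally"),
                             ("paint", "/projects/paint", "jane"),
                             ("calc", "/trunk", None)]:
        print(f"{user or '<anonymous>'} on {repo}:{path} -> {AUTHZ.access(repo, path, user) or 'none'}")
```

Running the script prints one line per lookup; the interesting cases are Harry's explicit denial on the secret subdirectory despite his rw on the parent, and Jane's r on the paint project beating her @paint-developers membership because her rule is listed first.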


[46] A common theme in this book!