Set more detailed privileges on a repository for users/groups:

Normally, all authorisation of users/groups accessing an svn repository over HTTP is handled by the “authz” file.

The only privileges the authz file can grant are “r” (read) and “w” (write).

There is no finer-grained privilege, such as allowing a user/group only to “add” files, only to “delete” them, or only to “modify” them.

Consider the following scenario:
1. The admin has the privilege to “add” a new file, “delete” an existing file and “modify” a file. The privilege “authz” can grant for this is only the generic “rw”.

2. The full svn committers have the privilege to “add” new files and “modify” existing files. Here too the privilege “authz” can grant is only the generic “rw”, which cannot prevent a committer from “deleting” an existing file.

3. Some people must only be able to “add” new files but NOT “modify” an existing file. Again the privilege “authz” can grant is only the generic “rw”, which cannot prevent them from “modifying” or “deleting” an existing file.

This is where svnperms.py and svnperms.conf come into action. The svnperms.py script reads its rules from the svnperms.conf configuration file.

svnperms.conf distinguishes the following specific write accesses:
1. ‘add’ means adding new files.
2. ‘remove’ means deleting a file/dir.
3. ‘update’ means modifying a file/dir.

Sample svnperms.py can be downloaded from
https://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/svnperms.py

Sample svnperms.conf can be downloaded from
https://svn.apache.org/repos/asf/subversion/trunk/tools/hook-scripts/svnperms.conf.example

My pre-commit hook looks as follows:

#!/bin/sh
REPOS="$1"
TXN="$2"
# run the permission check against the transaction; block the commit if it fails
python /path/to/svnperms.py -r "$REPOS" -t "$TXN" || exit 1
exit 0

NOTE:
1. The pre-commit script lives at /path/to/repo/hooks/pre-commit.
2. It must be made executable.

By default, this python script looks for the svnperms.conf file at /path/to/repo/conf/svnperms.conf.
This is a sample svnperms.conf file:

[groups]
group1 = user2 user3
admin = user1

[testrepo]
trunk/.* = prabhugs,@admin(add,remove,update) @group1(update)
tags/[^/]+/ = prabhugs,@admin(add) @group1(update)
branches/[^/]+/.* = @admin(add) @group1(update)

Here we have three users (user1, user2, user3), where user1 is in the “admin” group and the users “user1” and “user2” are in the “group1” group.
Here “testrepo” is my repository name.

i) groups are prefixed by “@”
ii) all permissions may be revoked with “()”

1. Here, user “prabhugs” and the group “admin” can add, delete and modify any file in trunk, whereas the users in group “group1” can ONLY modify existing files.

2. User “prabhugs” and the group “admin” can add any file in tags, whereas the users in group “group1” can ONLY modify existing files.

3. Note carefully the left-hand side of the “tags” and “branches” rules. The regular expressions mean that “tags” does NOT allow subdirectories like “tags/abc/xyz”, whereas “branches” allows subdirectories like “branches/abc/xyz”.
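To make the rule semantics above concrete (group expansion with “@”, revocation with “()”, and why “tags/[^/]+/” rejects “tags/abc/xyz” while “branches/[^/]+/.*” accepts “branches/abc/xyz”), here is an added Python example. It is a simplified re-implementation written for this page, not the Apache svnperms.py script: it parses a constructed svnperms.conf-style text, anchors every path pattern to the whole path, and evaluates constructed “svnlook changed” lines. The function names, the default-deny for unmatched paths, and the union of permissions across matching entries are this example's own choices; the real script's precedence rules may differ.

```python
"""Simplified illustration of svnperms.conf rule evaluation (added example).

NOT the Apache svnperms.py script. Constructed config and constructed
`svnlook changed` lines are embedded below so it runs offline.
"""
import configparser
import re

# Constructed sample config, mirroring the page's svnperms.conf.
SAMPLE_CONF = """
[groups]
group1 = user2 user3
admin = user1

[testrepo]
trunk/.* = prabhugs,@admin(add,remove,update) @group1(update)
tags/[^/]+/ = prabhugs,@admin(add) @group1(update)
branches/[^/]+/.* = @admin(add) @group1(update)
"""

# First status column of `svnlook changed` -> svnperms action name.
ACTION_OF_STATUS = {"A": "add", "D": "remove", "U": "update"}

# One entry: "user1,user2,@group(perm,perm)"; "()" means no permissions.
ENTRY_RE = re.compile(r"([^()\s]*)\(([^)]*)\)")


def parse_conf(text, section):
    """Return (groups, rules); each rule is (compiled_regex, users, granted)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep path patterns case-sensitive
    cp.read_string(text)
    groups = {name: value.split() for name, value in cp.items("groups")}
    rules = []
    for pattern, value in cp.items(section):
        # Anchor the pattern to the whole changed path: this is what makes
        # tags/[^/]+/ match "tags/1.0/" but not "tags/1.0/extra/".
        regex = re.compile("^%s$" % pattern.lstrip("/"))
        for principals, perms in ENTRY_RE.findall(value):
            users = set()
            for p in principals.split(","):
                if not p:
                    continue
                if p.startswith("@"):
                    users.update(groups[p[1:]])  # KeyError on an unknown group
                else:
                    users.add(p)
            granted = {x for x in perms.split(",") if x}  # "()" -> empty set
            rules.append((regex, users, granted))
    return groups, rules


def permissions_for(rules, user, path):
    """Union of actions granted to `user` on `path` by every matching rule
    (this example's choice; an unmatched path yields an empty set)."""
    granted = set()
    for regex, users, perms in rules:
        if regex.match(path) and (user in users or "*" in users):
            granted |= perms
    return granted


def check_changes(rules, author, changed_lines):
    """Evaluate `svnlook changed`-style lines; return [(path, action, allowed)].
    svnlook prints two status columns, two spaces, then the path."""
    results = []
    for line in changed_lines:
        action = ACTION_OF_STATUS.get(line[0])
        if action is None:
            continue  # e.g. "_U" (property-only change) is not covered here
        path = line[4:].strip()
        results.append((path, action, action in permissions_for(rules, author, path)))
    return results


if __name__ == "__main__":
    _, RULES = parse_conf(SAMPLE_CONF, "testrepo")
    # Constructed transaction contents, as svnlook changed would print them.
    CHANGED = [
        "A   trunk/newfile.c",
        "D   trunk/oldfile.c",
        "A   tags/1.0/",
        "A   tags/1.0/extra/",        # rejected: pattern allows no subdirectory
        "A   branches/feature/extra/", # accepted: branches pattern ends in .*
    ]
    for who in ("user1", "user2", "prabhugs"):
        print(who)
        for p, a, ok in check_changes(RULES, who, CHANGED):
            print("  %-7s %-28s %s" % (a, p, "allowed" if ok else "DENIED"))
```

Running the block prints, per user, which constructed changes the rules allow: user1 (admin) may add and delete in trunk and add “tags/1.0/” but not “tags/1.0/extra/”; user2 (group1) may only update; prabhugs is not named in the branches rule at all, so every branches change of his is denied.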

5 thoughts on “Set more detailed privileges on a repository for users/groups:”

  1. I was looking around for python scripts to do approximately what this one does.

    I’m kind of interested in the inverse problem, though — I would like to automate the granting of privileges to a new user. I want to set things up to pass off to an administrator who basically knows no python, unix or subversion, so that I don’t have to be involved most of the time.

    Say I have a svnperms.conf with groups defined for different projects, and I just want to add a new user to one of those groups … it would be pretty simple to use ConfigFile to modify that, wouldn’t it? I wouldn’t have to play with anything else, just the group definition.

  2. Hi,
    Can you please provide the parameters which we need to provide while invoking pre-commit.bat, as I am getting the below error during commit.

    Commit failed (details follow):
    Commit blocked by pre-commit hook (exit code 1) with output:
    svnlook author C:\csvn\data\repositories\Test -t 5-17
    ‘{‘ is not recognized as an internal or external command,
    operable program or batch file.error: command failed: svnlook author
    C:\csvn\data\repositories\Test -t 5-17
    ‘{‘ is not recognized as an internal or external command,
    operable program or batch file.

  3. Now that error is resolved after I used the original python script again and updated the parameters passed to pre-commit.bat.
    But access control is not working as expected. User(user1) is able to delete under branches where he is not supposed to.

    Pre-commit.bat:
    REM precommit.bat script for Windows Systems
    REM ### Set the location of the "svnlook" command below ###
    set SVN_LOOK=C:\csvn\bin
    set REPOS=%1
    set TXN=%2
    set HOOKS_DIR=C:\csvn\data\repositories\Test\hooks
    set SVNLK="C:\csvn\bin\svnlook.exe"
    REM run the permission check; block the commit if it fails
    "C:\csvn\data\repositories\Test\hooks\svnperms.py" -r "%REPOS%" -t "%TXN%" || exit 1
    exit 0

    svnperms.conf:
    [groups]
    admin = user1
    group1 = user2
    [Test]
    branches/[^/]+/.* = @admin(add) @group1(update)
    tags/[^/]+/ = user3,@admin(add) @group1(update)
    trunk/.* = user3,@admin(add,remove,update) @group1(update)

    Access rules in the original conf:
    [Test:/]
    user1 = rw
    user2 = rw
    user3 = rw

    Parameters:
    C:\csvn\data\repositories\Test\hooks\pre-commit.bat C:\csvn\data\repositories\Test\ 1
