Question

I have set up an SVN repository from scratch, and I have successfully tagged some of my releases using the SVN copy command.

I used the SSPI auth plugin for Apache, so our developers just hit the server with their network credentials, and everything works nicely.

I have created an AuthZ authorization file, added our developers to groups in the file, and have granted them write access to the root. I also have granted anonymous users read-only access to the root.

I then locked down the /svn/ directory with: Require-group "CORP\CKAN0BlahBlah"

This effectively limits new developers in the security group to read-only access until they are granted access through the AuthZ config file.

Now, I have a couple of questions:

  1. What is the proper way (other than the honor system) to prevent users from committing changes to any of the "tags" directories?

  2. Is it possible to use SSPI to pass the members of the groups to AuthZ, rather than listing the members individually in the configuration file?


Solution 2

For Question #1, I developed this:

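@echo off
rem Pre-commit hook arguments: %1 = repository path, %2 = transaction name
SET SVNLOOK=C:\Program Files\CollabNet Subversion Server\svnlook.exe
SET GREP=D:\SVN\Repo\hooks\grep.exe
SET LOG=D:\SVN\Repo Logs.txt

rem Log the paths changed in this transaction
>>"%LOG%" echo ==== commit %1 %2 ====
>>"%LOG%" "%svnlook%" changed -t %2 %1

rem Reject the commit if an entry with status U lies under a /tags/ path
("%svnlook%" changed -t %2 %1 | "%grep%" "^U.*/tags/") && (echo Cannot commit to tags.>&2 && exit 1)
rem Reject the commit if the log message contains no letters or digits
("%svnlook%" log -t %2 %1 | "%grep%" "[a-zA-Z0-9]") || (echo You must specify a comment.>&2 && exit 1)

exit 0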

Grabbed the grep tool from http://sourceforge.net/projects/unxutils


For Question #2, the answer is NO, you cannot check against AD security groups in the AuthZ config file.

Thanks for your help, everyone.

OTHER TIPS

1 - You can use the pre-commit hook to prevent commits, see SVN pre-commit hook for avoiding changes to tags subdirectories.

Edit: To do this on Windows, try the following:

Save this as a file named pre-commit.bat in the hooks folder of your repo:

@echo off
rem %1 is the repository path that Subversion passes to the hook
set REPOSITORY=%1
echo %REPOSITORY% | find /I "tags"
if errorlevel 1 goto done
echo You tried to commit to %REPOSITORY% >&2
echo Committing to tags is not allowed >&2
exit 1
:done

Note, this will prevent committing to any repository path that contains the substring tags. Modify according to your needs.
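A path-aware version of the tag check that the hooks above perform, written in Python as an added example (it is not code from any of the answers). It allows creating a new tag directory but rejects edits, property changes, deletions and additions inside an existing one; the `svnlook` location, the directory name `tags` and the sample lines are assumptions.

```python
import subprocess
import sys

SVNLOOK = "svnlook"   # assumption: on PATH; hooks often need the full path
TAGS = "tags"         # assumption: tag directories are named exactly "tags"

# Constructed sample of `svnlook changed` output (status columns, then path).
SAMPLE = [
    "A   project/tags/2.0/",           # new tag directory: allowed
    "U   project/tags/1.0/main.c",     # edit inside an existing tag
    "_U  project/tags/1.0/",           # property change on a tag
    "D   project/tags/0.9/",           # deleting a tag
    "U   trunk/hashtags/parse.c",      # substring only, not a tags directory
    "A   trunk/tags",                  # a file that happens to be named tags
]

def violations(changed_lines):
    """Return the changed entries that touch anything under a tags directory,
    except the creation of tags/ itself or of a new tag directly below it."""
    bad = []
    for line in changed_lines:
        status, path = line[:4].strip(), line[4:].rstrip("\r\n")
        if not path:
            continue
        is_dir = path.endswith("/")
        parts = path.rstrip("/").split("/")
        dirs = parts if is_dir else parts[:-1]     # directory segments only
        if TAGS not in dirs:
            continue
        depth = len(parts) - 1 - dirs.index(TAGS)  # levels below tags/
        if status.startswith("A") and is_dir and depth <= 1:
            continue
        bad.append(line.strip())
    return bad

def main(repos, txn):
    out = subprocess.run([SVNLOOK, "changed", "-t", txn, repos],
                         capture_output=True, text=True, check=True).stdout
    bad = violations(out.splitlines())
    for entry in bad:
        print("Cannot change an existing tag: " + entry, file=sys.stderr)
    return 1 if bad else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2]))
```

On Windows the hook entry point still has to be a .bat or .exe file, so a pre-commit.bat would call this script and pass %1 and %2 through.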

There's no "proper" way. Tags are a convention and developers should learn and follow it. Barring that, a fail-safe can be implemented using Subversion hooks. See this page for a nice tutorial.

This seems to me to be a matter of education and process. If your developers understand the purpose of your SVN tags, it seems a lot less likely that you'll have people (intentionally) doing commits to a tag. What I found to be indispensable to communicating these processes effectively is up-to-date, written documentation. My team uses a wiki to store documentation about our processes (specifically, we use MediaWiki). The wiki approach seems to make things a lot more accessible and easier to keep up to date than something like storing versioned MS Office documents in SharePoint.

How about using the svn-auth file to define that? This would look like this:

[groups]
ADMINS=<your ID>
<rest of groups>=<all other IDs>

[/]
* = r
@<rest of groups> = rw
@ADMINS = rw

[/tags]
@<rest of groups> = r

This will allow the ADMINS read-write access to the tags directory, but no one else. I do not know the SSPI auth plugin, so perhaps my provided example does not work in your context.

Licensed under: CC-BY-SA with attribution