SVN user groups and permissions
I have set up an SVN server on my hosting account. Users can check in and out, but they have access to my entire repository.
To give people access, I issue users a public key to my account and then I add a line into my "authorized_keys" file inside my ~/.ssh that looks like this:
command="/home/user/packages/bin/svnserve -t -r /home/user/repository --tunnel-user=diogo",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa [KEY DATA IN HERE]== xxxx@xxxx.hostxxxxx.com
Users can then checkout from my server through a tunnel like so:
svn+ssh://host.com/project/trunk
My question is how can I restrict certain users to have access to certain projects?
You are using an SSH tunnel. If I read the svn book correctly, you will need to set the permissions on the repository files themselves for the user you log in as, but you can also block users directly in the conf file:
When running over a tunnel, authorization is primarily controlled by operating system permissions to the repository's database files; it's very much the same as if Harry were accessing the repository directly via a file:/// URL.
If multiple system users are going to be accessing the repository directly, you may want to place them into a common group, and you'll need to be careful about umasks. (Be sure to read the section called “Supporting Multiple Repository Access Methods”.)
But even in the case of tunneling, the svnserve.conf file can still be used to block access, by simply setting auth-access = read or auth-access = none.
(From "SSH authentication and authorization")
By the way, you say you are doing this on your hosting account. I tried that as well once, but had to give up because I was not allowed to add new SSH users. If you can't add SSH user accounts, you can't do fine-grained authentication through a tunnel - users will always have full access to the repo.
To use multi-user authentication independently from SSH, you'd have to integrate svn with Apache, something that's usually impossible in a shared environment.
I ended up switching to a small Windows-based virtual server and installing the brain-dead easy svn wrapper VisualSVN Server there. It costs some money (about €20/month, I've seen Linux based virtual servers starting at $10) but I've been happy with it ever since. (Of course, you can just use Linux and set up svn with Apache, which is what VisualSVN does internally too.)
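Because every key in this setup logs in to the same system account, the forced command and the no-* options on each authorized_keys entry are the only thing separating a key holder from the account itself. The following is an added example, not part of the original question or answer: it checks entries of the form shown in the question. The users alice, bob and carol and the shortened key data are constructed sample values.

```python
import re
import shlex

# Restrictions used on the page's authorized_keys line (compared lowercase).
REQUIRED = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-pty"}
# One option: name, optionally ="value" (value may contain backslash escapes).
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?(?:,|(?=\s)|$)')

def parse_options(line):
    """Parse the leading option list of one authorized_keys entry into a dict."""
    opts, pos = {}, 0
    while pos < len(line) and not line[pos].isspace():
        m = OPTION.match(line, pos)
        if not m:
            raise ValueError("unparseable options at column %d" % pos)
        opts[m.group(1).lower()] = m.group(2)
        pos = m.end()
    return opts

def audit(line):
    """Return (tunnel_user, findings) for one authorized_keys entry."""
    if re.match(r"(ssh-|ecdsa-|sk-)", line):
        return None, ["no options: key allows a normal login to the account"]
    opts, findings, user = parse_options(line), [], None
    argv = shlex.split(opts.get("command") or "")
    if not argv:
        findings.append("no forced command")
    else:
        if argv[0].rsplit("/", 1)[-1] != "svnserve" or "-t" not in argv:
            findings.append("forced command is not svnserve -t")
        if "-r" not in argv:
            findings.append("no -r repository root")
        users = [a.split("=", 1)[1] for a in argv if a.startswith("--tunnel-user=")]
        user = users[0] if users else None
        if user is None:
            findings.append("no --tunnel-user")
    if "restrict" not in opts:  # OpenSSH's "restrict" option implies all of REQUIRED
        findings += ["missing " + n for n in sorted(REQUIRED - set(opts))]
    return user, findings

# Constructed sample entries (key data shortened to a placeholder).
CMD = 'command="/home/user/packages/bin/svnserve -t -r /home/user/repository --tunnel-user=%s"'
SAMPLE = [
    CMD % "alice" + ",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA alice@example",
    CMD % "bob" + ",no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA bob@example",
    "ssh-rsa AAAA carol@example",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(audit(entry))
```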