Authentication: cache plugins for auth and their settings in the auth_registry.

- Before that change, on each request we loaded plugins for authentication 4x; this hit many caches and the db invalidation context, and loaded the plugins logic each time. This was a heavy performance hit for SVN and other backends, as they needed to load those plugins many, many times.
- Since Authentication plugins almost never change, we'll not store the plugins listed for authentication into the authnregistry for each process.
- For AuthPlugins settings we now also flush plugins settings, and authnregistry cached plugins.

File last commit:

r3693:f470fd2e new-ui
r4220:5a873939 stable
svn-path-permissions.rst

|svn| Enabling Path Permissions

Because |RCEE| uses the standard Apache SVN module (mod_dav_svn), we can take advantage of its authz configuration to protect paths and branches.

Configuring RhodeCode

  1. To configure path-based permissions, we first need to use a customized mod_dav_svn.conf.

    Open the :file:`home/{user}/.rccontrol/{instance-id}/rhodecode.ini` file and find the svn.proxy.config_template setting. Set it to the path the template should be read from. For example:

    svn.proxy.config_template = /home/ubuntu/rhodecode/custom_mod_dav_svn.conf.mako
    
  2. Create the template file at that path, in this example /home/ubuntu/rhodecode/custom_mod_dav_svn.conf.mako. You can download one from:

    https://code.rhodecode.com/rhodecode-enterprise-ce/files/default/rhodecode/apps/svn_support/templates/mod-dav-svn.conf.mako/

  3. Add the AuthzSVNReposRelativeAccessFile directive (if it does not exist yet) so that the path auth file is read.

    Example of a modified config section that enables reading the authz file relative to the repository path, meaning it is located in /storage_dir/repo_name/conf/authz:

    # snip ...
    
    # use specific SVN conf/authz file for each repository
    AuthzSVNReposRelativeAccessFile authz
    
    Allow from all
    # snip ...
    

    Note

    The AuthzSVNReposRelativeAccessFile should go above the Allow from all directive.

  4. Restart RhodeCode, go to the :menuselection:`Admin --> Settings --> VCS` page, and click :guilabel:`Generate Apache Config`. This generates a new configuration with the changes that enable reading the authz file. You can verify that the changes were made by checking the generated mod_dav_svn.conf file, which is included in your Apache configuration.

  5. Specify new rules in the repository authz configuration by editing the file :file:`repo_name/conf/authz`. For example, we specify that only admin is allowed to push to the develop branch:

    [/branches/develop]
    * = r
    admin = rw
    

    For more examples, see: https://svn.apache.org/repos/asf/subversion/trunk/subversion/mod_authz_svn/INSTALL/

    Those rules also work for paths, so not only branches but any path inside the repository can be specified.

  6. Reload Apache. If everything is configured correctly, commits that the specified rules do not allow will be rejected.
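
The lookup behind the rule in step 5, as an added example (not code from RhodeCode or Subversion): a simplified Python model that resolves a user's effective access from authz text and shows that a path with no matching rule gets no access. It assumes plain [/path] sections with "user = perms" and "* = perms" lines only; groups, aliases and repository-prefixed sections are not handled, and the function names and the user alice are hypothetical.

```python
# Added example: simplified model of Subversion path-based authz lookup.
# Assumption: only "[/path]" sections with "user = perms" / "* = perms" lines;
# groups, aliases, "~" negation and "repo:/path" sections are not handled.
import configparser
import posixpath

# Constructed input: the rule from step 5 on its own.
PAGE_RULE = "[/branches/develop]\n* = r\nadmin = rw\n"
# Constructed input: the same rule plus a root rule covering all other paths.
WITH_ROOT = "[/]\n* = rw\n\n" + PAGE_RULE


def load_rules(text):
    """Parse authz text into {section_path: {principal: perms}}."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep user names case-sensitive
    parser.read_string(text)
    return {s.rstrip("/") or "/": dict(parser[s])
            for s in parser.sections() if s.startswith("/")}


def effective_access(rules, user, path):
    """Return '', 'r' or 'rw' for user at path (hypothetical helper)."""
    node = posixpath.normpath("/" + path.lstrip("/"))
    while True:
        entries = rules.get(node, {})
        matching = [p for who, p in entries.items() if who in (user, "*")]
        if matching:
            # The most specific section that mentions the user decides;
            # all of its matching lines are combined.
            granted = set("".join(matching))
            return "".join(c for c in "rw" if c in granted)
        if node == "/":
            return ""  # no rule matched on the way up: no access
        node = posixpath.dirname(node)


if __name__ == "__main__":
    for label, text in (("page rule only", PAGE_RULE), ("with [/] rule", WITH_ROOT)):
        rules = load_rules(text)
        for user, path in (("admin", "/branches/develop/src/app.py"),
                           ("alice", "/branches/develop/src/app.py"),
                           ("alice", "/trunk/README")):
            print(f"{label}: {user} {path} -> {effective_access(rules, user, path) or 'none'}")
```

With only the [/branches/develop] section in the file, every path outside that branch resolves to no access, so a real authz file normally also carries a [/] section.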