颠覆标记和安全
我从头开始设置了一个 SVN 存储库,并使用 SVN 复制命令成功标记了我的一些版本。
我使用了 apache 的 SSPI auth 插件,因此我们的开发人员只需使用他们的网络凭据访问服务器,一切都运行良好。
我创建了一个 AuthZ 授权文件,将我们的开发人员添加到文件中的组中,并授予他们对根目录的写访问权限。 我还授予匿名用户对根目录的只读访问权限。
然后,我使用以下命令锁定 /svn/ 目录: Require-group "CORP\CKAN0BlahBlah"
这有效地限制了安全组中的新开发人员的只读访问权限,直到他们通过 aAuthZ 配置文件获得访问权限。
现在,我有几个问题:
正确的方法是什么(除了 荣誉系统)以防止用户 对任何一项进行更改 “tags”目录?
是否可以使用SSPI来传递 AuthZ 组的成员, 而不是列出成员 单独在配置中 文件?
I have set up an SVN repository from scratch, and I have successfully tagged some of my releases using the SVN copy command.
I used the SSPI auth plugin for apache, so our developers just hit the server with their network credentials, and everything works nicely.
I have created an AuthZ authorization file, added our developers to groups in the file, and have granted them write access to the root. I also have granted anonymous users read-only access to the root.
I then locked down the /svn/ directory with: Require-group "CORP\CKAN0BlahBlah"
This effectively limits new developers in the security group to read-only access until they are granted access through the aAuthZ config file.
Now, I have a couple of questions:
What is the proper way (other than
the honor system) to prevent users
from commiting changes to any of the
"tags" directories?Is it possible to use SSPI to pass
the members of the groups to AuthZ,
rather than listing the members
individually in the configuration
file?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
对于问题#1,我为此开发:
从 http:// 获取 grep 工具sourceforge.net/projects/unxutils
对于问题 #2,答案是否定的,您无法检查 AuthZ 配置文件中的 AD 安全组。
谢谢大家的帮助。
For Question #1, I developed for this:
Grabbed the grep tool from http://sourceforge.net/projects/unxutils
For Question #2, the answer is NO, you cannot check against AD security groups in the AuthZ config file.
Thanks for your help, everyone.
没有“正确”的方法。 标签是一种约定,开发人员应该学习并遵循它。 除此之外,可以使用 Subversion 挂钩来实现故障保护。 请参阅此页面获取不错的教程。
There's no "proper" way. Tags are a convention and developers should learn and follow it. Barring that, a fail-safe can be implemented using Subversion hooks. See this page for a nice tutorial.
在我看来,这是一个教育和过程的问题。 如果您的开发人员了解 SVN 标记的用途,那么您让人(故意)对标记进行提交的可能性似乎就会小得多。 我发现有效沟通这些流程不可或缺的是最新的书面文档。 我的团队使用 wiki 来存储有关我们流程的文档(具体来说,我们使用 MediaWiki)。 与在共享点中存储版本化的 MS Office 文档之类的方法相比,wiki 方法似乎使事情更容易访问并且更容易保持最新状态。
This seems to me to be a matter of education and process. If your developers understand the purpose of your SVN tags, it seems a lot less likely that you'll have people (intentionally) doing commits to a tag. What I found to be indispensable to communicating these processes effectively is up to date, written documentation. My team uses a wiki to store documentation about our processes (specifically, we use MediaWiki). The wiki approach seems to make things a lot more accessible and easier to keep up to date than something like storing versioned MS Office documents in sharepoint.
使用 svn-auth 文件来定义它怎么样? 这看起来像这样:
这将允许管理员对标签目录进行读写访问,但不允许其他人。 我不知道 SSPI auth 插件,所以也许我提供的示例在您的上下文中不起作用。
How about using the svn-auth file to define that? this would look like that:
This will allow the ADMINS read-write access to the tags directory, but no one else. I do not know the SSPI auth plugin, so perhaps my provided example does not work in your context.
1 - 您可以使用预提交挂钩来阻止提交,请参阅 SVN 预提交挂钩,用于避免更改标签子目录。
编辑:要在 Windows 上执行此操作,请尝试以下操作:
将其另存为存储库的 hooks 文件夹中名为 pre-commit.bat 的文件:
注意,这将阻止提交到包含以下内容的任何存储库路径:子字符串标签。 根据您的需要进行修改。
1 - You can use the pre-commit hook to prevent commits, see SVN pre-commit hook for avoiding changes to tags subdirectories.
Edit: To do this on Windows, try the following:
Save this as a file named pre-commit.bat in the hooks folder of your repo:
Note, this will prevent commiting to any repository path that contains the substring tags. Modify according to your needs.