From: Bruno De Fraine
To: users@subversion.apache.org
Subject: Status of SVNPathAuthz short_circuit
Date: Thu, 5 Aug 2010 10:06:50 +0200

Hello list,

We have a reasonably big, long-running Subversion repository (started in the day of SVN 1.1) that is served over HTTPS. We collect different projects inside of the same repository and we use path-based authorization with mod_authz_svn to restrict access to each project.
This has worked quite well, except that for a while now, the repository has been extremely slow for "log" or "diff" operations that involve directories with lots of nodes. It was quickly determined that path-based authorization is the culprit, and after reading the relevant section of chapter 6 of the svn-book [1], I (sort of) concluded that our current layout is not sustainable, i.e. that path-based authorization in Subversion is inherently slow, and the recommended solution would be to split the different projects in different repositories and use blanket access control for each repository:

[1] http://svnbook.red-bean.com/nightly/en/svn-book.html#svn.serverconfig.httpd.authz.pathauthzoff

However, almost by accident, I now discovered that there is another option. Hidden deep in the reference information of chapter 9 [2], there is mention of the directive "SVNPathAuthz short_circuit".

[2] http://svnbook.red-bean.com/nightly/en/svn.ref.mod_dav_svn.conf.html

The "short_circuit" option solves most of the performance issues, but the explanation is very terse, and I'm not sure what the security impact is. My interpretation is that "short_circuit" will check access for history items only against mod_authz_svn, whereas normal path-based authorization will query the entire Apache authorization infrastructure. In that case, "short_circuit" would be all right for us, since we only use mod_authz_svn and AuthzSVNAccessFile.

Is my interpretation of "short_circuit" vs. regular path-based authorization correct? Or if not, what is the impact of "short_circuit"? Since performance problems are so apparent with path-based authorization, why is this seemingly useful option given so little attention?

Regards,
Bruno De Fraine
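
As an added illustration (not part of the original message), here is a minimal mod_dav_svn location block using the directive under discussion. The URL path, file paths and realm name are placeholders, and the comments summarize the three `SVNPathAuthz` values as given in the mod_dav_svn reference cited as [2].

```apache
# Added example; every path and the realm name below are placeholders.
<Location /svn>
    DAV svn
    SVNPath /srv/svn/repo

    # Authentication of the main request. This part is the same
    # whichever SVNPathAuthz value is chosen.
    AuthType Basic
    AuthName "Subversion"
    AuthUserFile /etc/apache2/svn.htpasswd
    Require valid-user

    # Per-project path rules, kept only in mod_authz_svn's access file.
    AuthzSVNAccessFile /etc/apache2/svn-authz.conf

    # SVNPathAuthz controls how paths discovered during an operation
    # (for example the changed paths in "log") are authorized:
    #   On (default)   one Apache subrequest per path, so every configured
    #                  authorization module is consulted for each path
    #   short_circuit  mod_dav_svn queries mod_authz_svn directly, with no
    #                  subrequests; other authorization modules are not
    #                  consulted for these per-path checks
    #   Off            no authorization checks on discovered paths
    SVNPathAuthz short_circuit
</Location>
```

Before switching from `On` to `short_circuit`, check that no other authorization module or nested `<Location>` rule carries path restrictions for the repository, since only the rules in the `AuthzSVNAccessFile` are applied to the discovered paths.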