From: Pavel Lyalyakin
Date: Wed, 12 Dec 2018 13:38:59 +0300
Subject: Re: Check Path based authorization
To: thomas.stuempfig@siemens.com
Cc: brane@apache.org, users@subversion.apache.org
List: users@subversion.apache.org

Hello Thomas,

On Tue, Dec 11, 2018 at 8:40 PM Stuempfig, Thomas wrote:
>
> Hi Brane,
> Well, after testing, the tool does not actually do what I would like. But it is giving me a starting point / workaround.
> I tested the tool with VisualSVN Server on Windows.

VisualSVN Server includes a PowerShell module[1] that provides a set of cmdlets[2] for server and repository administration. You may want to try the `Get-SvnAccessRule`[3] and `Select-SvnAccessRule`[4] cmdlets; I guess that they can partially meet your requirements. However, they do not consider an AD user's group membership and therefore do not display effective access for a particular user account.

Do I understand you correctly that you want a reporting tool that will display the actual effective access for AD user DOMAIN\Username, considering his group membership? How complex is the access rule configuration in your repositories? Could you please show us an example (run Get-SvnAccessRule and show us the output)? You can reply to me privately or contact support@visualsvn.com and we will examine your case further.

[1]: https://www.visualsvn.com/server/features/powershell/
[2]: https://www.visualsvn.com/support/topic/00088/
[3]: https://www.visualsvn.com/support/topic/00088/#Get-SvnAccessRule
[4]: https://www.visualsvn.com/support/topic/00088/#Select-SvnAccessRule

> Steps to reproduce
> 1) configure basic Windows authentication
>
> 2) grant "rw" access to the repository root path for an AD group
> VisualSVN Server places the objectSid S-1-1-11-111111111-111111111-11111111-11111 of the group in the VisualSVN-WinAuthz.ini file of the repository
>
> 3) svnauthz.exe accessof --username S-2-2-22-222222222-22222222-222222222-22222 d:\repositories\test\conf\VisualSVN-WinAuthz.ini
> Where username is a member of the AD group objectSid S-1-1-11-111111111-111111111-11111111-11111
> Result: no
>
> But
> 4) svnauthz.exe accessof --username S-1-1-11-111111111-111111111-11111111-11111 22222 d:\repositories\test\conf\VisualSVN-WinAuthz.ini
> Gives "rw"
>
>
> This is not what I am looking for.
>
> I could probably use some LDAP query in order to find out the groups that user S-2--- is a member of and test these against the svn file. I personally don't like LDAP queries, but if needed I will stick with that.
>
> So I am seeking better ideas... or if anybody already did the job of cycling through one's user AD groups recursively... calling svnauthz for each of the groups, I would offer some beer ...
>
> regards
> Thomas
>
> -----Original Message-----
> From: [ext] Stuempfig, Thomas [mailto:thomas.stuempfig@siemens.com]
> Sent: Tuesday, 11 December 2018 17:22
> To: Branko Čibej ; users@subversion.apache.org
> Subject: RE: Check Path based authorization
>
> Hi Brane,
> thank you for the quick response. This is probably what I would seek for. I'll test it and will come back with my findings.
>
> Best regards
> Thomas
>
> -----Original Message-----
> From: Branko Čibej [mailto:brane@apache.org]
> Sent: Tuesday, 11 December 2018 11:00
> To: users@subversion.apache.org
> Subject: Re: Check Path based authorization
>
> On 11.12.2018 10:24, Stuempfig, Thomas wrote:
> > Hi all,
> > We have a large organization, many projects and quite a bit of history (10 years) with one of the repos… and after a while path based authorization becomes quite difficult.
> > I would like to ask if it is possible as an admin to check path based authorization for a user x (ldap).
> >
> > It would be great if one could give ("none", "rw", "r") or alike for a path.
> > Kind of executing a call like the call below as admin.
> >
> > getactiveprivs usertocheck http(s)://server.domain.com//svn/myproject/branches/branch_dev/
> >
> > I mean this is the core; there could be several variations of this call. Get privs of ldap group members… as different members belong to different other groups, each of them possibly has different access rights.
> > It would be really great to have some table of active privileges.
>
>
> Is the 'svnauthz' tool not good enough? It's usually installed separately from the core binaries, in some 'subversion-tools' package, but it's intended for exactly this kind of test.
>
>
> -- Brane
>
> $ svnauthz accessof --help
> accessof: Print or test the permissions set by an authz file.
> usage: 1. svnauthz accessof TARGET
>        2. svnauthz accessof -t TXN REPOS_PATH FILE_PATH
>
>   1. Prints the access of USER to PATH based on authorization file at TARGET.
>      TARGET can be a path to a file or an absolute file:// URL to an authz
>      file in a repository, but cannot be a repository relative URL (^/).
>
>   2. Prints the access of USER to PATH based on authz file at FILE_PATH in the
>      transaction TXN in the repository at REPOS_PATH.
>
>   USER is the argument to the --username option; if that option is not
>   provided, then access of an anonymous user will be printed or tested.
>
>   PATH is the argument to the --path option; if that option is not provided,
>   the maximal access to any path in the repository will be considered.
>
>   Outputs one of the following:
>      rw   write access (which also implies read)
>       r   read access
>      no   no access
>
>   Returns:
>     0   when syntax is OK and '--is' argument (if any) matches.
>     1   when syntax is invalid.
>     2   operational error
>     3   when '--is' argument doesn't match
>
> Valid options:
>   -t [--transaction] ARG   : transaction id
>   --username ARG           : username to check access of
>   --path ARG               : path within repository to check access of
>   --repository ARG         : repository authz name
>   --is ARG                 : instead of outputting, test if the access is
>                              exactly ARG
>                              ARG can be one of the following values:
>                                 rw  write access (which also implies read)
>                                 r   read-only access
>                                 no  no access
>   --groups-file ARG        : use the groups from file ARG
>   -R [--recursive]         : determine recursive access to PATH
>
> -----------------
> Siemens Industry Software GmbH; Address: Franz-Geuer-Str. 10, 50823 Köln; limited liability company (GmbH); Managing Directors: Urban August, Daniel Trebes; Registered office: Köln; Register court: Amtsgericht Köln, HRB 84564
> -----------------

--
With best regards,
Pavel Lyalyakin
VisualSVN Team
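The recursive group walk Thomas asks for above, written out as an added example; this is not code from the thread, from VisualSVN or from Subversion. It assumes a domain-joined Windows host that can reach a domain controller, `svnauthz.exe` on PATH, and a VisualSVN-WinAuthz.ini that keys its rules by objectSid as described in step 2; the UPN, repository path and file path in the usage line are placeholders. Instead of an LDAP query it lets the domain controller build the user's logon token via `System.Security.Principal.WindowsIdentity`, whose `Groups` collection already contains nested group SIDs and well-known SIDs such as Authenticated Users, then runs `svnauthz accessof` once per SID and reports both the per-SID results and the highest one found.

```powershell
# Added example (not from the thread, VisualSVN or Subversion): effective svnauthz
# access for an AD user, computed by testing every SID in the user's token.
# Assumes: domain-joined host, svnauthz.exe on PATH, authz rules keyed by objectSid.
function Get-SvnEffectiveAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,  # e.g. jdoe@corp.example (placeholder)
        [Parameter(Mandatory)] [string] $AuthzFile,          # e.g. D:\Repositories\test\conf\VisualSVN-WinAuthz.ini
        [string] $Path,                                       # repository path; omit for "maximal access to any path"
        [string] $Repository,                                 # authz repository name, for [repo:/path] sections
        [string] $SvnAuthz = 'svnauthz.exe'
    )

    # WindowsIdentity(UPN) has the DC build the user's token (S4U), so .Groups
    # already includes transitively nested groups. No LDAP walk is needed.
    $identity = New-Object System.Security.Principal.WindowsIdentity($UserPrincipalName)
    $sids = @($identity.User) + @($identity.Groups)

    $rank = @{ 'no' = 0; 'r' = 1; 'rw' = 2 }

    $rows = foreach ($sid in $sids) {
        # VisualSVN-WinAuthz.ini names principals by SID, so the SID string is the --username.
        $svnArgs = @('accessof', '--username', $sid.Value)
        if ($Path)       { $svnArgs += @('--path', $Path) }
        if ($Repository) { $svnArgs += @('--repository', $Repository) }
        $svnArgs += $AuthzFile

        $output = (& $SvnAuthz @svnArgs 2>&1 | Out-String).Trim()
        if ($LASTEXITCODE -ne 0) {
            # 1 = authz syntax invalid, 2 = operational error (see `svnauthz accessof --help`)
            throw "svnauthz exited $LASTEXITCODE for $($sid.Value): $output"
        }
        if (-not $rank.ContainsKey($output)) {
            throw "unexpected svnauthz output '$output' for $($sid.Value)"
        }

        # Resolve the SID to DOMAIN\Name for the report; unresolvable SIDs are kept raw.
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }

        [pscustomobject]@{ Principal = $name; Sid = $sid.Value; Access = $output }
    }

    $sorted = $rows | Sort-Object { $rank[$_.Access] } -Descending

    [pscustomobject]@{
        User      = $UserPrincipalName
        Path      = if ($Path) { $Path } else { '(maximal access to any path)' }
        Effective = ($sorted | Select-Object -First 1).Access   # highest grant across the token
        Details   = $sorted                                      # which SID produced which answer
    }
}

# Usage (placeholder names):
# $r = Get-SvnEffectiveAccess -UserPrincipalName 'jdoe@corp.example' `
#        -AuthzFile 'D:\Repositories\test\conf\VisualSVN-WinAuthz.ini' -Path '/branches/branch_dev'
# $r.Effective
# $r.Details | Format-Table -AutoSize
```

Taking the maximum over per-SID queries mirrors how a Windows token is matched (any SID in the token that a rule grants), but it is an approximation of whatever rule-combination semantics the authz consumer actually applies, so confirm a surprising result with a real checkout or with VisualSVN support rather than trusting the table alone. If the `WindowsIdentity` constructor fails (for example for an account in an untrusted forest), the same loop works with a SID list built by recursing over `Get-ADPrincipalGroupMembership` from the ActiveDirectory module instead.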