[cvsnt] Re: Latest updates

Tony Hoyle tmh at nodomain.org
Mon Aug 23 01:54:33 BST 2004 

Glen Starrett wrote:

> I like the sound of this.  Will branches inherit from MAIN, have their 
> own default, or be separate defaulting to default:RWC as it is now?

Basically it matches the best it can and gives each ACL entry a score.

It looks at the file, then directory and all parent directories until it 
finds something that matches.

If there are multiple matches, then each ACL is scored depending on how 
many things it matches, and the highest score wins (you can override the 
scoring system per-acl if required).

Each acl has things it can match with:
1. The username or group (username scores highest)
2. The branch
3. For merges, which branch is being merged.

If a match isn't specified it essentially means 'all' (if no matches are 
specified on an ACL it's the equivalent of 'default').

This sounds complex but is actually quite intuitive (well I find it so 
anyway...)

eg. if you have:

<default> noread,nowrite,nocreate,notag
<user=tmh,branch=foo> read,tag,control
<user=tmh,branch=foo,merge=bar> read,tag,control
<user=tmh> read,write,create,tag,control
<branch=foo> read

This means that for user tmh, he gets read/write access to anything 
except branch foo, which he only gets read access to unless he's also 
doing a merge with branch bar.  Nobody else gets any access to anything 
except read only access to branch foo.

  Since Domain1\foo isn't the same as Domain2\foo and could very well be 2
> totally different people, you shouldn't assume they are the same.  When 
> you say "cross-domain authentication can cause the username to change", 
> do you mean they would now have the domain pre-pended to them instead of 
> plain username?

Yes.  CVSNT strips the 'default' domain where it occurs (either domain 
or machine depending on whether the machine is a member of a domain or 
not) so most users will hopefully not see a difference.  However where 
the CVSNT server is on a different domain or standalone it will make 
quite a lot of difference to the usernames that are seen.

Tony

More information about the cvsnt mailing list