You've seen how a repository can be accessed in many different ways. But is it possible—or safe—for your repository to be accessed by multiple methods simultaneously? The answer is yes, provided you use a bit of foresight.
At any given time, these processes may require read and write access to your repository:
-
regular system users using a Subversion client (as themselves) to access the repository directly via file:/// URLs;
-
regular system users connecting to SSH-spawned private svnserve processes (running as themselves) which access the repository;
-
an svnserve process—either a daemon or one launched by inetd—running as a particular fixed user;
-
an Apache httpd process, running as a particular fixed user.
The most common problem administrators run into is repository ownership and permissions. Does every process (or user) in the previous list have the rights to read and write the Berkeley DB files? Assuming you have a Unix-like operating system, a straightforward approach might be to place every potential repository user into a new svn group, and make the repository wholly owned by that group. But even that's not enough, because a process may write to the database files using an unfriendly umask—one that prevents access by other users.
So the next step beyond setting up a common group for repository users is to force every repository-accessing process to use a sane umask. For users accessing the repository directly, you can make the svn program into a wrapper script that first sets umask 002 and then runs the real svn client program. You can write a similar wrapper script for the svnserve program, and add a umask 002 command to Apache's own startup script, apachectl. For example:
$ cat /usr/bin/svn
#!/bin/sh
umask 002
/usr/bin/svn-real "$@"
Another common problem is often encountered on Unix-like systems. As a repository is used, Berkeley DB occasionally creates new log files to journal its actions. Even if the repository is wholly owned by the svn group, these newly created files won't necessarily be owned by that same group, which then creates more permissions problems for your users. A good workaround is to set the group SUID bit on the repository's db directory. This causes all newly-created log files to have the same group owner as the parent directory.
Once you've jumped through these hoops, your repository should be accessible by all the necessary processes. It may seem a bit messy and complicated, but the problems of having multiple users sharing write-access to common files are classic ones that are not often elegantly solved.
Fortunately, most repository administrators will never need to have such a complex configuration. Users who wish to access repositories that live on the same machine are not limited to using file:// access URLs—they can typically contact the Apache HTTP server or svnserve using localhost for the server name in their http:// or svn:// URLs. And to maintain multiple server processes for your Subversion repositories is likely to be more of a headache than necessary. We recommend you choose the server that best meets your needs and stick with it!
The svn+ssh:// server checklist
It can be quite tricky to get a bunch of users with existing SSH accounts to share a repository without permissions problems. If you're confused about all the things that you (as an administrator) need to do on a Unix-like system, here's a quick checklist that resummarizes some of things discussed in this section:
-
All of your SSH users need to be able to read and write to the repository. Put all the SSH users into a single group. Make the repository wholly owned by that group, and set the group permissions to read/write.
-
Your users need to use a sane umask when accessing the repository. Make sure that svnserve (/usr/bin/svnserve, or wherever it lives in $PATH) is actually a wrapper script which sets umask 002 and executes the real svnserve binary. Take similar measures when using svnlook and svnadmin. Either run them with a sane umask, or wrap them as described above.
[27] Эта проблема описана в FAQ, она является результатом плохой конфигурации сервера.
[28] И опять-таки, частой ошибкой является неправильная конфигурация сервера, при которой сервер никогда не посылает запрос об установлении личности. Когда пользователи используют ключи --username и --password, они могут быть неприятно удивлены, увидев, что ключи не используются, что новые правки зафиксированы анонимными пользователями.
[29] See RFC 2195.
[30] They really hate doing that.
[31] While self-signed server certificates are still vulnerable to a «man in the middle» attack, such an attack is still much more difficult for a casual observer to pull off, compared to sniffing unprotected passwords.
[32] More security-conscious folk might not want to store the client certificate password in the runtime servers file.
[33] Back then, it was called «ViewCVS».
Глава 7. Профессиональное использование Subversion
Содержание
Параметры времени выполнения
Структура области конфигурации
Конфигурация и реестр Windows
Параметры конфигурации
Servers
Config
Свойства
Зачем нужны свойства?
Использование свойств
Специальные свойства
svn:executable
svn:mime-type
svn:ignore
svn:keywords
svn:eol-style
svn:externals
svn:special
svn:needs-lock
Automatic Property Setting
Locking
Creating locks
Discovering locks
Breaking and stealing locks
Lock Communication
Peg and Operative Revisions
Externals Definitions
Vendor branches
General Vendor Branch Management Procedure
svn_load_dirs.pl
Localization
Understanding locales
Subversion's use of locales
Using External Differencing Tools
External diff
External diff3
Subversion Repository URLs
Если эту книгу вы читали главу за главой, от начала до конца, то к настоящему моменту должны иметь достаточно знаний для использования Subversion клиента при выполнении типичных управлению версиями операций. Вы понимаете, как создавать рабочую копию. Знаете как используя команды svn commit и svn update отправлять и получать изменения. Возможно у вас уже даже выработался рефлекс бессознательного запуска svn status. Вы готовы применять Subversion в большинстве возможных типовых ситуаций.
Однако предоставляемая Subversion функциональность не ограничивается «типовыми операциями управления версиями».
Эта глава рассказывает о не часто используемых возможностях Subversion. В ней мы рассмотрим поддержку свойств (или «метаданных») и способы изменения стандартного поведения Subversion изменяя ее параметры времени выполнения. Мы расскажем как используя внешние зависимости заставить Subversion получать информацию из нескольких хранилищ. Подробно рассмотрим клиентские и серверные инструменты, входящие в поставку Subversion.
Перед чтением этой главы, необходимо хорошо представлять механизмы версионированния файлов и директорий в Subversion. Если вы еще этого не прочитали или просто хотите освежить в памяти эту информацию, рекомендуем просмотреть Глава 2, Основные понятия и Глава 3, Экскурсия по Subversion. После того как вы овладеете основами и примами, рассмотренными в этой главе, вы станете продвинутым пользователем Subversion!
Достарыңызбен бөлісу: |