Managing commit rights in svn by delegating to project managers - apache

We have multiple projects in svn repo.And for each project there are many users.As number of users is large so its troublesome to manage their commit rights using "Auth file".
I have read somewhere that we can delegate user's rights to their managers by creating a text file.But i am not sure how to achieve this and perhaps hOOKS need to be configured for this .As i am new to SVN so need your expert advice.Please guide me how to achieve this and if you have hook already confgiured p,kindly provide.
How to setup access control in SVN?
I have seen this link and answer by VonC is great and perfect for me.But i dont know how to start .. can anybody help me out here as i am not pro in svn and unix .
Thanks in advance

Preface
Using single repository for multiple projects is Bad Idea (tm): one repo - one project
Forget immediately about old as mammoth's shit SVN 1.5 - use at least 1.6 on client and server (1.8 may be best choice)
Face
Simplified user-management for SVN-users can be reached using LDAP-based authentication instead of ordinary file (in case of "repository per project" <location> from answer will be location of each repo with SVNPath, in case of old structure <location> must be linked to every root of project) and having different groups for different repositories in Require ldap-group directive - read also Apache 2.2 docs in Apache Module mod_authnz_ldap part. From management POV, LDAP-auth and permissions means: each developer must be in LDAP-tree, included in one or more related to repositories groups
In case of additional requirement for Path-Based Authorization within repositories and using groups inside authz-file, you may find useful LDAP Groups to Subversion Authz Groups Bridge, which allow you to regenerate authz-groups from LDAP-data
As result, most (if not all) SVN-related ACLs can be managed in LDAP-side only

Related

Gerrit permission to review a specific path

Im currently working on a big project with more then one team.
Lets say in the project there are some modules that each team working on.
In addition we are using gerrit for sometime now and there is something i couldn't find out.
My question is the following:
Is there a way to tell Gerrit that only specific people/group(on Gerrit) will have permission to review code (+2) on specific path/module on the project?
This is possible, and can be achieved by using the Gerrit OWNERS Plugin. I haven't configured this plugin myself, but we use this in our codebase to protect certain areas of code.
Every folder that needs protection contains a file named OWNERS that has the following structure.
inherited: true
owners:
- user-a#example.com
- user-b#example.com
Here is the link to a readme for the plugin. Hope you can figure out how to configure it.
https://gerrit.googlesource.com/plugins/owners/+/refs/heads/master/README.md
I think you can do this by making two separate commits. You can later add the group that you want to review the code on that specific path using gerrit interface.

Issue Listing multiple SVN repositories from client

I've already setup Apache to manage svn requests.
Basically the structure of the svn related directory is this:
/Repository
-----OneRepo
-----TheOtherRepo
Repository is a "normal" directory, while OneRepo and TheOtherRepo are svn repositories.
I've used SVNParentPath and SVNListParentPath directives and if I go to localhost/Repository/ (with my browser) I can see all my repositories.
Now, if I try to access a single repository (for example: OneRepo) from a client (in my case Cornerstone but Versions is the same) everything works fine.
The problem is that I would like to access the repository listing from the client so that I have a big "folder" with all my projects in it. Does it make sense?
So, instead of writing http://192.168.x.x/Repository/OneRepo in my client (and it works) I would like to write http://192.168.x.x/Repository/ and view a listing of project and so checkout whatever project I would like to.
Is that possible?
Thanks
This works only in a http browser. So your standard SVN Client (commandline , TortoiseSVN, etc.) can not list your repositories

Apache Ivy: Where do I put all these JARs?

I'm trying to convince the higher-ups at my work place to migrate to Apache Ivy. I've managed to get a few sandbox projects working using Ivy to power the build, and now I have a greenlight to put together a migration proposal.
We all agree on one thing: we don't want to trust JARs that are located in public directories! I know, I know, a bit paranoid, yes. But we'd like to have a setup where we pull a JAR from a trusted source (either downloading it from the open source project itself, or most likely, gulp, a public repo), and use it for some time before we "certify" it (give it our blessing as a safe artifact to use).
Then we want to have a common repository for all JARs used by our many projects.
My original thinking was to place this repository up in version control (we have an SVN server). But I wasn't sure what best practices dictate. It might make more sense to put our JARs on a file server and FTP to them in the Ivy script.
Either way, SVN (HTTPS) or FTP, all of our servers are authenticated. So, a small number of questions:
Where should we be publishing all of our "certified" JARs (everything from `log4j` to any homegrown JARs we produce)? What do best practices dictate?
The "ivyrep" resolver-type does not take username or passwd atrributes. If our "JAR server" (FTP, SVN, etc.) is authenticated, how do I configure the Ivy scripts to login?
I must echo Brian's recommendation to use a repository manager like Nexus. It's a lot less work in the long run. You'll also discover that the professional version of Nexus enables you to create approval processes around repositories which you plan to use in your build. See the procurement suite functionality.
If, on the other hand, you are determined to build your own repository, then ivy has the tools for the job. You need to become very familiar with the ivy settings file and how it declares and uses resolvers.
If repository is accessible via HTTPS the the url resolver should be able to access it. The resolver will assume that each version of an artifact is in a different directory and you'll need to specify the URL pattern that ivy will need to use when accessing the repository:
<url name="two-patterns-example">
<ivy pattern="http://ivyrep.mycompany.com/[module]/[revision]/ivy-[revision].xml" />
<artifact pattern="http://ivyrep.mycompany.com/[module]/[revision]/[artifact]-[revision].[ext]" />
</url>
The pattern is fully flexible to how you store the artifacts.
Authentication is also handled in the settings file using the credentials tag.
Finally, the FTP protocol is also supported. It's hard to find in the doco, but it's supported by the vfs resolver.
I think that's enough information on an option I don't recommend :-) Having said that I once created an FTP based repository for managing releases to clients. It's useful to have a tool this powerful :-)
Why not use something like Sonatype's Nexus. I've seen it used for Maven, and I believe it'll work for Ivy.
You can set it up to download from remote repositories into (say) a 'test' repository. You can then evaluate those .jars, and if they're good, upload them into an 'approved' repository for general consumption. There's some authentication surrounding this, but you'd have to evaluate that in greater depth. Certainly you can restrict the uploading into repositories via a username/password pair.

Using groups in mercurial's allow_read, allow_push etc

I was wondering if it is possible to use groups specified in e.g., an apache authgroup file in allow_read and/or allow_push etc.
So basically what I do is I am using apache with an authfile and authgroup file to authenticate users.
Now I want to restrict some repositories using allow_read from being shown to users in a specific group specified in the authgroup file.
Let's say I have sam, frodo and sauron in my auth file and I have a group hobbits containing sam and frodo in the authgroup file.
So instead of writing:
allow_read = frodo, sam
I tried
allow_read = #hobbits
but that does not seem to work. Does anybody know whether this is actually supported? The idea is if I have say 10 Repositories only readable for hobbits and I add a hobbit I only have to change the authgroup and auth file and not each repository hgrc file.
Thanks in advance
Mercurial does not have any builtin support for groups. There is a patch from a user that adds group support, but the coders seemed hesitant to include it by default, they want the contributor to make a plugin out of it instead. As of April 2013 they seem to have accepted it, but I still see no trace of it in the version currently shipped with Ubuntu (2.7).
Controlling groups in Apache, as suggested by Joel, doesn't give you any fine granular control when you have more than one repository, so it's no use (at least not for me).
I ended up using the open source tool SCM-Manager for it. SCM-Manager acts as a frontend for SVN, Git and Mercurial and has support for various user directories (including LDAP and Crowd) as well as its own user directory.
I'm using mod_proxy to integrate it in my Apache configuration and it works quite well.
It appears you'll need to do your group controlling in Apache rather than in hgrc files, as the documentation for hgrc mentions only user names.
You'll want to have a read of Configuring Apache on the Publishing Repositories page. Section 7.4 seems to contain the information you'll need to set up what you want.

Should I use an FTP server as a maven host?

I would like to host a Maven repository for a framework we're working on and its dependencies. Can I just deploy my artifacts to my FTP host using mvn deploy, or should I manually deploy and/or setup some things before being able to deploy artifacts? I only have FTP access to server I want to host the Maven repo on.
The online repository I want to use is not hosted by myself. As I say, I only have FTP access, so if possible, I would like to use that FTP space as a Maven repository. The tools mentioned seem to work when you have full control over the host machine, or at least more than just FTP access since you need to configure the local directories where the repositories will be placed. Is this possible?
You might want to have a look at Nexus, a Maven repository manager. We've replaced our local Maven repository with a Nexus-based one and find it tremendously useful.
I've successfully used Archiva as my repository for several years ... see http://archiva.apache.org/. It's easy to administer and allows you to configure as many repositories as you need (SNAPSHOT, internal, external, etc).
According to the book "Better Builds with Maven", the most common type of repository is HTTP, this paragraph describes what I think you need:
This chapter will assume the repositories are running from http://localhost:8081/ and that artifacts are deployed to the repositories using the file system. However, it is possible to use a repository on another server with any combination of supported protocols including http, ftp, scp, sftp and more. For more information, refer to Chapter 3.
A Maven 2 repository is simply a specific directory structure, so once you get the transport and server specifications right for the repository and deployment portion of your POMs, it should be completely transparent to your users.
You can even use Dropbox. All that you need is a public address to access the files generated with mvn deploy, with any of the protocols in the accepted answer.
I guess there are more services that can work in the same way, but I'm not certain about the URL schemes that alternatives to Dropbox may use.
https://maven.apache.org/wagon/wagon-providers/wagon-ftp/ will tell you that you can use ftp to read from an existing repository, but not to create a new one. I don't think that it is impossible in principle, but no one has cared to write all the fiddly code to do the directory management via ftp.