There's a difference between authentication and authorization.  Authentication
refers to the act of making sure a user is who they say they are (examples are
passwords, keys, SecurID, biometrics, ...).  Authorization refers to what that
user can do once they've been authenticated.

IMO, authentication should definitely be handled by an agent that's outside of
CVS.  Authentication is tough to get right even for security professionals, CVS
should stay out of this realm 'cos, chances are, it'll get it wrong.  Instead,
CVS should allow for pluggable authentication (eg CVS_RSH).

Depending on how fine-grained the authorization needs are, it may be delegated
to an outside agent (eg file permissions, file ACLs, wrapper scripts, ...).  If,
however, the authorization needs are too fine-grained (eg only these two users
are allowed to create branches off of this specific revision), it _must_ be
handled by the tool.

IMHO, the kind of authorization you're looking for can be handled by wrapper
scripts (although you'll have to do some work parsing the input) or via taginfo
scripts (a little better for what you're asking, but less general).  I think a
more elegant and general solution would be to have CVS handle command
authorizations since they are highly tied to the tool (eg if one were using a
wrapper script, one would have to keep up with any modifications to the existing
set of CVS commands).

Noel




[EMAIL PROTECTED] on 06/09/2000 07:43:50 AM

To:   [EMAIL PROTECTED]
cc:   (bcc: Noel L Yap)
Subject:  Command level access control





Is there any way to control access to certain CVS commands on a user by user
basis? We have been tightening the permissions on our repository and there
are certain users that should never be able to add a tag or at least change
an existing tag. Is this possible?

It would seem that this kind of control would go against recent threads on
this list about externalizing the authentication by requiring CVS to
understand more about users and permissions than it does now.

TIA
------------------------------------------------------
Tony Cleveland
Development Manager - MicroStation Schematics
Bentley Systems, Incorporated
voice: (301)926-0802 fax: (301)926-2313
email: [EMAIL PROTECTED]
------------------------------------------------------
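
A sketch of the taginfo approach suggested in the reply at the top of this thread, applied to the question's case of users who must never add or change a tag. This is an added example, not code from either poster or from the CVS project; the policy format, the user names and the function names are hypothetical, and it assumes access goes through CVS_RSH so that the OS account running the hook is the authenticated user.

```shell
#!/bin/sh
# Added example: taginfo hook enforcing per-user tag permissions.
# CVS calls the hook as:  <script> tagname op repository [file rev ...]
# where op is add (cvs tag), mov (cvs tag -F) or del (cvs tag -d).
# A non-zero exit status aborts the tag operation.
# Register it in CVSROOT/taginfo, e.g.:  ALL /hypothetical/path/tagacl.sh

# Constructed sample policy: "user:comma-separated allowed ops".
# Users that are not listed may not tag at all (default deny).
policy() {
cat <<'EOF'
alice:add,mov,del
bob:add
EOF
}

# tag_allowed USER OP -> exit status 0 if permitted, 1 otherwise.
tag_allowed() {
    user=$1
    op=$2
    # Deny anything that is not one of the three documented operations.
    case $op in add|mov|del) ;; *) return 1 ;; esac
    # Exact match on the user field, so "al" never matches "alice".
    ops=$(policy | awk -F: -v u="$user" '$1 == u { print $2; exit }')
    case ",$ops," in
        *",$op,"*) return 0 ;;
        *) return 1 ;;
    esac
}

taginfo_main() {
    tagname=$1
    op=$2
    repo=$3
    # Assumption: the hook runs under the account that the external
    # authentication agent (rsh/ssh via CVS_RSH) already authenticated.
    user=$(id -un)
    if tag_allowed "$user" "$op"; then
        return 0
    fi
    echo "taginfo: $user may not '$op' tag '$tagname' in $repo" >&2
    return 1
}

# Run as a hook only when CVS supplies its arguments.
if [ "$#" -ge 3 ]; then taginfo_main "$@"; exit $?; fi
```

The hook only sees tag operations that go through CVS, so anyone with direct write access to the repository files can still edit tags in the RCS files; file permissions or ACLs have to cover that path.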

