Hi Eric,

In the current release, yes, you'll need to have a different installation
per repository if you want this level of restriction. Patching LDAP/AD is an
option, though an annoying one certainly. You could also require that users
create a new account manually on that server if that would work, though it
means no central password management.

Access control is a goal for the 1.6 release. I am currently implementing
support for invite-only groups, which would prevent users from either
joining a group or seeing review requests sent only to that group unless
they've been added by an administrator.

The next task I have planned is to do the same for repositories. After this
goes in, you'd be able to set a setting on each repository limiting the
users/groups that can view review requests on it. In this setup, you would
only need a single Review Board installation, with each repository entry set
to be locked down. Any users that join would be unable to view any of the
review requests until added to the repository. You wouldn't need to lock
down LDAP/AD, as even if they had an account on the server, they wouldn't be
able to access anything.

I'm hoping to have this done within two weeks, and it would be part of the
first 1.6 alpha.

Christian

-- 
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com


On Mon, Nov 1, 2010 at 4:31 PM, Eric Johnson
<ericjohn...@alumni.brown.edu>wrote:

>  We have numerous subversion servers in our organization, specifically so
> that we can have different access controls for each repo.
>
> I'm trying to figure out if the way I'm thinking of deploying ReviewBoard
> even makes sense, and if it does, I've got some questions.
>
> Specifically, we want to make sure that the people allowed to access a
> given repository in any way is just as restricted in reviewboard as it is in
> Subversion.  For Subversion, each repository has a list of owners, and we
> generate the access control list for svn from those files.
>
> For ReviewBoard, I'm planning to have a reviewboard configuration for each
> Subversion repository (a separate database, primarily), and different
> subsets of Apache configuration for each repository.  Each reviewboard
> configuration needs to authenticate against LDAP, and prepopulate the list
> of users allowed for that review instance.
>
> Does this make sense?  Is there a better way?
>
> It looks like, to prepopulate users, I can write a script that will update
> the tables in MySQL.  Is this a safe assumption?
>
> How can I prevent people who have valid Active Directory credentials from
> logging in?  It looks like the LDAP support in backends.py will
> automatically add users, but that's not what I want.  Looks like the way to
> prevent that is to patch the LDAP auth already there so that it doesn't
> automatically create users.  Is there some other way?  Should I submit an
> enhancement to disallow automatic creation of accounts?
>
> Thanks for any help/direction you can offer.
>
> -Eric Johnson
>
> --
> Want to help the Review Board project? Donate today at
> http://www.reviewboard.org/donate/
> Happy user? Let us know at http://www.reviewboard.org/users/
> -~----------~----~----~----~------~----~------~--~---
> To unsubscribe from this group, send email to
> reviewboard+unsubscr...@googlegroups.com<reviewboard%2bunsubscr...@googlegroups.com>
> For more options, visit this group at
> http://groups.google.com/group/reviewboard?hl=en

-- 
Want to help the Review Board project? Donate today at 
http://www.reviewboard.org/donate/
Happy user? Let us know at http://www.reviewboard.org/users/
-~----------~----~----~----~------~----~------~--~---
To unsubscribe from this group, send email to 
reviewboard+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/reviewboard?hl=en

Reply via email to