[cvsnt] required access rights to the raw repository
John Peacock
jpeacock at rowman.com
Tue Nov 5 22:13:11 GMT 2002
Bernhard Weichel wrote:
> I describe the scenario in more detail:
>
> 1. we have a fileserver in which I want to place the raw repository as well
> as a reference copy of the most recent version (for management which has no
> sandbox). The file server is professionally backed up. So all project data
> is maintained there. No application service is allowed on \\fs0007.
If you pitch cvsnt as a "server process" instead of an "application service" do
you think you could get your MIS department to install it? ;~)
>
> \\fs007\myproject\CVS-repository\workproducts
>
> \\fs007\myproject\reference-copy
The repository is only accessed by the server. Doesn't matter where you store
it, only the server needs access. You can place the "reference-copy" on any
drive (but I don't know what you want with it, no client needs it).
>
> 2. we will have an application server (called myappsvr) on which we will run
> the CVSNT service. The fileserver shares are mapped to drives there:
>
> r: is mapped to \\fs007\myproject\CVS-repository
>
> Repository prefix is set to r:/CVS-repository
Nope, doesn't work. A service cannot have a drive map, only a user.
This is also not how cvsnt operates; the repository must on a local drive to the
server process to prevent repository corruption.
Additionally, the repository encompasses projects, not vice versa. Your
architecture seems to be based on flawed understanding of how CVS itself works
(not just WinCVS).
>
>
> 3. each developer has his sandbox, lets say on C:
>
> c:\myproject
>
> The project manager will perform CVS update on the reference-copy on a
> regular basis (perhaps controlled by a scheduler. For this purpose, he will
> als map
>
> x: will be mapped to \\fs007\myproject\reference-copy
>
> and maintain a readonly sandbox here for reference purposes.
Again, I don't have any idea why you think you need a reference-copy. The
repository HEAD tag will always be the most recent changes. A tag can be
applied to the files at specific release intervals. A reference-copy is of no
use whatsoever to any developer.
>
> 4. because of the access policy, all project members have per default
> read/write access to \\fs007\myproject and its descendant directories.there
> is an NT group called myproject_team_members which controls the access to
> \\fs0007\myproject. It is all controlled by a domain controller. No local
> user accounts are used.
No project members require any access to the repository itself. Ever. You can
use the domain account rights to establish ACL's within the repository, but the
users never access the files directly. Only the server process accesses the
repository (with the rights of the appropriate user).
>
> 5. I want to make sure, that users do not use the raw CVS-Repository even if
> it is visible in the myproject. They should use
> CVSROOT=:sspi:mappsvr:/workproducts
> they shall not use
> CVSROOT=:local:\\fs007\myproject\CVS-repository\workproducts
The best way to do this is not to give the user any access to the repository at all.
>
> 6. I want that only the members of myproject_team_members may perform CVS
> operations on the CVS service provided by myappsvr. But they shall not
> manipulate files within \\fs0007\myproject\CVS-repository
>
> How can I setup this?
>
You cannot (at least with current CVS). You may want to read through something
like this link:
http://cvsbook.red-bean.com/
to learn about the philosophy of CVS.
John
--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4720 Boston Way
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5747
More information about the cvsnt
mailing list