...
- Manage the authorized_keys file of a user account, and allow public key authentication for SSH.
- Configure commit emails for a repository.
- Manage access control for a repository.
- Manage integration of a repository with other MAP infrastructure such as Bamboo.
- Receive a partial or complete dump file of a repository.
- Post a dump file to be loaded into a repository.
- Automatically provision a new repository for an existing -users and -admin ownership group, to facilitate one project per repository.
...
- Support for users without Kerberos principals. Touchstone and CAMS are prerequisites for this.
- -svnadmin groups (admin lists); these are subsets of -committers groups and control who has access to manage a repository through the web application. If a -svnadmin group does not exist, all members of the -committers group will have access. By default, the admin list is the committers group itself.
Issue: Security architecture and hook scripts
...
The third option is probably not acceptable to us, particularly after we add support for non-Kerberos users, but it's worth noting that web hosting has a similar security issue and most web hosting providers have taken the third approach.
Inventory of Configurable State
User configuration
- What public keys are allowed for SSH access
- Whether the MAP password exists and what it is
Group configuration
- Whether commit access through DAV is possible for repositories owned by this group
- Whether commit access through the svnserve daemon is possible for repositories owned by this group
- What this group's admin list is (not user-configurable)
- What this group's shell account is, if any (not user-configurable)
- The namespace prefix for automatic provisioning of repositories, if any (not user-configurable)
Repository configuration
Some of these can only apply to a repository using the standard hook scripts.
- Whether the repository is world-readable on the server (allows read-only DAV/svnserve access if commits through DAV/svnserve are disabled)
- The access control file for the repository
- Where commit emails for the repository go, if anywhere