Under Construction
Path-based access control (or path-based authorisation) is a feature that allows repository administrators to control access to parts of the repository (i.e., the path in the repository) for certain users or groups of users.


File Syntax

The syntax of the authz and groups files is similar to the syntax of Subversion's configuration files, but there are some important differences:

  • Authorisation files cannot be empty and must contain at least one section header.
  • Section and option names are case-sensitive.
  • Sections cannot be reopened; this means that rules can be defined only once.
  • Value expansion is not performed.
  • Default values, and the [DEFAULT] section itself, cannot be used.


Future change: SVN-4795 proposes changing how section headers are parsed.


Differences from previous versions:

  • Section and option names are case-sensitive since version 1.7; they were case-insensitive in previous versions.
  • Before version 1.10, rules could be redefined, and value expansion and [DEFAULT] values were supported.

Groups

Aliases

Rules

Formal Definition

The following is a formal definition of the authorisation file syntax, in BNF:

Subversion Authorisation File Syntax
<authz-file>    ::= <records> | <ignored> <records>
<ignored>       ::= <empty> | <comment> | <ignored> ( <empty> | <comment> )
<records>       ::= <section> | <records> <record>
<record>        ::= <empty> | <comment> | <section> | <entry>
<empty>         ::= <opt-space> <line-end>
<comment>       ::= "#" <opt-text> <line-end>
<section>       ::= "[" <section-name> "]" <opt-text> <line-end>
<entry>         ::= <option> | <option> <continued>
<option>        ::= <key> <opt-space> <key-sep> <opt-text> <line-end>
<continued>     ::= <continuation> | <continued> <continuation>
<continuation>  ::= <space> <text> <line-end>

<section-name>  ::= "groups" | "aliases" | <rule>
<rule>          ::= <opt-glob> <opt-repos> <path>
<opt-glob>      ::= ":glob:" | ""
<opt-repos>     ::= <repos> ":" | ""
<repos>         ::= <repos-char> | <repos> <repos-char>
<path>          ::= "/" | <path> <path-char>

<line-end>      ::= <LF> | <end-of-file>
<space>         ::= <space-char> | <space> <space-char>
<text>          ::= <non-space> | <text> <text-char>
<key>           ::= <key-start> | <key-start> <key-cont> <key-end>
<key-cont>      ::= <key-char> | <key-cont> <key-char> | ""
<opt-space>     ::= <space> | ""
<opt-text>      ::= <opt-space> <text> | ""
<end-of-file>   ::= (the end of the file)
 
; Character classes
<space-char>    ::= <BS> | <TAB> | <VT> | <FF> | <CR> | <SPC>
<text-char>     ::= (any character except <LF>)
<path-char>     ::= (any <text-char> except "]")
<repos-char>    ::= (any <path-char> except ":")
<non-space>     ::= (any <text-char> except <space-char>)
<key-sep>       ::= "=" | ":"
<key-start>     ::= (any <non-space> except <key-sep>, "#" and "[")
<key-end>       ::= (any <non-space> except <key-sep>)
<key-char>      ::= (any <text-char> except <key-sep>)
 
; Characters (ASCII and Unicode names)
<BS>            ::= U+0008  BACKSPACE
<TAB>           ::= U+0009  CHARACTER TABULATION
<LF>            ::= U+000A  LINE FEED
<VT>            ::= U+000B  LINE TABULATION
<FF>            ::= U+000C  FORM FEED
<CR>            ::= U+000D  CARRIAGE RETURN
<SPC>           ::= U+0020  SPACE
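
The restrictions listed under File Syntax and the line structure of the grammar above can be checked mechanically before an authz file is deployed. The linter below is an added example, not Subversion's own parser and not code from this page; the name `lint_authz` and the sample file are assumptions, and option values are not interpreted.

```python
import re

SPACE = "\b\t\v\f\r "   # <space-char>: BS, TAB, VT, FF, CR, SPC
RULE = re.compile(r"(:glob:)?([^:\]]+:)?/[^\]]*")   # <opt-glob> <opt-repos> <path>

def lint_authz(text):
    """Return [(line_number, message)]; line 0 marks a whole-file problem."""
    errors, seen, after_option = [], set(), False
    for n, line in enumerate(text.split("\n"), 1):   # <line-end> is LF only
        if line.strip(SPACE) == "" or line.startswith("#"):
            after_option = False                     # <empty> or <comment>
        elif line[0] in SPACE:                       # <continuation>
            if not after_option:
                errors.append((n, "continuation does not follow an option"))
        elif line.startswith("["):                   # <section>
            after_option = False
            name, close, _ = line[1:].partition("]")
            if not close:
                errors.append((n, "section header is missing ']'"))
            elif name == "DEFAULT":
                errors.append((n, "[DEFAULT] is not supported"))
            elif name not in ("groups", "aliases") and not RULE.fullmatch(name):
                errors.append((n, f"invalid section name {name!r}"))
            elif name in seen:                       # sections cannot be reopened
                errors.append((n, f"section [{name}] is defined twice"))
            seen.add(name)
        else:                                        # <option>
            after_option = True
            sep = re.search("[=:]", line)            # first <key-sep>
            if not seen:
                errors.append((n, "entry before the first section header"))
            elif sep is None or sep.start() == 0:
                errors.append((n, "option needs a key and '=' or ':'"))
    if not seen:
        errors.append((0, "file contains no section header"))
    return errors

# Constructed sample input, not taken from a real repository.
SAMPLE = ("[groups]\ndevs = alice,\n bob\n[Groups]\n[DEFAULT]\n"
          "[repo:/trunk]\n@devs = rw\n[repo:/trunk]\n* =\n")

if __name__ == "__main__":
    for n, msg in lint_authz(SAMPLE):
        print(f"line {n}: {msg}")
```

On the sample it reports the mis-cased `[Groups]`, the `[DEFAULT]` section and the second `[repo:/trunk]`.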

HowTo

Validating In-Repository Authorisation Files


References
