On Fri, Sep 27, 2013 at 12:40 AM, Ben Reser <b...@reser.org> wrote:
> On 9/26/13 12:45 PM, Mark Moe wrote:
>> We found that about half the performance issue was solved by using
>> "SVNPathAuthz off" while the other half was solved by skipping that
>> big revision when doing svn log -v. Just the sheer transfer of all
>> those lines of text was a big hit even with SVNPathAuthz off.
>
> First of all I would like to note that I wouldn't recommend anyone having
> performance problems with log and commits that changed a lot of paths
> implementing SVNPathAuthz off without putting some serious thought into this.

Except if you don't need path-based authorization of course :-). As "the book" says [1]: "Do you really need path-based access control?"

If you have large logical groups of people, and within those groups everyone more or less trusts each other, there is really no need to employ path-based authz. You can separate the large groups by using different repositories.

In our company we have around 100 developers. Though they are divided in different teams working on different parts, we don't see the need to authz-enforce the separation between teams. We just have one single repository for the entire development group, and rely on social convention for teams not stepping on each other's toes (without at least having a chat about it). We have a couple of security sensitive components, and those are put in a separate repository (restricted to a smaller group of people). A couple of other (non-IT) divisions within the company also have their own repository.

So far we haven't had the need to enable path-based authz, and just rely on 'Require ldap-group XXX' for full-access to the entire repository. Should the need arise, we can always add another <Location> to our httpd.conf, serving the same repository with path-based authz, via another URL. The "full-access group" can then still use the non-path-based-authz'ed path to the repository, while a larger audience might be able to access the same repository restricted by path-based authz.

[1] http://svnbook.red-bean.com/nightly/en/svn.serverconfig.pathbasedauthz.html

--
Johan
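
The two-URL layout described in the message above, as an added httpd.conf sketch that is not part of the original thread. The URL prefixes, repository path, LDAP URL, group DN and access-file path are placeholders, and it assumes mod_dav_svn, mod_authz_svn and mod_authnz_ldap are loaded.

```apache
# Added example; every path, hostname and DN below is a placeholder.

# URL 1: the "full-access group" only, without path-based authz.
<Location /svn/dev-full>
    DAV svn
    SVNPath /srv/svn/dev

    # No per-path authorization checks on this URL (faster "svn log -v").
    # The group requirement below is therefore the only access control here.
    SVNPathAuthz off

    AuthType Basic
    AuthName "Subversion (full access)"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid"
    Require ldap-group cn=svn-full-access,ou=groups,dc=example,dc=com
</Location>

# URL 2: the same repository for a larger audience, restricted per path.
<Location /svn/dev-restricted>
    DAV svn
    SVNPath /srv/svn/dev

    # SVNPathAuthz is left at its default (on); mod_authz_svn applies the
    # per-path rules in the access file to every path a request touches.
    AuthzSVNAccessFile /etc/svn/dev-authz.conf

    AuthType Basic
    AuthName "Subversion (path-restricted)"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid"
    Require valid-user
</Location>
```

Because both locations serve the same repository, anyone who satisfies the first block's `Require` line sees every path regardless of the access file, so membership of that group is what needs reviewing.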