head	1.9;
access;
symbols
	TIGRIS_1_1_0RC2:1.9
	TIGRIS_1_1_0RC1:1.9
	TIGRIS_1_1:1.9.0.4
	TIGRIS_1_0_8:1.9
	TIGRIS_1_0_8RC3:1.9
	TIGRIS_1_0_8RC2:1.9
	TIGRIS_1_0_8RC1:1.9
	TIGRIS_1_0_7:1.9
	TIGRIS_1_0_7RC3:1.9
	TIGRIS_1_0_7RC2:1.9
	TIGRIS_1_0_7RC1:1.9
	TIGRIS_1_0_6:1.9
	TIGRIS_1_0_6RC5:1.9
	TIGRIS_1_0_6RC4:1.9
	TIGRIS_1_0_6RC3:1.9
	TIGRIS_1_0_6RC2:1.9
	TIGRIS_1_0_6RC1:1.9
	TIGRIS_1_0_5:1.9
	TIGRIS_1_0_5RC6:1.9
	TIGRIS_1_0_5RC5:1.9
	TIGRIS_1_0_5RC4:1.9
	TIGRIS_1_0_5RC3:1.9
	TIGRIS_1_0_5RC2:1.9
	TIGRIS_1_0_5RC1:1.9
	TIGRIS_1_0_4:1.9
	TIGRIS_1_0_3:1.9
	TIGRIS_1_0_2:1.9
	TIGRIS_1_0_1:1.9
	TIGRIS_1_0:1.9.0.6
	TIGRIS_1_0_0:1.9
	TIGRIS_1_0_0_RC1:1.9.0.2
	dlr:1.1.1
	TIGRIS_0_9_2_4:1.8
	TIGRIS_0_9_2_3:1.8
	HELM_PEER_PORT_BRANCH:1.1.1.1
	TURBINE_PEER:1.8
	TIGRIS_0_9_2_1:1.8
	TIGRIS_0_9_2:1.8.0.10
	TIGRIS_0_9_0:1.8.0.8
	TIGRIS_0_8_4:1.8.0.6
	TIGRIS_NOV_12_2000:1.8
	OLDHELM:1.8.0.4
	TIGRIS_NOV_11_2000:1.8
	TIGRIS_SEP_13_2000:1.8.0.2
	TIGRIS_BASELINE:1.8;
locks; strict;
comment	@# @;


1.9
date	2001.01.31.02.31.39;	author kfogel;	state Exp;
branches;
next	1.8;

1.8
date	2000.07.27.22.55.59;	author kfogel;	state Exp;
branches
	1.8.12.1;
next	1.7;

1.7
date	2000.07.27.20.42.32;	author kfogel;	state Exp;
branches;
next	1.6;

1.6
date	2000.07.24.20.57.39;	author kfogel;	state Exp;
branches;
next	1.5;

1.5
date	2000.06.13.20.27.13;	author kfogel;	state Exp;
branches;
next	1.4;

1.4
date	2000.06.10.22.52.35;	author kfogel;	state Exp;
branches;
next	1.3;

1.3
date	2000.06.10.18.10.27;	author kfogel;	state Exp;
branches;
next	1.2;

1.2
date	2000.06.09.21.24.44;	author kfogel;	state Exp;
branches;
next	1.1;

1.1
date	2000.06.09.20.46.58;	author kfogel;	state Exp;
branches
	1.1.1.1;
next	;

1.1.1.1
date	2001.02.21.00.28.09;	author dlr;	state Exp;
branches;
next	;

1.8.12.1
date	2001.02.17.18.49.51;	author leonardr;	state Exp;
branches;
next	;


desc
@@


1.9
log
@Mention collab-new-perms.patch, since it's the most important thing in
here. :-)
@
text
@What's here:

   1. collab-new-perms.patch: A big patch adding a MySQL/Tigris
      permissioning system to CVS.  This used to be called
      "cvs.patch", so if you run cvs log here to figure out the
      history of this change, make sure you read the history for
      "cvs.patch" as well as "collab-new-perms.patch".

   2. A script (cvs-locks) that hunts stale repository lockfiles and
      mails someone if it finds any. 

   3. Some customized scripts in root/ (to be driven from
      CVSROOT/*info), most notably log_accum.in.
@


1.8
log
@moved to releng/rpm/cvs/SOURCES/cvs-tigris.patch
@
text
@d3 7
a9 1
   1. A script (cvs-locks) that hunts stale repository lockfiles and
d12 1
a12 1
   2. Some customized scripts in root/ (to be driven from
@


1.8.12.1
log
@Merged in from head.
@
text
@d3 1
a3 7
   1. collab-new-perms.patch: A big patch adding a MySQL/Tigris
      permissioning system to CVS.  This used to be called
      "cvs.patch", so if you run cvs log here to figure out the
      history of this change, make sure you read the history for
      "cvs.patch" as well as "collab-new-perms.patch".

   2. A script (cvs-locks) that hunts stale repository lockfiles and
d6 1
a6 1
   3. Some customized scripts in root/ (to be driven from
@


1.7
log
@Sync up with dist CVS (prior to applying Ed's perm patch).
@
text
@d1 1
a1 1
There are several things here:
d3 2
a4 3
   1. A patch (cvs.patch) containing our local customizations to CVS.
   2. A script (cvs-locks) that hunts stale repository lockfiles.
   3. Some customized scripts in root/ (to be driven from CVSROOT/*info).
d6 2
a7 167
They are not related, this just seemed like a good place to put them
all.  Most are pretty self-explanatory, except #1, so the rest of this
README is about that one.

---------------------------------------------------------------------------
This patch allows the CVS server to authenticate off a MySQL database.

How To Build:
=============

   cd ccvs/                                       /* Top of CVS source tree */
   patch -p0 < ../wherever/cvs.patch              /* Apply this patch. */
   ./configure --enable-mysql --with-mysql=/usr   /* Configure. */
   make                                           /* Build. */
   make check                                     /* OPTIONAL: test local */
   make remotecheck                               /* OPTIONAL: test remote */
   make install                                   /* Install it. */


How To Use It:
==============

Put a line like this in /etc/inetd.conf:

   cvspserver stream tcp nowait tigrisc /usr/local/bin/cvs cvs -L \
   --allow-root=/home/tigrisc --allow-root=/cvs pserver

The new "-L" flag above comes from this patch.  It stands for "local
authentication", a somewhat unintuitive name for authenticating off a
MySQL database.  The reasons to go with the generic name are a)
compatibility with the larger patch from which this is derived, and b)
the new authentication mechanism is easily extendible to systems other
than MySQL.

Next, make the appropriate tables in MySQL.  Documentation on MySQL
authentication may be found in cvs.texinfo (after you apply the patch,
of course).  Search for "@@subsubheading Database Authentication".

Note that the relevant table in our Tigris database seems to have many
columns that our setup doesn't actually use, such as `unix_user'.
Although CVS *could* use that information, we don't tell it to, so
that column is basically ignored and CVS always runs as `tigrisc' (at
least as of 9 June 2000).


Notes On The Patch:
===================

This patch adds two new files, `local_auth.c' and `mysqlsubr.c', and
modifies many files to use the new routines.  This patch is derived
from a much larger patch that also added per-directory ownership and
permissions control in the repository.  We (Tigris) weren't using that
extra code, and it was creating spurious `owner' and `perms' files in
repository directories and possibly causing authentication problems.
So the patch was rewritten to do just MySQL authentication, plus a
skeleton to allow us to add per-directory control very easily (just
stick some more information in the database, and have CVS examine it).

No ChangeLog entries are included, because they almost always cause
conflicts when the patch is applied.  If this patch were ever checked
into the master CVS tree, then that would be the time to add the
ChangeLog entries.  Here is what they might say:

ccvs/ChangeLog:

	* config.h.in, configure, configure.in: changes for MySQL
	("local") authentication.
	Configure now takes --enable-mysql and --with-mysql=DIR options.

ccvs/doc/ChangeLog:

	* cvs.texinfo: document MySQL ("local") authentication.

ccvs/src/ChangeLog:

        * local_auth.c, mysqlsubr.c: new files, for MySQL ("local")
	authentication. 

        * Makefile.in, add.c, admin.c, checkout.c, client.c, commit.c,
	cvs.h, diff.c, edit.c, error.c, import.c, lock.c, log.c,
	main.c, mkmodules.c, parseinfo.c, patch.c, rcs.c, recurse.c,
	remove.c, rtag.c, server.c, status.c, tag.c, update.c,
	watch.c: changes for MySQL authentication.
	(verify_admin, verify_owner, verify_read, verify_write,
	verify_create): new functions.
	(start_recursion): take one of above as new argument.


How does CVS behave with this patch?
====================================

First, go read the new "Database Authentication" section in
cvs.texinfo.  Then, read this:

The three MySQL tables in question are

   domain_privs
   project_privs
   module_privs

with the column `commit_priv' set to either 'Y' or 'N'.  (The special
value `-' indicates the case where no row in that table matches this
user/project/module.)

Notice how domain privileges dominate, then project privs, then
finally module privs, and that it is possible to grant module privs
without granting wider project privs.

      =========
      domain  Y           <---- Result: can commit
      project Y
      module  -

      =========
      domain  Y           <---- Result: can commit
      project N
      module  -

      =========
      domain  N           <---- Result: can commit
      project Y
      module  -

      =========
      domain  N           <---- Result: CAN NOT COMMIT
      project N
      module  -

      =========
      domain  Y           <---- Result: can commit
      project Y
      module  Y
      
      =========
      domain  Y           <---- Result: can commit
      project Y
      module  N
      
      =========
      domain  Y           <---- Result: can commit
      project N
      module  Y
      
      =========
      domain  N           <---- Result: can commit
      project Y
      module  Y
      
      =========
      domain  Y           <---- Result: can commit
      project N
      module  N
      
      =========
      domain  N           <---- Result: can commit
      project Y
      module  N
      
      =========
      domain  N           <---- Result: can commit
      project N
      module  Y
      
      =========
      domain  N           <---- Result: CAN NOT COMMIT
      project N
      module  N
@


1.6
log
@be more accurate
@
text
@d5 1
a5 1
   3. Some customized scripts in root/ (to be driven from CVSROOT/loginfo).
d7 3
a9 3
They are not related, this just seemed like a good place to put them.
All but #1 are pretty self-explanatory, so the rest of this README is
about the patch.
@


1.5
log
@New lock-scrunger script for Niels (in progress).
@
text
@d1 1
a1 1
There are two things here:
d5 1
d7 3
a9 3
They are not related, this just seemed like a good place to put them
both.  The script is pretty self-explanatory, so the rest of this
README is about the patch.
@


1.4
log
@Document new behavior, by showing the results from the testing matrix.
@
text
@d1 10
@


1.3
log
@Tweak a few things in local_auth.c, in preparation for debugging the
domain_privs vs project_privs issue.
@
text
@d82 81
@


1.2
log
@Add "--with-mysql=/usr" to configure instructions.
@
text
@d63 1
a63 1
	Configure now takes --enable-mysql option.
@


1.1
log
@Modify patch to just do MySQL stuff, removed the in-repos
per-directory perm control code.

The following excerpt from README explains it in more detail:

--------------------8-<-------cut-here---------8-<-----------------------

Notes On The Patch:
===================

This patch adds two new files, `local_auth.c' and `mysqlsubr.c', and
modifies many files to use the new routines.  This patch is derived
from a much larger patch that also added per-directory ownership and
permissions control in the repository.  We (Tigris) weren't using that
extra code, and it was creating spurious `owner' and `perms' files in
repository directories and possibly causing authentication problems.
So the patch was rewritten to do just MySQL authentication, plus a
skeleton to allow us to add per-directory control very easily (just
stick some more information in the database, and have CVS examine it).

No ChangeLog entries are included, because they almost always cause
conflicts when the patch is applied.  If this patch were ever checked
into the master CVS tree, then that would be the time to add the
ChangeLog entries.  Here is what they might say:

ccvs/ChangeLog:

	* config.h.in, configure, configure.in: changes for MySQL
	("local") authentication.
	Configure now takes --enable-mysql option.

ccvs/doc/ChangeLog:

	* cvs.texinfo: document MySQL ("local") authentication.

ccvs/src/ChangeLog:

        * local_auth.c, mysqlsubr.c: new files, for MySQL ("local")
	authentication.

        * Makefile.in, add.c, admin.c, checkout.c, client.c, commit.c,
	cvs.h, diff.c, edit.c, error.c, import.c, lock.c, log.c,
	main.c, mkmodules.c, parseinfo.c, patch.c, rcs.c, recurse.c,
	remove.c, rtag.c, server.c, status.c, tag.c, update.c,
	watch.c: changes for MySQL authentication.
	(verify_admin, verify_owner, verify_read, verify_write,
	verify_create): new functions.
	(start_recursion): take one of above as new argument.
@
text
@d6 7
a12 7
   cd ccvs/                            /* Go to top of CVS source tree */
   patch -p0 < ../wherever/cvs.patch   /* Apply this patch. */
   ./configure --enable-mysql          /* Configure with DB support. */
   make                                /* Build. */
   make check                          /* OPTIONAL: test local */
   make remotecheck                    /* OPTIONAL: test remote */
   make install                        /* Install it. */
@


1.1.1.1
log
@Replacing the HEAD with the HELM_PEER_PORT_BRANCH.
@
text
@d1 1
a1 1
What's here:
d3 2
a4 5
   1. collab-new-perms.patch: A big patch adding a MySQL/Tigris
      permissioning system to CVS.  This used to be called
      "cvs.patch", so if you run cvs log here to figure out the
      history of this change, make sure you read the history for
      "cvs.patch" as well as "collab-new-perms.patch".
d6 7
a12 2
   2. A script (cvs-locks) that hunts stale repository lockfiles and
      mails someone if it finds any. 
d14 68
a81 2
   3. Some customized scripts in root/ (to be driven from
      CVSROOT/*info), most notably log_accum.in.
@


