Fisheye / Crucible: SVN Repository password storage and permissions Questions

Adam White August 2, 2013

1. Is there any way to not store a password in clear text for the repository config settings? We can see the user’s password in the Fisheye config file. We see this as a big security risk.

2. Is there any way for Fisheye to look up a user’s AD or SVN permission to determine what things they can see on the repository? We have an elaborate security scheme set up for our repository where only some users can see part of the repository. I realize that you can either add different parts of the repository using paths and give permissions that way, but it would get messy rather quickly given how our repository is set up.

4 answers

1 accepted

2 votes
Answer accepted
Nick
Atlassian Team
August 15, 2013

Hi Adam,

Regarding FishEye storing svn passwords in the config.xml: The following options are available to you:

  1. Make the config file only readable by the FishEye user. (Most recommended and robust option)
  2. Use svnsync to sync your svn repositories to the local FishEye server and then use the file:/// to allow FishEye to access your repositories. This will also be a performance boost for your instance.
  3. Configure the Native JavaHL client with FishEye, then log in to each svn server on the FishEye server as the same run user as FishEye. Svn will then cache the auth token and this will be used by FishEye when accessing the repo. You then don't need to enter a username or password in the repository configuration screen.

Hope this helps.

Regards

Nick Pellow.
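Option 1 above (config file readable only by the FishEye run user) is easy to get wrong after an upgrade or a restore from backup, so here is a small POSIX shell audit for it. This is an added example, not code from the page or from Atlassian; the config.xml layout used in the demo is constructed, and the run user is assumed to be the current uid unless one is passed in.

```shell
#!/bin/sh
# check_config_perms FILE [UID]
# Returns 0 when FILE is owned by UID (default: current uid) and has no
# group/other permission bits at all; returns 1 and prints the reason otherwise.
check_config_perms() {
    f=$1
    want_uid=${2:-$(id -u)}
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    # POSIX 'ls -ldn': field 1 is the mode string, field 3 the numeric owner uid
    set -- $(ls -ldn "$f")
    mode=$1
    have_uid=$3
    if [ "$have_uid" != "$want_uid" ]; then
        echo "wrong owner uid $have_uid (expected $want_uid): $f"; return 1
    fi
    # characters 5-10 of the mode string are the group and other rwx bits
    case "$(printf '%s' "$mode" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "group/other can access $f (mode $mode)"; return 1 ;;
    esac
}

# lock_down FILE [UID]: apply the recommended fix (owner read/write only), then re-check
lock_down() {
    chmod 600 "$1" && check_config_perms "$1" "$2"
}

# has_cleartext_password FILE: 0 if a password= attribute is present, so an
# admin can tell whether the file is worth protecting (constructed pattern;
# the real config.xml layout is not shown on the page)
has_cleartext_password() {
    grep -q 'password=' "$1"
}

# Demo on a constructed, obviously fake config (not a real FishEye config.xml)
demo() {
    tmp=$(mktemp -d)
    cfg="$tmp/config.xml"
    printf '<repository name="svn1"><svn url="https://svn.example.invalid/repo" username="fisheye" password="EXAMPLE-NOT-REAL"/></repository>\n' > "$cfg"
    chmod 644 "$cfg"   # the typical bad state: world-readable
    has_cleartext_password "$cfg" && echo "cleartext credential present in $cfg"
    if check_config_perms "$cfg"; then echo "unexpected: world-readable file passed"; fi
    lock_down "$cfg" && echo "ok: $cfg is now owner-only"
    rm -rf "$tmp"
}

demo
```

Run it as the FishEye run user (or pass that user's uid as the second argument) from cron or a config-management check so drift is caught, not just fixed once.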

Adam White August 15, 2013

Thank you Nick, that is very helpful. Do you have more information on #3?

We also have an issue where many of our developers have different permissions to the repository, in some cases it is rather elaborate. Do you have any suggestions for how to deal with this within Fisheye other than creating multiple paths/usernames for the repository?

0 votes
Adam White August 15, 2013

We can't be the only ones that find this unacceptable... There's got to be a workaround. Whoever has that password can technically copy the entire repository.

0 votes
Felipe Kraemer
Atlassian Team
August 2, 2013

Hi Adam,

As for 1.1, this was already requested here:

https://jira.atlassian.com/browse/CRUC-1415

Please take a look at Partha's comment about why this improvement will not be implemented.

As for 2.2, it is possible to configure LDAP restrictions for your repositories, but you can only allow or deny access to the entire repository, not to only parts of it.

I hope this helps!
