[RFC] proposed client command-line interface for dealing withACL

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

CVS CLIENT COMMAND-LINE INTERFACE TO ACL
=========================================

Notation used in this document:

  <user>

        CVS user name, a-la UNIX username.  E.g.:

                alice
                bob-johnson

  <group>

        CVS group name, a-la UNIX group, with leading "percent" (this
        is subject to discussion).  E.g.:

                %devel
                %support-staff

        There are special groups called %all and %nobody with obvious
        meaning.

  <users>

        Comma-separated list of <user>s and <group>s.  Note that there
        could be a whitespace after the comma.  E.g.:

                alice, bob-johnson, %devel.

  <files>

        Space-separated list of files in current directory (for the
        "acl" subcommand) or from the top of repository (for the
        "racl" subcommand).

  <dirs>

	Space-separated list of directories in current directory (for
	the "acl" subcommand) or from the top of repository (for the
	"racl" subcommand).  Each directory should have trailing
	"slash" character for clarity.

  <file-perms>

        Comma-separated list of branch-level file permissions.  E.g.:

                checkin
                checkout

        There are common aliases for that: "ci", "co".

  <dir-perms>

        Comma-separated list of directory permissions.  E.g.:

                access
                modify

  <module-perms>

        Comma-separated list of module-level permissions.  E.g.:

                tag
                tag:PREFIX
                branch
                branch:PREFIX   (questionable, but simple to
                                 implement)

        The "tag:PREFIX" construct permits some user creating tags
        with names starting from PREFIX.  Rationale: you could give
        release engineer rights to create tags with names starting
        from "RELEASE".  

Command lines for groups management:

a. Creating a group:

	$ cvs group create <group>

b. Deleting a group:

	$ cvs group delete <group>

   Note that when you delete a group which is listed somewhere in ACLs
   of some directory or a file it is not deleted from there: those
   entries are just ignored.  This could turn out to be a caveat.
   There should probably be an "ACL checker" that should be run from
   time to time that cleans up obsolete entries.

c. Adding users (or entire groups) to a group:

	$ cvs group add <users>

   Note that adding of entire groups is "symlink-style", not
   "copying-style".

d. Deleting users (or entire groups) to a group:

	$ cvs group remove <users>

Command lines for ACL management:

Note that there are two flavours of the "acl" subcommand: "acl" and
"racl".  The latter is used outside any working copy and requires that
files and directory names be specified starting from the top-level
repository directory.

a. Setting ACL on files:

        $ cvs acl <users> <file-perms> <files>

b. Setting ACL on directories:

        $ cvs acl <users> <dir-perms> <dirs>

c. Setting default file ACLs:

        $ cvs acl <users> default::<file-perms> <dirs>

   (The "default::" line is used there verbatim.)

d. Setting ACL on modules:

        $ cvs acl <users> <module-perms> <modules>

Notes:

Please not that "recursive" operations are not implemented, and that's
intentionally.  Use default file operations instead.  Remember that
directory permissions are checked from the top.

--alexm