[Fwd: Re: Access control]

Jeffrey Cunningham jeffrey.k.cunningham at boeing.com
Tue Feb 27 18:31:38 GMT 2007


John Arbash Meinel wrote:
> Jeffrey Cunningham wrote:
>> John Arbash Meinel wrote:
>>> Jeffrey Cunningham wrote:
>>>> I am experimenting with using Bazaar to manage a software project at
>>>> work. Is there a way to control who has 'access rights' to the
>>>> repository? What I would like to see is two sets of privileges: one set
>>>> for developers who can both read and write the repository, and another
>>>> set for users who can only read. Ideally, specific users' privileges to
>>>> read (create a branch) from the repository could be revoked if they left
>>>> the company, for example.
>>>>
>>>> Thanks for any suggestions.
>>>>
>>>> -Jeff
>>> The short answer is that permissions are generally handled outside of
>>> bzr itself. Either by HTTP access permissions or by filesystem
>>> permissions.
>>>
>>>
>>> Generally, this is done using regular filesystem permissions. So if you
>>> use regular unix permissions, then you would set up 2775 on the
>>> directories. Which is rwx for User (doesn't really matter) rwx for Group
>>> (which is the devel group) and rx for everyone else. The 2 is the setgid
>>> bit, which keeps the files and directories owned by the original group.
>>>
>>> Which should work for anyone who you allow to access your particular
>>> machine over sftp. You can also set up HTTP authentication for read-only
>>> access.
>>>
>>> So another way to do it would be to only give users http access if you
>>> want them to have read-only access, and then allow them access over sftp
>>> if you want to give them read/write access. (sftp and/or bzr+ssh access).
>>>
>>>
>>> There is one further possibility if you want to install a bzr server on
>>> the machine over http, but it is a bit more involved, and until some of
>>> the 'hpss' changes land, doesn't help a lot yet.
>>
>> Thanks for the reply, John. I know how to control the access via ssh
>> combined with file permissions. For that piece of it I was fishing for
>> whether or not there was any administrative capability planned for BZR.
>>
>> But using apache to control read access looks like more of a problem.
>> The only way I know to do this would be to password protect reading the
>> url, and the problem with that is the difficulty in revoking access to
>> one user without forcing all the other users to learn a new password. I
>> can think of ways to program a different sort of webserver to do it, but
>> I was hoping it was on the developers' list of things to do.
> 
> At this point, we have shelved Access Control off to the side as being
> handled at a higher level.
> 
> You could configure apache to have a different password for everyone. I
> think you can even hook it into PAM, so that they can use the same
> passwords everywhere. I do remember that it can use a plain .htpassword
> file, or you can get trickier and authenticate against a full database.
> 
>> This is a great list, incidentally. Very civil.
>>
> 
> Thanks. Hopefully we can work out a way for you to get what you need. We
> aren't really looking into writing another access control mechanism that
> people are going to need to learn how to configure and keep up to date,
> and synchronize with their other access control mechanisms.  But if you
> have ideas about how this could be done, please post to the mailing list.
> 
>> Regards,
>>
>> Jeff Cunningham
>>
> 
> John
> =:->
> 
> PS> I'm replying off list because you did. But generally we recommend
> "reply-to-all" so that other people have a chance to join into the
> conversation.
> 


That's funny - I replied off-list because it looked to me like you had emailed me
off-list! I even looked in the extended email header and could find no
sign of the list. I just looked again - there is nothing. I think maybe
the list server is set up incorrectly. Usually there is a List-Id:
header and/or something like [bazaar-devel] in the subject, but not in
this case.

I agree about not wanting to have to implement
yet-another-access-control-mechanism. I'm not that familiar with what
all apache can do and am reading up on that right now. That might be the
best bet.

I'd really like to make this work. I have at least one other developer
here pretty excited about it.

-Jeff
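As an added example (not code from the thread or from bzr itself), the two controls John describes, written as small shell functions: the mode 2775 setgid repository directory for read/write developers, and a per-user htpasswd-style file for read-only HTTP users, from which one user can be revoked without anyone else having to learn a new password. The paths, the group name and the password hashes in the comments are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example; the repository path, group name and hash values are assumptions.
set -eu

# 1. Read/write access via filesystem permissions: the shared repository
#    directory gets mode 2775 (rwx user, rwx group, r-x other, setgid so that
#    branches created inside it keep the devel group rather than the creator's).
setup_shared_repo() {
    repo="$1"; group="$2"
    mkdir -p "$repo"
    chgrp "$group" "$repo"
    chmod 2775 "$repo"
}

# Symbolic mode string of a path (e.g. drwxrwsr-x), taken from ls so that it
# works on both GNU and BSD userlands.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# 2. Read-only access over HTTP via a per-user password file (one "user:hash"
#    line per reader, e.g. "alice:$apr1$constructedsalt$hash"). Because every
#    user has their own line, revoking one reader is deleting one line; the
#    other readers' passwords are untouched.
revoke_http_user() {
    pwfile="$1"; user="$2"
    grep -q "^$user:" "$pwfile" || return 1       # unknown user: report it, change nothing
    tmp="$pwfile.tmp.$$"
    grep -v "^$user:" "$pwfile" > "$tmp" || true  # grep -v exits 1 when no line remains
    mv "$tmp" "$pwfile"                           # replace atomically
}

# Usernames still allowed to read, one per line.
http_users() {
    cut -d: -f1 "$1"
}
```

Apache's own tool does the same revoke with `htpasswd -D <file> <user>`; the function above only makes the file mechanics visible.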