Access control for shared repository

John Arbash Meinel john at arbash-meinel.com
Mon Dec 10 15:29:46 GMT 2007


Balint Aradi wrote:
>>>  I was thinking to write a Python wrapper in the spirit of hg-login [1]
>>> in order to restrict access to selected repositories. One could specify
>>> for each repository rw or r flags for users or group of users.
>> I think that would be very helpful to have. I'm not super amazed at the perl
>> script, but I guess it does what it needs to.
> 
> I've written something alike (in Python, of course):
> 
>   http://www.bccms.uni-bremen.de/uploads/media/bzr_access
> 
> However, that doesn't work, since it tries to extract the directory name
> from the --directory option in the command passed to ssh. :-( This
> means, permission control should be implemented in bzr itself, and not
> added as a wrapper. I'm not sure, if there is any effort in that
> direction going on.
> 
>   Best regards
> 
>     Bálint
> 
> 

Thanks Bálint. I would mention one possibility...

You could do:

  local_repository_base = '/path/to/foo'

And then when you find the string "--directory=/" in the arguments, just
replace that with: '--directory=/path/to/foo'

I did test this:

  bzr serve --directory=/Users/jameinel/dev/bzr

  bzr log bzr://localhost/bzr.dev

And it worked very well.

This also would address some of Andrew Cowie's complaint that they have to use
extra-long URLs because we require absolute paths. Basically, the bzr_access
wrapper gives a bit of a "chroot" to the bzr process which is spawned. It isn't
exactly like a chroot, but the effect is very similar.

(Internally, we should be limiting all paths to only subdirectories of whatever
is supplied to --directory, so it should be a reasonable thing to do.)

I might work out a patch for you.

Again, thanks for your efforts.

John
=:->
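
Added example, not part of the original message and not code from bzr_access: a sketch of the rewrite described above, written as a function an ssh forced-command wrapper could call on the string sshd exposes in SSH_ORIGINAL_COMMAND. It assumes the client asks for "bzr serve --inet --directory=/ --allow-writes"; the names rewrite_command, Rejected and LOCAL_REPOSITORY_BASE are hypothetical, and the sample commands are constructed.

```python
import shlex

# Assumed base directory, as in the message above; adjust per deployment.
LOCAL_REPOSITORY_BASE = "/path/to/foo"


class Rejected(Exception):
    """The requested command is not the expected 'bzr serve' invocation."""


def rewrite_command(original, base=LOCAL_REPOSITORY_BASE, writable=False):
    """Return the argv to exec instead of the client's requested command.

    original: the command string the ssh client asked to run.
    base:     directory the spawned bzr process is confined to.
    writable: True if this user holds the rw flag for the repository.
    """
    try:
        argv = shlex.split(original)
    except ValueError as exc:  # unbalanced quotes and similar
        raise Rejected(str(exc))
    if argv[:2] != ["bzr", "serve"]:
        raise Rejected("only 'bzr serve' is permitted")

    out = ["bzr", "serve"]
    seen_directory = False
    for arg in argv[2:]:
        if arg == "--directory=/" and not seen_directory:
            # The "chroot"-like step: pin the served root to the base.
            out.append("--directory=" + base)
            seen_directory = True
        elif arg == "--inet":
            out.append(arg)
        elif arg == "--allow-writes":
            if writable:  # read-only users silently lose write access
                out.append(arg)
        else:
            # Anything else, including --directory=/some/other/path or a
            # repeated --directory, is refused rather than passed through.
            raise Rejected("unexpected argument: %r" % arg)
    if not seen_directory:
        raise Rejected("missing --directory=/")
    return out


if __name__ == "__main__":
    # Constructed sample commands.
    for cmd in ("bzr serve --inet --directory=/ --allow-writes",
                "bzr serve --inet --directory=/etc"):
        try:
            print(rewrite_command(cmd))
        except Rejected as exc:
            print("rejected:", exc)
```

The wrapper would exec the returned list directly (for example with os.execvp) rather than passing a string to a shell, so nothing in the client's command is reinterpreted.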
