Access control for shared repository

John Arbash Meinel john at arbash-meinel.com
Mon Dec 10 16:13:32 GMT 2007


John Arbash Meinel wrote:
> Balint Aradi wrote:
>>>>  I was thinking to write a Python wrapper in the spirit of hg-login [1]
>>>> in order to restrict access to selected repositories. One could specify
>>>> for each repository rw or r flags for users or group of users.
>>> I think that would be very helpful to have. I'm not super amazed at the perl
>>> script, but I guess it does what it needs to.
>> I've written something alike (in Python, of course):
> 
>>   http://www.bccms.uni-bremen.de/uploads/media/bzr_access
> 
>> However, that doesn't work, since it tries to extract the directory name
>> from the --directory option in the command passed to ssh. :-( This
>> means, permission control should be implemented in bzr itself, and not
>> added as a wrapper. I'm not sure, if there is any effort in that
>> direction going on.
> 
>>   Best regards
> 
>>     Bálint
> 
> 
> 
> Thanks Bálint. I would mention one possibility...
> 
> You could do:
> 
> local_repository_base = '/path/to/foo'
> 
> And then when you find the string "--directory=/" in the arguments, just
> replace that with: '--directory=/path/to/foo'
> 
> I did test this:
> 
>   bzr serve --directory=/Users/jameinel/dev/bzr
> 
>   bzr log bzr://localhost/bzr.dev
> 
> And it worked very well.
> 
> This also would address some of Andrew Cowie's complaint that they have to use
> extra-long URLs because we require absolute paths. Basically, the bzr_access
> wrapper gives a bit of a "chroot" to the bzr process which is spawned. It isn't
> exactly like a chroot, but the effect is very similar.
> 
> (Internally, we should be limiting all paths to only subdirectories of whatever
> is supplied to --directory, so it should be a reasonable thing to do.)
> 
> I might work out a patch for you.
> 
> Again, thanks for your efforts.
> 
> John
> =:->
> 

Hmm... In looking closer it looks like you are already doing this. Just doing
it by using a command-line argument. Specifically you seem to be using:

bzr_access /path/to/bzr /path/to/repository_collection username


So I guess what you are asking for is more of a way to give proper access to
individual sub-directories of "repository_collection".

I'll have to think about it a little bit. But certainly it should be possible.
I'm trying to think how to do it. Maybe by implementing an ACLTransport and
ACLServer instead of our current ChrootTransport and ChrootServer.

Right now we have _safe_relpath in ChrootTransport which makes sure that any
given request is always a child of the Chroot, so it can be passed to the
underlying transport safely.

ACLTransport would thus just add one more check that the relative path is
read-or-write allowed at that level.

There are some things that we need to think carefully about, though.

If you have a collection of branches in a shared repository, then to have write
access to one of them, you need write access to the repository. I don't think
this should be much of a problem, but people need to keep it in mind when
setting up their layout. (If you are enabling anonymous write access for some
subsection of your branches, you should make sure that they are separated off
into their own repository.) At the moment, the smart server still exposes a
virtual filesystem, with the ability to read and write directly to files. I
believe you can disable that completely, but I believe some operations will
then not work.

If it is just wanting to deny people write-access to the "trunk" branch,
though, it should work just fine. You can write data into the repository, but
you can't point the trunk branch at it.

John
=:->
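The two-layer check sketched in the message above, as an added Python example that is neither bzr's ChrootTransport code nor the bzr_access script: a chroot-style containment check (the role of _safe_relpath) followed by a per-directory read/write ACL lookup. The ACL layout, user names and paths are constructed for illustration; the '.bzr/repository' path stands for the shared repository data that every branch in the collection writes to.

```python
import posixpath

class AccessDenied(Exception):
    """Raised when a request escapes the chroot or fails the ACL."""

def safe_relpath(root, requested):
    """Chroot-style containment: normalise `requested` against `root` and
    return it relative to root, refusing anything that climbs out."""
    root = posixpath.normpath(root)
    inside = root if root.endswith('/') else root + '/'
    full = posixpath.normpath(posixpath.join(root, requested.lstrip('/')))
    if full != root and not full.startswith(inside):
        raise AccessDenied('path escapes chroot: %r' % requested)
    return '' if full == root else full[len(inside):]

def allowed_mode(acl, user, relpath):
    """Longest-prefix lookup: the entry for the deepest directory containing
    relpath wins. Returns 'r', 'rw' or '' (no access); '*' means everyone."""
    parts = relpath.split('/') if relpath else []
    for depth in range(len(parts), -1, -1):
        entry = acl.get('/'.join(parts[:depth]))
        if entry is not None:
            return entry.get(user, entry.get('*', ''))
    return ''

def check_access(root, acl, user, requested, mode):
    """Containment first, then ACL. mode is 'r' or 'w'. Returns the safe
    relative path on success and raises AccessDenied otherwise."""
    relpath = safe_relpath(root, requested)
    if mode not in allowed_mode(acl, user, relpath):
        raise AccessDenied('%s: no %s access to %r' % (user, mode, relpath))
    return relpath

def is_allowed(root, acl, user, requested, mode):
    """Boolean convenience wrapper around check_access."""
    try:
        check_access(root, acl, user, requested, mode)
        return True
    except AccessDenied:
        return False

# Constructed sample ACL for a repository collection. Keys are paths relative
# to the chroot root ('' is the collection itself); values map user -> flags.
SAMPLE_ACL = {
    '':        {'*': 'r'},                 # everyone may read the collection
    'trunk':   {'alice': 'rw', '*': 'r'},  # only alice may move trunk
    'sandbox': {'*': 'rw'},                # anyone may write the sandbox branch
}
```

With this ACL an anonymous push to 'sandbox' is still refused at '.bzr/repository' (covered by the '' entry), which is the shared-repository layout caveat raised above: branches meant for anonymous writes need their own repository.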