Access control for shared repository

Balint Aradi balint.aradi at bccms.uni-bremen.de
Mon Dec 10 16:52:22 GMT 2007


Dear John,

>> I've written something alike (in Python, of course):
> 
>>   http://www.bccms.uni-bremen.de/uploads/media/bzr_access
> 
>> However, that doesn't work, since it tries to extract the directory name
>> from the --directory option in the command passed to ssh. :-( This
>> means, permission control should be implemented in bzr itself, and not
>> added as a wrapper. I'm not sure, if there is any effort in that
>> direction going on.
> 
> Thanks Bálint. I would mention one possibility...
> 
> You could do:
> 
> local_repository_base = '/path/to/foo'
> 
> And then when you find the string "--directory=/" in the arguments, just
> replace that with: '--directory=/path/to/foo'
> 
> I did test this:
> 
>   bzr serve --directory=/Users/jameinel/dev/bzr
> 
>   bzr log bzr://localhost/bzr.dev
> 
> And it worked very well.

  I agree, this indeed solves the issue with the absolute paths.
However, what happens if the given ssh account contains many
repositories, and you would like to give people access rights to the
different repositories individually?

  When sshd starts the wrapper script, you don't know which repository
the user would like to access, since the --directory option coming
through ssh always contains "/". So, the users have access either to all
repositories or to none of them. Alternatively, you could ask them to
use a separate ssh key for accessing each repository, or one could
create separate accounts for separate repositories, but neither of those
solutions really matches my taste.

  Therefore, in my opinion, the access control should rather be
implemented inside bzr. (bzr serve could look up an optional
authorization file and then decide if the incoming query is served or
not. This would be pretty similar to what svnserve is doing for subversion.)

  Best regards

    Bálint


-- 
Dr. Bálint Aradi
Bremen Center for Computational Materials Science, University of Bremen,
TAB A/3.10, Am Fallturm 1, 28359 Bremen, Germany, Tel.: +49 421 2187421
http://www.bccms.uni-bremen.de/en/employees/b_aradi/
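
A forced-command wrapper along the lines discussed in this thread, as an added example (not part of the original message and not the bzr_access script linked above): it discards the client's --directory value and substitutes a root chosen per SSH key. The key-owner names, paths, authorized_keys entry and the exact client command line are assumptions.

```python
import os
import shlex
import sys

# Constructed policy: key owner -> (served root, may write). Paths are hypothetical.
POLICY = {
    "alice": ("/srv/bzr/project-a", True),
    "bob": ("/srv/bzr/project-a", False),
}
# Assumed client command: bzr serve --inet --directory=/ --allow-writes
PASS_THROUGH = {"--inet", "--allow-writes"}


class Denied(Exception):
    """The requested command is outside what this key may run."""


def rewrite_command(key_owner, original_command):
    """Return the argv to exec for this key, or raise Denied."""
    if key_owner not in POLICY:
        raise Denied("no policy for key owner %r" % key_owner)
    root, may_write = POLICY[key_owner]
    try:
        argv = shlex.split(original_command)
    except ValueError:
        raise Denied("unparsable command")
    if argv[:2] != ["bzr", "serve"]:
        raise Denied("only 'bzr serve' is permitted")
    out = ["bzr", "serve", "--directory=" + root]
    for arg in argv[2:]:
        if arg.startswith("--directory="):
            continue  # client-supplied path is discarded, never trusted
        if arg not in PASS_THROUGH:
            raise Denied("unexpected argument %r" % arg)
        if arg == "--allow-writes" and not may_write:
            continue  # bzr serve is read-only without this flag
        out.append(arg)
    return out


if __name__ == "__main__":
    # Assumed authorized_keys entry: command="/usr/local/bin/bzr_wrap alice" ssh-rsa ...
    try:
        cmd = rewrite_command(sys.argv[1], os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    except (Denied, IndexError) as exc:
        sys.exit("access denied: %s" % exc)
    os.execvp(cmd[0], cmd)  # no shell is involved, so metacharacters are inert
```

The decision is made per key and per root only: every branch below the substituted root is reachable by that key, which is the granularity limit the message describes.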
