ACLTransport and Other ACL Thoughts
Alexander Belchenko
bialix at ukr.net
Thu Feb 28 09:19:18 GMT 2008
I'll comment on some of your thoughts. But I could be wrong in some aspects.
Jeff Abbott wrote:
> Folks,
>
> In doing more thinking about ACLs in Bazaar, I was looking over the
> ACLTransport spec (http://bazaar-vcs.org/Specs/ACLTransport) and digging
> through source seeing what I could learn, and a thought occurred to me:
>
> Could this be done with a TransportDecorator?
I'm not an expert in bzr+http, but maybe (just maybe, as an idea) it's
better to implement it as a subclass (or maybe a mixin) of RemoteTransport?
So it will be more deeply pluggable into all bzr+*:// combinations?
> My inspiration came largely from ReadonlyTransportDecorator, except
> instead of universally saying "no" to some operations it would check a
> config file before doing so. I was figuring that
> .bzr/branch/branch.conf could be used for this purpose with sections like:
>
> [read]
> ** = *
>
> [write]
> ** = alice
> docs/* = bob, charlie
> src/** = david
>
> [deny]
> ** = edward
>
> In that example, everyone except edward would have "pull" and "branch"
> access, and the other people listed in the [write] section would have
> "push" access to the respective portions of the branch (i.e. alice can
> push to anywhere, bob and charlie can only push to the docs directory
> but none of its subdirectories, and david can push to src and anywhere
> below).
One problem here is that on the server you don't actually touch the working
tree for push/pull/branch/commit operations. So it seems that providing
fine-grained access within the working tree of one branch will be very hard,
because right now bzr works with a branch as a single whole.
But splitting a big project into subprojects will work fine. And it's the
easiest path IMO. Then the next step is using NestedTrees. Unfortunately bzr
still doesn't have them.
> I'm not sure if we'd need, or even want, that level of granularity, but
> it seems like it'd be better to implement that now rather than do it
> more coarsely and have to re-think things again in the future when
> someone finds a good case for it being more precise. I'm also not
> convinced that .bzr/branch/branch.conf is the right place for this
> information; perhaps .bzr/branch/access.conf would work better?
As I said above, it's better to place it at the repository level and control
access to particular branches.
> I've started fiddling with some code but I was wondering what other
> people thought of the idea of, say, ACLTransportDecorator, before I go
> too far along. If it turns out that doing it as a full-fledged
> ACLTransport would be the better choice then, John, if you're around,
> I'd be keen on working on that with you. Otherwise... where do we go
> from here?
>
> Thanks,
> Jeff
>
>
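
Added example, not part of the original message or of bzr's code: a sketch of how the [read]/[write]/[deny] policy quoted above could be evaluated, assuming '*' matches within one directory, '**' matches across directories, and a [deny] match overrides any grant. The function names are hypothetical, and it only decides on paths it is handed; it does not address how a server would learn which paths a push touches.

```python
import configparser
import re

# Constructed sample: the policy quoted in the message, as one string.
SAMPLE_POLICY = """
[read]
** = *
[write]
** = alice
docs/* = bob, charlie
src/** = david
[deny]
** = edward
"""

def glob_to_regex(pattern):
    """Assumed semantics: '*' stays within one directory, '**' crosses '/'."""
    parts = []
    for token in re.split(r"(\*\*|\*)", pattern):
        if token == "**":
            parts.append(".*")
        elif token == "*":
            parts.append("[^/]*")
        else:
            parts.append(re.escape(token))
    return re.compile("".join(parts) + r"\Z")

def load_policy(text):
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.optionxform = str  # keep path patterns case-sensitive
    parser.read_string(text)
    policy = {}
    for section in ("read", "write", "deny"):
        items = parser.items(section) if parser.has_section(section) else []
        policy[section] = [(glob_to_regex(pat), {u.strip() for u in users.split(",")})
                           for pat, users in items]
    return policy

def _listed(rules, user, path):
    return any(rx.match(path) and (user in users or "*" in users)
               for rx, users in rules)

def is_allowed(policy, user, action, path):
    """action: 'read' or 'write'. Assumption: a [deny] match overrides any grant."""
    if path.startswith("/") or ".." in path.split("/"):
        return False  # refuse paths that could escape the pattern they match
    if _listed(policy["deny"], user, path):
        return False
    return _listed(policy.get(action, []), user, path)
```

A user or path that matches no rule is refused, so the policy is default-deny.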