ACLs and Web Interfaces

Jeff Abbott fdiv_bug at sniping.org
Thu Mar 6 17:37:38 GMT 2008


Robert Collins wrote:

> On Tue, 2008-03-04 at 15:56 -0500, Jeff Abbott wrote:
> 
>> I've tried bzr-webserve and loggerhead (running under mod_python rather 
>> than as a separate daemon which is slooooooow), but neither of them seems 
>> to support something like the [collections] section of hgweb's config, 
>> nor do they effectively evaluate whether or not they can read from a 
>> given repository path before showing it to a user.  I could probably add 
>> such functionality to bzr-webserve if need be, but I wanted to know 
>> whether or not the Bazaar community had any other ideas.
> 
> loggerhead has an auto discovery feature; I don't know about ACLs, but
> I'd certainly think that Apache's ACL stuff should layer on top quite
> smoothly.

I hadn't realized it did have that feature with the auto_publish_folder 
directive.  Thanks for pointing that out!  It also does honor the AFS 
ACLs with the token of the user running the standalone daemon as well as 
the logged-in user (via mod_auth_kerb and mod_waklog) when running with 
mod_python.  So, it does currently suit our needs quite well and I was 
mistaken in having said it wouldn't.

However, it is basically unusably slow when running with mod_python, and 
running it this way would almost be a necessity (the other option would 
be CGI... blech) in order to have it present the proper repositories in 
the context of the logged-in user with their Kerberos ticket; if it's 
running as a standalone daemon then it's doing so with the AFS token (if 
any) of whoever started the service, not as the user logged in via 
mod_auth_kerb.  I know it's kind of convoluted and a pain in the butt -- 
please let me know if I'm not explaining it well enough -- but we 
absolutely need to be able to prevent some people from seeing some 
branches; since Bazaar doesn't have its own ACL system then we're 
leveraging the one we've got.  It does seem to work well when using 
tools designed to be run in-process with Apache, like my modified 
bzr-webserve and hgweb, and if there were a way to make Loggerhead run 
fast enough in the same way then I'm sure we could use it instead.

TurboGears and mod_python tuning are far from being my forte, so 
there may be other things I could do to speed it up.  bzr-webserve, for 
what it's worth, works quite well with mod_python; I wouldn't call it 
blindingly fast, but it's certainly very usable.

Thanks,
Jeff
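
The check discussed in this message (only list a repository path if it can actually be read) can be sketched as below. This is an added example, not code from bzr-webserve, loggerhead or the poster; the function names and the sample tree are hypothetical and constructed. It assumes the code runs inside the request-handling process, so the probe is made with the logged-in user's credentials rather than those of whoever started a daemon.

```python
import os
import tempfile


def can_read_branch(path, listdir=os.listdir):
    """True only if the *current* credentials can list the branch's .bzr dir.

    The probe is a real read, so it reflects whatever the filesystem enforces
    (mode bits or ACLs) for the identity this process is running as.
    """
    try:
        listdir(os.path.join(path, ".bzr"))
        return True
    except OSError:
        # PermissionError, missing .bzr, stale handle: fail closed, hide it.
        return False


def visible_branches(root, listdir=os.listdir):
    """Return relative paths of branches under root that the caller may read."""
    found = []
    # Directories that cannot be listed raise inside os.walk; ignoring the
    # error skips them, which also fails closed.
    for dirpath, dirnames, _files in os.walk(root, onerror=lambda err: None):
        if ".bzr" in dirnames:
            if can_read_branch(dirpath, listdir):
                found.append(os.path.relpath(dirpath, root))
            dirnames[:] = []  # never descend into a branch or its .bzr
    return sorted(found)


def build_sample_tree():
    """Constructed sample layout: two readable branches and one restricted."""
    root = tempfile.mkdtemp(prefix="branches-")
    for name in ("public", "team/tools", "restricted"):
        os.makedirs(os.path.join(root, name, ".bzr"))
    os.makedirs(os.path.join(root, "docs"))  # plain folder, not a branch
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    os.chmod(os.path.join(root, "restricted", ".bzr"), 0)  # deny read
    print(visible_branches(root))
```

The `listdir` parameter exists so the denial path can be exercised without a real ACL-enforcing filesystem; in normal use the default `os.listdir` is the probe.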


