ACLs and Web Interfaces
Jeff Abbott
fdiv_bug at sniping.org
Thu Mar 6 17:37:38 GMT 2008
Robert Collins wrote:
> On Tue, 2008-03-04 at 15:56 -0500, Jeff Abbott wrote:
>
>> I've tried bzr-webserve and loggerhead (running under mod_python rather
>> than as a separate daemon which is slooooooow), but neither of them seem
>> to support something like the [collections] section of hgweb's config,
>> nor do they effectively evaluate whether or not they can read from a
>> given repository path before showing it to a user. I could probably add
>> such functionality to bzr-webserve if need be, but I wanted to know
>> whether or not the Bazaar community had any other ideas.
>
> loggerhead has an auto discovery feature; I don't know about acl's, but
> I'd certainly think that apache's acl stuff should layer on top quite
> smoothly.
I hadn't realized it did have that feature with the auto_publish_folder
directive. Thanks for pointing that out! It also does honor the AFS
ACLs with the token of the user running the standalone daemon as well as
the logged-in user (via mod_auth_kerb and mod_waklog) when running with
mod_python. So, it does currently suit our needs quite well and I was
mistaken in having said it wouldn't.
However, it is basically unusably slow when running with mod_python, and
running it this way would almost be a necessity (the other option would
be CGI... blech) in order to have it present the proper repositories in
the context of the logged-in user with their Kerberos ticket; if it's
running as a standalone daemon then it's doing so with the AFS token (if
any) of whoever started the service, not as the user logged in via
mod_auth_kerb. I know it's kind of convoluted and a pain in the butt --
please let me know if I'm not explaining it well enough -- but we
absolutely need to be able to prevent some people from seeing some
branches; since Bazaar doesn't have its own ACL system then we're
leveraging the one we've got. It does seem to work well when using
tools designed to be run in-process with Apache, like my modified
bzr-webserve and hgweb, and if there were a way to make Loggerhead run
fast enough in the same way then I'm sure we could use it instead.
Since TurboGears and mod_python tuning are far from being my forte, so
there may be other things I could do to speed it up. bzr-webserve, for
what it's worth, works quite well with mod_python; I wouldn't call it
blindingly fast, but it's certainly very usable.
Thanks,
Jeff
More information about the bazaar
mailing list