Issues related to authentication and authorization in a centralized workflow
Marcin Zajaczkowski
mszpak at wp.pl
Thu Jan 8 13:41:19 GMT 2009
Hi,
I'm experimenting with a migration from Subversion to Bazaar, because I
see advantages of distributed VCS. Nevertheless it's important for me to
stay with a centralized workflow.
The main problem I meet is related to authentication and authorization.
In the current environment there is authentication based on LDAP and an
ability to specify who has the rights to access a given project.
After reviewing the options available for Bazaar it seems the best would be
SSH access. I don't like it very much because through SSH there is
usually very direct access to files and the repository could be
seriously damaged by accident.
I have read about "bzr serve", but it seems to lack any
authorization at all.
I have seen a contributed script bzr_access, but it is rather an
expedient solution and seems to require using certificates to log in (in
my infrastructure there is LDAP password-based authentication and
it would be troublesome to introduce certs just for Bazaar).
Using SSH would also force me to use two groups (for read and RW) for
every project (probably repository in Bazaar terminology), together with
SGID on a directory.
I have seen the tutorial about centralized workflow in Bazaar [1], a
chapter in the User Guide about smart server [2] and a few posts on the
list related to that problem, but I would like to ask about a few things.
1. Is there something more I can do (to achieve an environment similar to
centralized SVN) than use SSH and remote bzr calling with
bzr_ssh_path_limiter and SGID?
2. Is there a plan to add any embedded solution to deal with
the authorization issue?
3. Is it possible to use Bazaar with SSH authentication and passwords
(instead of keys) without a need to enter a password on every operation?
4. I wonder how complex open source projects and companies using Bazaar
deal with the mentioned issues? Is a Merge Manager and a separate
"production" branch without access for "normal" developers the only solution?
[1] http://doc.bazaar-vcs.org/bzr.dev/en/tutorials/centralized_workflow.html
[2] http://doc.bazaar-vcs.org/bzr.dev/en/user-guide/index.html#running-a-smart-server
Best regards
Marcin
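
Added example, not part of the original post and not Bazaar's own code: an SSH forced-command gate in Python for the setup the post describes. It recognises the client's request without executing it, confines `bzr serve` to one project directory, and passes `--allow-writes` only for members of the project's RW group. The group names (`<project>-ro`, `<project>-rw`), `REPO_ROOT`, the `BZR` path and all function names are assumptions.

```python
import grp, os, pwd, shlex, sys

BZR = "/usr/bin/bzr"     # assumed install path
REPO_ROOT = "/srv/bzr"   # assumed layout: one directory per project
# Command line the bzr client requests over SSH for bzr+ssh:// URLs.
CLIENT_COMMAND = ["bzr", "serve", "--inet", "--directory=/", "--allow-writes"]

class AccessDenied(Exception):
    pass

def build_server_argv(user, project, original_command, groups):
    """Return the argv to exec for this session, or raise AccessDenied.

    groups maps a group name to the set of its member login names.
    """
    # Recognise the client's request, but never execute its text.
    try:
        requested = shlex.split(original_command or "")
    except ValueError:
        requested = None
    if requested != CLIENT_COMMAND:
        raise AccessDenied("only the bzr smart server may be started")
    if not project.isalnum():  # no slashes or dots can reach the path
        raise AccessDenied("invalid project name")
    writers = groups.get(project + "-rw", set())
    readers = groups.get(project + "-ro", set()) | writers
    if user not in readers:
        raise AccessDenied("%s may not access %s" % (user, project))
    argv = [BZR, "serve", "--inet", "--directory=%s/%s" % (REPO_ROOT, project)]
    if user in writers:  # without this flag the smart server is read-only
        argv.append("--allow-writes")
    return argv

def nss_members(name):
    """Supplementary members of a system group (e.g. LDAP via NSS), or empty."""
    try:
        return set(grp.getgrnam(name).gr_mem)
    except KeyError:
        return set()

if __name__ == "__main__":
    project = sys.argv[1]  # fixed by the administrator in the forced command
    user = pwd.getpwuid(os.getuid()).pw_name
    groups = {g: nss_members(g) for g in (project + "-ro", project + "-rw")}
    try:
        argv = build_server_argv(
            user, project, os.environ.get("SSH_ORIGINAL_COMMAND"), groups)
    except AccessDenied as exc:
        sys.exit("denied: %s" % exc)
    os.execv(argv[0], argv)
```

sshd applies a forced command to password logins as well as key logins, so the gate itself does not require certificates or keys. The process still runs as the logged-in user, so the filesystem group permissions on the project directory remain the underlying control.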