Issues related to authentication and authorization in a centralized workflow

Marcin Zajaczkowski mszpak at wp.pl
Thu Jan 8 13:41:19 GMT 2009 

Hi,


I'm experimenting with a migration from Subversion to Bazaar, because I 
see advantages of distributed VCS. Nevertheless it's important for me to 
stay with a centralized workflow.
The main problem I meet is related to authentication and authorization.
In current environment there is an authentication based on LDAP and an 
ability to specify who has the rights to access to given project.

After review the options available for Bazaar it seems the best would be 
SSH access. I don't like it very much because though SSH there is 
usually very direct access to files and the repository could be 
seriously damaged by an accident.
I have read about "bzr serve", but it seems to have lack of any 
authorization at all.
I have seen a contributed script bzr_access, but it is rather an 
expedient solution and seems to require using certificated to login (in 
my infrastructure there is an LDAP password based authentication and 
would be troublesome to introduce certs just for Bazaar).
Using SSH would also force me to use two groups (for read and RW) for 
every project (probably repository in Bazaar terminology), together with 
SGUID on a directory.

I have seen the tutorial about centralized workflow in Bazaar [1], a 
chapter in the User Guide about smart server [2] and a few posts on the 
list related to that problem, but I would like to ask about a few things.


1. Is there something more I can do (to achieve similar to SVN 
centralized environment) than use SSH and remote bzr calling with 
bzr_ssh_path_limiter and SGUID?
2. Is there planned to add any embedded solution to deal with 
authorization issue?
3. Is it possible to using Bazaar with SSH authentication and passwords 
(instead of keys) without a need to enter password on every operation?
4. I wonder how complex open source projects and companies using Bazaar 
deal with mentioned issues? Is there only Merge Manager and separate 
"production" branch without access for "normal" developers a solution?


[1] - 
http://doc.bazaar-vcs.org/bzr.dev/en/tutorials/centralized_workflow.html
[2] - 
http://doc.bazaar-vcs.org/bzr.dev/en/user-guide/index.html#running-a-smart-server


Best regards
Marcin

More information about the bazaar mailing list