Issues related to authentication and authorization in a centralized workflow

John Arbash Meinel john at arbash-meinel.com
Thu Jan 8 16:49:31 GMT 2009



Marcin Zajaczkowski wrote:
> Hi,
> 
> 
> I'm experimenting with a migration from Subversion to Bazaar, because I
> see the advantages of a distributed VCS. Nevertheless, it's important for me
> to stay with a centralized workflow.
> The main problem I'm meeting is related to authentication and authorization.
> In the current environment there is authentication based on LDAP and the
> ability to specify who has the right to access a given project.

So in general, it seems like you want 3 values for a given user:

1) Completely hidden
2) Read only access
3) Read write access

It also sounds like you are doing this on a "per project" basis (versus
per-branch, or some other dividing line).

To start with, I would make sure that each "project" has its own Bazaar
repository. There are other ways to group it, but that is the easiest.

Going out from there, there are a few possibilities.

a) As mentioned elsewhere, there is at least some amount of integration
between HTTP(S) access (via Apache) and LDAP authentication. I don't
know that Apache is smart enough to be able to use custom fields in LDAP
to indicate access.

b) Use bzr+ssh with a custom script, similar to "bzr_access". This is,
   essentially, how Launchpad does it. (Technically they start with a
   custom SSH server.)

   Basically, you use ssh's ability to restrict connections to always
   run a specific program. In the 'bzr_access' example, we also used the
   fact that you can customize this program based on the ssh key
   used.

   Right now, bzr_access uses a config file (bzr_access.conf) to
   determine the read/read-write ability for different users. This would
   need to be changed to contact your LDAP server and query it.

   The easiest way to get it working *right now* would be to use a
   custom group/user for each project (one with -readwrite and one with
   -readonly access), and then have the custom program seteuid() to the
   appropriate user after connecting.


   However, there is also this spec around:
     http://bazaar-vcs.org/Specs/ACLTransport
   which sounds like it would fit quite easily with what you want. At
   the moment, nobody has stepped forward to implement it, because it
   hasn't gotten high enough on someone's priority list.

   I honestly think it would take only a couple days to really
   implement, and I would be happy to mentor someone who was interested
   in doing so.

John
=:->



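One shape of the forced-command wrapper described under (b), as an added example that is not part of the original post and not the bzr_access script from the bzr source: each authorized_keys entry pins a key to `command="bzr_gate <user> <project>"`, the gate maps that pair to one of the three levels from the mail (hidden, read only, read write) and execs `bzr serve --inet` with `--allow-writes` only for read-write users. The repository layout, the gate's path, and the in-memory ACCESS table standing in for the LDAP query are assumptions.

```python
#!/usr/bin/env python3
"""Forced-command gate for bzr+ssh (added example, not the bzr_access script).

Assumed authorized_keys entry, one line per key:
  command="/usr/local/bin/bzr_gate alice projA",no-pty,no-port-forwarding ssh-rsa AAAA...
sshd then runs this script for every connection made with that key; whatever
the client asked to run arrives only in SSH_ORIGINAL_COMMAND.
"""
import os
import sys

REPO_ROOT = "/srv/bzr"  # assumed: one Bazaar repository per project under here
BZR = "/usr/bin/bzr"    # assumed path of the bzr executable

# Constructed stand-in for the LDAP query the mail says bzr_access would need;
# the levels are the three from the mail: hidden, readonly, readwrite.
ACCESS = {
    "projA": {"alice": "readwrite", "bob": "readonly"},
    "projB": {"alice": "readonly"},
}

def lookup_level(user, project):
    """Unknown users and unknown projects fall through to 'hidden'."""
    return ACCESS.get(project, {}).get(user, "hidden")

def serve_argv(user, project):
    """Restricted 'bzr serve --inet' argv for this key, or None to deny.
    The client's own command line is ignored: the gate picks the directory."""
    level = lookup_level(user, project)
    if level == "hidden":
        return None
    argv = [BZR, "serve", "--inet", "--directory=" + os.path.join(REPO_ROOT, project)]
    if level == "readwrite":
        argv.append("--allow-writes")
    return argv

def main():
    if len(sys.argv) != 3:
        sys.exit("usage: bzr_gate <user> <project>")
    if not os.environ.get("SSH_ORIGINAL_COMMAND", "").startswith("bzr serve"):
        sys.exit("only bzr serve is permitted on this key")
    argv = serve_argv(sys.argv[1], sys.argv[2])
    if argv is None:
        sys.exit("access denied")
    os.execv(argv[0], argv)  # replace the gate with the restricted server

if __name__ == "__main__":
    main()
```

A hidden user and a read-only user both see the same "access denied" versus read-only server, so the project's existence is revealed only to users who are at least read-only; the seteuid() variant from the mail would replace the `--allow-writes` decision with a switch to the per-project user.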