Q: howto require per-branch authentication to commit or, push changes
Mark Hammond
skippy.hammond at gmail.com
Sat Apr 4 22:31:37 BST 2009

On 5/04/2009 2:50 AM, Adrian Wilkins wrote:
>> A lot of Windows shops would probably like to put bzr behind IIS and
>> configure NTLM or Kerberos security to control access giving them
>> password-less authentication and centralized user management.
>
> I'm using an IIS smart server with Basic authentication. One caveat is
> that certain versions of IIS don't support smart and dumb access at the
> same time without additional effort.

I've got a fair bit of experience with IIS versions 5 and up and have
never come across this - what problems were they?

> For per-branch authentication, you can write permissions into your WSGI
> handler (see http://bazaar-vcs.org/ServerGuide/IIS) ; this presumably
> also works on Apache using the same WSGI technique.
>
> You could also use Apache on Windows, which is paradoxically easier to
> get SSPI working on because the mod_sspi module offers Basic as well as
> NTLM.
>
> If bzr supported it, I'd love client SSL certificate auth, something
> that both Apache and IIS support.
>
> I've also successfully configured SSH on windows (using a package of a
> Cygwin OpenSSH build).

While the above are all likely interesting to different people, I doubt
they will meet the requirements of many "Windows shops" (as opposed to
"shops with Windows boxes") - such shops are unlikely to have ssh
certificates (as Windows provides an alternative that is easier and
works better for them), and probably have no idea what WSGI is -
probably not even what *Python* is. They likely already have a Windows
environment that works well for them, doesn't include ssl or apache, and
they will evaluate how well tools fit their *current* environment, not
how many options the tool offers to change it.

I'm obviously not trying to suggest anyone must do this, but just
sharing my experiences of the expectations of such environments. I've
spent the last few years working for a company providing paid enhanced
Windows support and products for Plone and Zope. While the free
open-source versions of these products did run on Windows, they simply
didn't have *enough* Windows support to meet their requirements, and
didn't mind paying money if it met their needs better. These
environments did not *want* Apache, and paid us good money for a proxy
cache vastly inferior to squid/varnish simply as it ran under IIS (oh -
and you didn't need a PhD to configure it ;) Of course, bzr may choose
to explicitly *exclude* such environments from their target user base,
but I think that would be short-sighted - one day these people may become
*real* programmers <wink>.

Cheers,
Mark
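
The per-branch permission check in a WSGI handler that the quoted text mentions, sketched as an added example; it is not part of the original message and is not bzr's or the ServerGuide's own code. It assumes the web server (IIS or Apache) has already authenticated the user and set REMOTE_USER; the ACL table, account names, branch paths and function names are hypothetical.

```python
# Constructed ACL (hypothetical): branch path -> accounts allowed per mode,
# stored lowercase in the form the web server puts in REMOTE_USER.
BRANCH_ACL = {
    "/projects/website": {"read": {"corp\\alice", "corp\\bob"},
                          "write": {"corp\\alice"}},
    "/projects/payroll": {"read": {"corp\\carol"}, "write": {"corp\\carol"}},
}
READ_METHODS = {"GET", "HEAD"}  # assumption: any other method may modify a branch


def find_branch(path):
    """Return the longest ACL path covering the request path, else None."""
    segments = [s for s in path.replace("\\", "/").split("/") if s]
    if ".." in segments:  # refuse traversal instead of trying to resolve it
        return None
    clean = "/" + "/".join(segments)
    matches = [b for b in BRANCH_ACL if clean == b or clean.startswith(b + "/")]
    return max(matches, key=len) if matches else None


def authorize(user, method, path):
    """Fail closed: unknown user, unknown branch or missing grant is a denial."""
    branch = find_branch(path)
    if not user or branch is None:
        return False
    mode = "read" if method in READ_METHODS else "write"
    return user.lower() in BRANCH_ACL[branch][mode]


def per_branch_auth(app):
    """Wrap a WSGI app; the web server must already have set REMOTE_USER."""
    def middleware(environ, start_response):
        allowed = authorize(environ.get("REMOTE_USER", ""),
                            environ.get("REQUEST_METHOD", ""),
                            environ.get("PATH_INFO", ""))
        if not allowed:
            body = b"Forbidden\n"
            start_response("403 Forbidden",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return middleware
```
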