bzr_access installation and usage

John Szakmeister john at szakmeister.net
Sun Oct 18 10:23:17 BST 2009


On Sun, Oct 18, 2009 at 5:12 AM, Eugene Wee <crystalrecursion at gmail.com> wrote:
> Hi,
>
> On Sun, Oct 18, 2009 at 4:28 AM, Vincent Ladeuil <v.ladeuil+lp at free.fr> wrote:
>> You specify all the identity files you need (the keys you need
>> for all the repos you want to access) in your ~/.ssh/config file
>> and they will be tried until one succeeds.
>>
>> You use the key to enter the repo, no key, no repo, from there,
>> bzr_access limits your access or not, then your committer id is
>> really identifying you as the one creating the revisions you
>> push, so any key is good.
>
> Okay, after trying it out, I now remember the problem I had in mind
> when I stated that "with multiple repositories, I will need either
> multiple key pairs or multiple user accounts" last night. The problem
> is that the repository (collection) has to be provided as an argument
> to bzr_access so bzr_access can find the appropriate bzr_access.conf
> file. This means that if I have more than one repository, they all
> have to be under the same repository collection, and a user with
> access to one has access to all. As such, if I have another shared
> repository repo3, and I want to allow alice access to repo1 and repo3,
> I cannot stop her from also accessing repo2 if my setup only has one
> user account and one key pair per user.

Ah, I just read why too... the only section supported in
bzr_access.conf is [/].  If that were changed to support a path relative
to the collection, then you could point everyone to the same
collection of repositories, and filter off by which path they were
taking.  And since <user> is passed in on the command line via
command="..." in the authorized_keys file, you don't have to worry
about spoofing user names.

Seems like this would be a nice feature for bzr_access to grow.

-John
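
Added example, not part of the original thread and not bzr_access code: the per-path lookup proposed above, in Python, with the user name taken as a trusted argument the way command="..." supplies it. The [/repoN] sections, the rule that the most specific section naming the user wins, the default deny, and all function names are assumptions; how the requested path is obtained from the session is outside the example.

```python
import configparser
import posixpath

# Constructed sample. [groups] and [/] follow bzr_access.conf; the
# [/repoN] sections are the hypothetical extension (assumption).
SAMPLE_CONF = """
[groups]
admins = dave

[/]
@admins = rw

[/repo1]
alice = rw

[/repo2]
bob = rw

[/repo3]
alice = rw
@admins = r
"""

def load_acl(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep user names case-sensitive
    cp.read_string(text)
    return cp

def principals(cp, user):
    """The user name first, then '@group' for each group listing the user."""
    found = [user]
    if cp.has_section("groups"):
        for group, members in cp.items("groups"):
            if user in (m.strip() for m in members.split(",")):
                found.append("@" + group)
    return found

def permission(cp, user, path):
    """Return 'rw', 'r' or 'none' for a collection-relative path."""
    # Normalise before matching so 'repo1/../repo2' is judged as /repo2.
    path = posixpath.normpath("/" + path.lstrip("/"))
    names = principals(cp, user)
    while True:                   # walk from the most specific section up to [/]
        for who in names if cp.has_section(path) else ():
            if cp.has_option(path, who):
                perm = cp.get(path, who).strip()
                return perm if perm in ("r", "rw") else "none"
        if path == "/":
            return "none"         # nobody named this user: default deny
        path = posixpath.dirname(path)
```

The check only holds if the server then opens the same normalised path that was evaluated here.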


