bzr serve and access control?

[Josef Wolf]

Hello,

I am looking into ways to install bazaar with access control. AFAICS,
bzr-serve doesn't offer any access control by its own.

One way to get access control anyway, would be to use sshd's command="foobar"
option in authorized_keys file to start a "gatekeeper" script. This script is
passed the user name (can be deduced from the key). It then extracts more
information (which directory, read or write) from the SSH_ORIGINAL_COMMAND
environment variable. This information would be enough to implement
sophisticated access control.

I have implemented such a thing for git lately, and it works really great.

With git, implementing this is not a big deal, since the repository is
passed on the command line and different commands are run on different
access methods (git-upload-pack and git-upload-archive are run on read
access, git-receive-pack is run on write),

Unfortunately, bzr passes always the same parameters to bzr-serve, so there
is no way to find out which operation is to be done and which directory is
to be accessed.

Do I miss something important? How do I implement access control with bzr?
Any ideas?