bzr serve and access control?
Neil Martinsen-Burrell
nmb at wartburg.edu
Fri Jan 29 01:12:10 GMT 2010
On 2010-01-28 16:57 , Josef Wolf wrote:
> Hello,
>
> I am looking into ways to install bazaar with access control. AFAICS,
> bzr-serve doesn't offer any access control on its own.
>
> One way to get access control anyway would be to use sshd's command="foobar"
> option in authorized_keys file to start a "gatekeeper" script. This script is
> passed the user name (can be deduced from the key). It then extracts more
> information (which directory, read or write) from the SSH_ORIGINAL_COMMAND
> environment variable. This information would be enough to implement
> sophisticated access control.
>
> I have implemented such a thing for git lately, and it works really great.
>
> With git, implementing this is not a big deal, since the repository is
> passed on the command line and different commands are run on different
> access methods (git-upload-pack and git-upload-archive are run on read
> access, git-receive-pack is run on write).
>
> Unfortunately, bzr always passes the same parameters to bzr-serve, so there
> is no way to find out which operation is to be done and which directory is
> to be accessed.
>
> Am I missing something important? How do I implement access control with bzr?
> Any ideas?
Check out
http://doc.bazaar.canonical.com/bzr.2.1/en/admin-guide/security.html#access-control
for a description of the bzr_access script that does precisely this.
There is a limitation with respect to git because Bazaar does not pass a
lot of information in the initial command, relying instead on its wire
protocol after the session is initiated.
-Neil
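
The gatekeeper approach described in the quoted message for git, as an added example (not code from either poster and not the bzr_access script). The ACL contents, REPO_ROOT and the script path in the authorized_keys comment are constructed for illustration. Anything that is not one of the three git transfer commands is refused, which is also what happens to a bzr session, since its command names neither the repository nor the operation.

```python
import os
import posixpath
import shlex
import sys

# Constructed policy for illustration: repo -> {user: "r" or "rw"}.
ACL = {
    "project.git": {"alice": "rw", "bob": "r"},
}

# Access mode implied by each git server-side command (as listed in the post).
MODES = {
    "git-upload-pack": "r",
    "git-upload-archive": "r",
    "git-receive-pack": "w",
}

REPO_ROOT = "/srv/git"  # hypothetical location of the repositories


def authorize(user, original_command, acl=ACL):
    """Return the argv to exec if allowed, otherwise raise PermissionError."""
    try:
        argv = shlex.split(original_command or "")
    except ValueError:
        raise PermissionError("unparsable command")
    if len(argv) != 2 or argv[0] not in MODES:
        # Covers interactive logins and anything that is not a git transfer,
        # including bzr, whose command names neither repository nor operation.
        raise PermissionError("command not permitted")
    # Normalise the requested path; only names present in the ACL are accepted,
    # so traversal attempts such as "../../etc" never match.
    repo = posixpath.normpath(argv[1].lstrip("/"))
    if repo.startswith("..") or repo not in acl:
        raise PermissionError("unknown repository")
    granted = acl[repo].get(user, "")
    if MODES[argv[0]] not in granted:
        raise PermissionError("access denied")
    return [argv[0], posixpath.join(REPO_ROOT, repo)]


if __name__ == "__main__":
    # Constructed authorized_keys entry, one per key, user name as argument:
    #   command="/usr/local/bin/gatekeeper.py alice",no-pty ssh-ed25519 AAAA...
    try:
        argv = authorize(sys.argv[1], os.environ.get("SSH_ORIGINAL_COMMAND"))
    except (PermissionError, IndexError) as exc:
        sys.exit(f"gatekeeper: {exc}")
    os.execvp(argv[0], argv)
```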