bzr serve and access control?

Maritza Mendez martitzam at gmail.com
Fri Jan 29 01:37:08 GMT 2010 

fwiw...in a windows deployment I set up bzr-serve with ssh.  This was
a pain (if you have ever set up ssh with domain servers on windows you
know) and the result was so complex to maintain that I decided it was
safer to set ntfs permissions for 25 users.  It is a pain and having
some security in the network layer would be very nice.

~M


On 1/28/10, Josef Wolf <jw at raven.inka.de> wrote:
> Thanks for your quick response, Ben!
>
> On Fri, Jan 29, 2010 at 10:28:46AM +1100, Ben Finney wrote:
>> Josef Wolf <jw at raven.inka.de> writes:
>>
>> > I am looking into ways to install bazaar with access control. AFAICS,
>> > bzr-serve doesn't offer any access control by its own.
>>
>> Could you be more specific about what control you want?
>
> I want to set up a server with multiple remote repositories and have fine
> grained control who can read or write which repositories without creating
> real users on the server.
>
>> > Do I miss something important? How do I implement access control with
>> > bzr?
>>
>> As you are probably aware, Bazaar will be bound by the filesystem access
>> controls for the repository and branch, and the transport access
>> controls for network traffic.
>
> AFAICS, write access is possible only via sftp and bzr+ssh protocols. Since
> filesystem access is used here, I would have to create a login on the server
> for every user with access to any repository.
>
>> But it sounds like you want control over something else.
>
> Not at all. I just want to have it more fine-grained than filesystem
> controls
> and I don't want to create myriards of real users on the server just to give
> them access to one of the repositories.
>
> So the idea (that I actually implemented in git, and which works great) was
> to have one special user (e.g. bazaaruser) and all the ssh keys of all the
> real users would be put into ~bazaaruser/.ssh/authorized_keys like that:
>
>   command="bzraccess jw",more,options ssh-dss AAAB...ASD jw at raven
>
> With this entry, the bzraccess script is started whenever I try to access
> bzruser at raven. This script gets passed my real user name (jw), so it knows
> who I am. And this script can find out which command I tired to execute by
> checking the SSH_ORIGINAL_COMMAND variable.
>
> Given all that, if bzr would pass enough information when it calls the
> remote
> bzr-serv, the script would be able to do real sophisticated access checks.
>
>

More information about the bazaar mailing list