bzr serve and access control?
Josef Wolf
jw at raven.inka.de
Sat Jan 30 15:15:24 GMT 2010
On Thu, Jan 28, 2010 at 07:12:10PM -0600, Neil Martinsen-Burrell wrote:
> On 2010-01-28 16:57 , Josef Wolf wrote:
>> Hello,
>>
>> I am looking into ways to install bazaar with access control. AFAICS,
>> bzr-serve doesn't offer any access control by its own.
>>
>> One way to get access control anyway, would be to use sshd's command="foobar"
>> option in authorized_keys file to start a "gatekeeper" script. This script is
>> passed the user name (can be deduced from the key). It then extracts more
>> information (which directory, read or write) from the SSH_ORIGINAL_COMMAND
>> environment variable. This information would be enough to implement
>> sophisticated access control.
>>
>> I have implemented such a thing for git lately, and it works really great.
>>
>> With git, implementing this is not a big deal, since the repository is
>> passed on the command line and different commands are run on different
>> access methods (git-upload-pack and git-upload-archive are run on read
>> access, git-receive-pack is run on write),
>>
>> Unfortunately, bzr passes always the same parameters to bzr-serve, so there
>> is no way to find out which operation is to be done and which directory is
>> to be accessed.
>>
>> Do I miss something important? How do I implement access control with bzr?
>> Any ideas?
>
> Check out
> http://doc.bazaar.canonical.com/bzr.2.1/en/admin-guide/security.html#access-control
> for description of the bzr_access script that does precisely this.
It's not the same. Users need a separate ssh key for every repository with
this method.
> There is
> a limitation with respect to git because Bazaar does not pass a lot of
> information in the initial command, relying instead on its wire protocol
> after the session is initiated.
Yeah, that's exactly the problem...
More information about the bazaar
mailing list