bzr serve and access control?

Maritza Mendez martitzam at gmail.com
Sun Jan 31 15:31:55 GMT 2010


Exactly.

On 1/30/10, Josef Wolf <jw at raven.inka.de> wrote:
> On Thu, Jan 28, 2010 at 07:12:10PM -0600, Neil Martinsen-Burrell wrote:
>> On 2010-01-28 16:57 , Josef Wolf wrote:
>>> Hello,
>>>
>>> I am looking into ways to install bazaar with access control. AFAICS,
>>> bzr-serve doesn't offer any access control on its own.
>>>
>>> One way to get access control anyway would be to use sshd's
>>> command="foobar" option in the authorized_keys file to start a
>>> "gatekeeper" script. This script is passed the user name (can be deduced
>>> from the key). It then extracts more information (which directory, read
>>> or write) from the SSH_ORIGINAL_COMMAND environment variable. This
>>> information would be enough to implement sophisticated access control.
>>>
>>> I have implemented such a thing for git lately, and it works really
>>> great.
>>>
>>> With git, implementing this is not a big deal, since the repository is
>>> passed on the command line and different commands are run on different
>>> access methods (git-upload-pack and git-upload-archive are run on read
>>> access, git-receive-pack is run on write).
>>>
>>> Unfortunately, bzr always passes the same parameters to bzr-serve, so
>>> there is no way to find out which operation is to be done and which
>>> directory is to be accessed.
>>>
>>> Am I missing something important? How do I implement access control with
>>> bzr? Any ideas?
>>
>> Check out
>> http://doc.bazaar.canonical.com/bzr.2.1/en/admin-guide/security.html#access-control
>> for a description of the bzr_access script that does precisely this.
>
> It's not the same. Users need a separate ssh key for every repository with
> this method.
>
>> There is
>> a limitation with respect to git because Bazaar does not pass a lot of
>> information in the initial command, relying instead on its wire protocol
>> after the session is initiated.
>
> Yeah, that's exactly the problem...
>
>
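
The git gatekeeper described in the quoted thread, sketched as an added example (not code from any poster or from the Bazaar project). The ACL contents, `REPO_ROOT`, the script path and the function names are assumptions; it handles only the git case, since the thread notes bzr sends the same command for every operation.

```python
import os
import shlex
import sys

REPO_ROOT = "/srv/git"  # assumption: where the repositories live
# Constructed ACL: user -> {repository: "r" or "rw"}
ACL = {
    "alice": {"projects/core.git": "rw", "projects/docs.git": "r"},
    "bob": {"projects/docs.git": "rw"},
}
# Access each git server command needs, as listed in the thread
NEEDS = {"git-upload-pack": "r", "git-upload-archive": "r",
         "git-receive-pack": "w"}


def authorize(user, original_command, acl=ACL):
    """Return (command, repo) if user may run it; raise PermissionError otherwise."""
    try:
        argv = shlex.split(original_command or "")
    except ValueError:
        raise PermissionError("unparsable command") from None
    if len(argv) != 2 or argv[0] not in NEEDS:
        raise PermissionError("only '<git command> <repository>' is accepted")
    command, repo = argv
    parts = repo.strip("/").split("/")
    # Refuse option-like arguments and any path that could leave REPO_ROOT
    if repo.startswith("-") or any(p in ("", ".", "..") for p in parts):
        raise PermissionError("bad repository path")
    repo = "/".join(parts)
    if NEEDS[command] not in acl.get(user, {}).get(repo, ""):
        raise PermissionError(f"{user}: {command} on {repo} denied")
    return command, repo


def main():
    # authorized_keys entry (one per key, user name fixed by the admin):
    #   command="/usr/local/bin/gatekeeper alice" ssh-rsa AAAA... alice's key
    user = sys.argv[1]
    try:
        command, repo = authorize(user, os.environ.get("SSH_ORIGINAL_COMMAND"))
    except PermissionError as exc:
        sys.exit(f"access denied: {exc}")
    os.execvp(command, [command, os.path.join(REPO_ROOT, repo)])


if __name__ == "__main__":
    main()
```

The user name comes from the `command=` string the administrator wrote, never from anything the client sends, so one key per user covers every repository the ACL grants.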


