bzr serve and access control?

Eugene Wee crystalrecursion at gmail.com
Tue Feb 2 16:50:34 GMT 2010


Hi,

On Wed, Feb 3, 2010 at 12:27 AM, Josef Wolf <jw at raven.inka.de> wrote:
> The problem with bzr_access is that the /path/to/repository is directly
> associated with the ssh key. So if you want to give the same user access
> to a second repository, you have to ask him to create a second key. Ten keys
> for ten repositories. Then it starts to get really painful for the user,
> since they have to constantly add/remove their keys to ssh-agent or use
> ssh's -i option (BTW: how would they specify the ssh identity with bzr?)

I know. You mentioned it several times, and I discovered the problem
myself when I was first trying to find out how to do ssh access
control with bzr (there was a time when the bzr_access docs actually
talked about fine-grained control over subdirectories, but it was just
a sham). Unfortunately, I do not know how to specify the ssh identity
with bzr; I just add/remove keys as needed. That said...

> This method has the other drawback I wrote in my previous mail: users are
> not able to create new repositories on the fly. You always have to create
> the system account for the repository first.

Because I do not have a terribly large number of projects, I was able
to use a one project per ssh user approach effectively. So, what
bzr_access provides to you in this scenario is the possibility of
read/write access for some users and read-only access for others.

Basically, I think that this is a dead end for bzr access control via
ssh, at least along the lines that you are aiming for. You should look
into the use of other protocols with other access control mechanisms.

Regards,
Eugene Wee


