bzr serve and access control?
Andrew Bennetts
andrew.bennetts at canonical.com
Thu Feb 4 01:38:32 GMT 2010
Josef Wolf wrote:
> Hello,
>
> I am looking into ways to install bazaar with access control. AFAICS,
> bzr-serve doesn't offer any access control by its own.
>
> One way to get access control anyway, would be to use sshd's command="foobar"
> option in authorized_keys file to start a "gatekeeper" script. This script is
> passed the user name (can be deduced from the key). It then extracts more
> information (which directory, read or write) from the SSH_ORIGINAL_COMMAND
> environment variable. This information would be enough to implement
> sophisticated access control.
It would be possible to implement this for bzr. Launchpad in fact already
implements something like this for its code-hosting service, although for
various reasons the code is a lot more complicated than you'd need. The code is
found in lib/lp/codehosting in the Launchpad tree, especially
lib/lp/codehosting/vfs/branchfs.py.
If I were to implement this, it would look like this:
 * set command="bzr acl-serve /path/to/acl-config" in your authorized_keys,
 * have that config file define read/write permissions for various combinations
   of paths and users,
 * and write (and install system-wide) a plugin that implements 'bzr acl-serve'.
The plugin would:
 * register the 'acl-serve' command, which would:
   * parse the config file and determine the SSH user,
   * using that info register an 'aclbzr' server in
     bzrlib.transport.transport_server_registry, then
   * run 'bzr serve --inet --protocol=aclbzr --directory=something'
 * the 'aclbzr' server would be a function that works much like
   bzrlib.smart.serve.serve_bzr (the default implementation), but uses a
   custom transport decorator to enforce ACLs before passing requests to the
   underlying LocalTransport.
It's the custom transport part that is the key here. You could pretty easily
use PathFilteringTransport (from bzrlib.transport.pathfilter) to enforce “can
see this path or not”. You'd need to do something a little more complicated to
enforce “can only read from this path, regardless of filesystem permissions” I
think, but probably pretty easy by simply subclassing PathFilteringTransport and
overriding the handful of write methods (append_file, delete, delete_tree,
lock_read, mkdir, open_write_stream, put_file, rename, rmdir). The
ClueBzrServer mentioned elsewhere in this thread also uses a custom transport at
its core.
I'd be happy to elaborate further if someone is interested in implementing this.
I don't think it's actually very hard, but there's a fair bit of glue code
involved, as my terse description above suggests.
-Andrew.
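A sketch of the ACL-enforcing transport decorator Andrew describes, added here as an illustration and not code from this thread, from bzrlib or from Launchpad: the in-memory MemoryTransport stands in for LocalTransport so it runs without bzrlib, the ACL rule format (path prefix, user or '*', permission) and the NoSuchFile/PermissionDenied names are assumptions, and the write-method list is the one given in the post.

```python
class NoSuchFile(Exception):
    """Path is outside the user's visible tree, as PathFilteringTransport reports."""

class PermissionDenied(Exception):
    """Path is visible to the user but they hold no write permission on it."""

# The write-side methods named in the post; anything else is treated as a read.
WRITE_METHODS = {"append_file", "delete", "delete_tree", "lock_read", "mkdir",
                 "open_write_stream", "put_file", "rename", "rmdir"}

def resolve_permission(acl, user, path):
    """Return 'read', 'write' or None for (user, path). The longest matching
    prefix wins; a rule naming the user beats a '*' rule of the same length."""
    best = None
    for prefix, rule_user, perm in acl:
        if rule_user in (user, "*") and path.startswith(prefix):
            key = (len(prefix), rule_user == user)
            if best is None or key > best[0]:
                best = (key, perm)
    return best[1] if best else None

class MemoryTransport:
    """Constructed in-memory stand-in for bzrlib's LocalTransport."""
    def __init__(self, files=None):
        self.files = dict(files or {})
    def get(self, path):
        return self.files[path]
    def put_file(self, path, data):
        self.files[path] = data
    def rename(self, src, dst):
        self.files[dst] = self.files.pop(src)

class ACLTransport:
    """Decorator: hides paths the user cannot read, refuses writes without 'write'."""
    def __init__(self, base, acl, user):
        self._base, self._acl, self._user = base, acl, user
    def __getattr__(self, name):
        target = getattr(self._base, name)
        def guarded(path, *args, **kwargs):
            # rename touches two paths, so the destination is checked as well
            paths = [path] + ([args[0]] if name == "rename" else [])
            for p in paths:
                perm = resolve_permission(self._acl, self._user, p)
                if perm is None:
                    raise NoSuchFile(p)
                if name in WRITE_METHODS and perm != "write":
                    raise PermissionDenied(p)
            return target(path, *args, **kwargs)
        return guarded
```

Prefixes carry a trailing slash so that "/proj/" does not also match "/projx", and rename is checked on both of its paths, otherwise a user with write access to one directory could move files into one they may only read.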