Access controls...
Parth Malwankar
parth.malwankar at gmail.com
Sun May 2 18:13:40 BST 2010
On Sun, May 2, 2010 at 7:42 PM, John Szakmeister <john at szakmeister.net> wrote:
> In my environment, we have the need for limiting access to various
> branches and projects. I've been working diligently to try and
> implement a Bazaar setup that allows us to do this, but have run into
> yet another hurdle.
>
> So, I have setup my server using a shared repository for each project,
> and placing the branches inside. I figured that would save us some
> space. Unfortunately, it opens another security hole.
>
> Let me explain: I've written a tool that sits in front of the smart
> server that will do some basic access controls (read, write, none).
> This works really well with plain branches (no shared repository).
> Unfortunately, with a shared repository in the mix, things get harder.
> It turns out that when you push to a branch, instead of proxying
> through <branch-url>/.bzr/smart, it opens a connection to the shared
> repository via <repository-url>/.bzr/smart.
>
> Now, it makes sense... the repository is there to store all the
> revisions. However, from an access control standpoint, this is
> bothersome. It makes it difficult to say things like "make trunk
> writable by just a few people". If someone was persistent enough,
> they could modify the repository directly, because I'd have to leave
> the repository url writeable so that other users can create branches
> and manipulate them. So this is either going to force me to use
> stacked branches (and given the issues I've had with them in the past,
> this makes me uncomfortable), or I'm going to have to use plain
> unstacked branches and waste more disk space.
>
> So, I'd like to put this question out there: has anyone set up a
> server that does NOT provide read-only access to everyone, but does
> provide read-only access to some individuals and write access to a
> selected group of people? Additionally, is it easy to maintain?
>
> Does any of this work better with SSH? Will it re-use the same
> session for accessing the shared repo instead of trying to open a new
> url?
>
Hi John,
I haven't tried it personally but there is some documentation on
setting up fine grained access here.
http://doc.bazaar.canonical.com/bzr.2.1/en/admin-guide/security.html#access-control
Is that something that might be useful?
Regards,
Parth
> Also, I saw this up on the wiki:
> <http://wiki.bazaar.canonical.com/Specs/ACLTransport>
>
> Has any more thought been given to it? How hard is it to write a new
> transport/server?
>
> Sorry for all the questions and the long email, but I really want to
> get this set up and working in our environment, and there are a lot of
> road blocks to getting there. :-(
>
> -John
>
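The gap John describes, modeled as an added example (not code from the thread or from Bazaar): a URL-prefix ACL check of the kind a front-end proxy might apply, plus an audit that flags branch rules which a shared-repository rule makes unenforceable. The ACL format, paths and user names are assumptions constructed for illustration; the only behaviour taken from the post is that a push reaches the server at `<repository-url>/.bzr/smart`.

```python
# Added illustration: names, paths and the ACL format are assumptions.
SMART_SUFFIX = "/.bzr/smart"
LEVELS = {"none": 0, "read": 1, "write": 2}

# Constructed sample policy: path prefix -> {user: level}; "*" is the default.
ACL = {
    "/proj": {"*": "write"},  # repository URL left writable so users can create branches
    "/proj/trunk": {"*": "read", "alice": "write"},
}

def location(request_path):
    """Strip the smart-server endpoint to get the branch or repository path."""
    if request_path.endswith(SMART_SUFFIX):
        return request_path[: -len(SMART_SUFFIX)] or "/"
    return request_path

def level_for(acl, user, path):
    """Longest-prefix match on whole path components; no matching rule means 'none'."""
    best, best_len = "none", -1
    for prefix, users in acl.items():
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            if len(prefix) > best_len:
                best, best_len = users.get(user, users.get("*", "none")), len(prefix)
    return best

def authorize(acl, user, request_path, op):
    """Decide on the URL the client actually connected to."""
    return LEVELS[level_for(acl, user, location(request_path))] >= LEVELS[op]

def unenforceable_rules(acl, repo, users):
    """Report (branch, user) pairs where the branch rule is stricter than the
    repository rule: writes arriving at the repository URL never hit the former."""
    findings = []
    for prefix in sorted(acl):
        if prefix != repo and prefix.startswith(repo.rstrip("/") + "/"):
            for user in users:
                if LEVELS[level_for(acl, user, prefix)] < LEVELS[level_for(acl, user, repo)]:
                    findings.append((prefix, user))
    return findings

if __name__ == "__main__":
    # bob is read-only on trunk, yet the request for a push names the repository URL.
    print(authorize(ACL, "bob", "/proj/trunk/.bzr/smart", "write"))
    print(authorize(ACL, "bob", "/proj/.bzr/smart", "write"))
    print(unenforceable_rules(ACL, "/proj", ["alice", "bob"]))
```

An empty result from `unenforceable_rules` means no branch rule under that repository depends on the branch URL being the only write path.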