Access controls...

John Szakmeister john at szakmeister.net
Sun May 2 20:42:48 BST 2010


On Sun, May 2, 2010 at 2:25 PM, John Arbash Meinel
<john at arbash-meinel.com> wrote:
[snip]
> I don't remember the project right now, but there was someone who did
> most of the ACLTransport work. It shouldn't be particularly hard to
> implement yourself if we can't find it.

I'd definitely be interested in this work.

> In general, I would leave the repository open for writing to anyone who
> has access to write to a branch in that repo. I don't really know how
> you could be more fine-grained there.
>
> However, that shouldn't make it harder for you to prevent them from
> updating the 'trunk' branch. Yes, they can push data to the shared repo,
> but it goes 'unused' unless it is referenced by a branch. So I'm not
> sure why you need to proxy through the Branch.

It makes it harder to configure safely because I need a rule that says:
   Allow authenticated users to write to /url/for/my/project and below

And then turn around and add another that restricts trunk to just a few people:
   Allow bob and john access to /url/for/my/project/trunk, everyone else gets read-only

Then I need to rinse and repeat for each of the stable branches.

These rules make access wide-open by default.  I'd rather it be the
other way around.  Limit access by default (write access to trunk for
some, read only for others), and then open up the branches area for
everyone else:

   Allow bob and john access to /url/for/my/project, read-only for everyone else
   Allow everyone write access to the branches area (/url/for/my/project/branches)

But I can't do the latter since I don't know when the repository
access is tied to accessing a branch under /url/for/my/project.  I'm
stuck with the first version instead.

I'm not saying it can't be done, just that this behavior is making it
hard to configure and get right.  And I was surprised by the client
accessing the repo directly.  To me, it's a behind-the-scenes choice
about how I wanted to store my data.  I was surprised that it was
exposed on the wire at all.  But it has another implication: it also
means I can't truly have a branch that is readable by only a few
people.  They could simply download the repo and find the heads
themselves.  It doesn't happen much, but we've had to do such a thing
on occasion.  The only way to get around it here is to force the
branch to not use the shared repo.

In the end, what I'm saying is that I wish it were easier to host
Bazaar with access controls, and that there was some documentation
about what I can and cannot limit access to.  The process of getting
things hosted has taken much longer than I think it should have.  :-(

-John
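An added illustration of the two rule orderings discussed in the message (example code written for this page, not from the thread or from Bazaar's ACLTransport): a toy longest-prefix ACL evaluator in which a push must be permitted both on the branch path and on the shared repository root, which is the behaviour the post describes. The rule format, user names and paths are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, FrozenSet

PROJECT = "/url/for/my/project"  # shared repository root from the post


@dataclass(frozen=True)
class Rule:
    path: str                        # URL prefix the rule covers
    users: Optional[FrozenSet[str]]  # None means "everyone"
    perm: str                        # "rw" or "ro"


def _matches(rule: Rule, path: str) -> bool:
    # Exact match or a path strictly below the rule's prefix.
    return path == rule.path or path.startswith(rule.path.rstrip("/") + "/")


def evaluate(rules: List[Rule], user: str, path: str) -> str:
    """Most specific (longest) prefix wins; at equal length a rule that
    names the user beats an 'everyone' rule. No match means no access."""
    best, best_key = None, (-1, -1)
    for rule in rules:
        if _matches(rule, path) and (rule.users is None or user in rule.users):
            key = (len(rule.path), 1 if rule.users is not None else 0)
            if key > best_key:
                best, best_key = rule, key
    return best.perm if best else "none"


def can_push_branch(rules: List[Rule], user: str, branch: str, repo_root: str) -> bool:
    # A push writes revisions into the shared repo as well as updating
    # the branch, so both locations must grant write access.
    return evaluate(rules, user, branch) == "rw" and evaluate(rules, user, repo_root) == "rw"


MAINTAINERS = frozenset({"bob", "john"})

# Ordering 1 from the post: wide open by default, then clamp down trunk.
WIDE_OPEN = [
    Rule(PROJECT, None, "rw"),
    Rule(PROJECT + "/trunk", None, "ro"),
    Rule(PROJECT + "/trunk", MAINTAINERS, "rw"),
]

# Ordering 2 from the post: locked down by default, open the branches area.
LOCKED_DOWN = [
    Rule(PROJECT, None, "ro"),
    Rule(PROJECT, MAINTAINERS, "rw"),
    Rule(PROJECT + "/branches", None, "rw"),
]
```

Under LOCKED_DOWN the branch path alone evaluates to "rw" for any user, yet can_push_branch still fails for non-maintainers because the repository root denies the write, which is exactly why the message falls back to the wide-open ordering.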


