access control in bazaar

John Arbash Meinel john at arbash-meinel.com
Fri May 6 13:29:30 UTC 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


...

> It must be possible to set different rights for different people in different projects. Let's take the following example:
> 
> project1 has the following directories
>  -- User1 (working directory for User 1)
>  -- User2 (working directory for User 2)
>  -- trunk (the main project)
> 
> project2 has the following directories
>  -- User2 (working directory for User 2)
>  -- User3 (working directory for User 3)
>  -- trunk (the main project)
> 
> According to the gateway workflow User1..3 are not able to commit changes to trunk. They are only able to push their branches to their own working directories. Maybe they are not allowed to read the other developers' working branches.

I would certainly recommend you look into Sloecode.
http://how-bazaar.blogspot.com/2011/03/announcing-sloecode.html

May not be everything you want, may not even be necessary, though.

It sort of depends what you mean by "project" and "User1" directories.
Subversion is basically one-big filesystem, which doesn't really have
the concept of a "branch". Bazaar is more particular about what is a
tree of user-files, and what is a branch (a series of changes to those
files).

If you want something at the level of: "I have a $PROJECT, which has a
docs/ directory and a src/ directory. I don't want USER1 to be able to
commit to docs/." Bazaar doesn't have that level of granularity (and it
generally goes against the principle of DVCS).

If you want to say: "I have $PROJECT which has several in-progress
branches. I want a user to be able to upload changes to a subdirectory
$PROJECT/user1/* but not to upload changes to $PROJECT/trunk".

That can be done fairly trivially with just filesystem privileges.

bzr init-repo --no-trees $PROJECT
mkdir $PROJECT/User1
mkdir $PROJECT/User2
bzr init $PROJECT/trunk
find $PROJECT/.bzr -type d -print0 | xargs -0 chmod 2770 # rwxrws---
find $PROJECT/.bzr -type f -print0 | xargs -0 chmod 660  # rw-rw----
find $PROJECT/User1 -type d -print0 | xargs -0 chmod 6750 # rwsr-s---
find $PROJECT/User2 -type f -print0 | xargs -0 chmod 640  # rw-r-----
find $PROJECT/trunk -type d -print0 | xargs -0 chmod 2750 # rwxr-s---
...

chown -R User1:Project $PROJECT/User1
chown -R User2:Project $PROJECT/User2
chown -R SuperUser:Project $PROJECT/trunk

At that point, User1 and User2 can write data to the repository at
$PROJECT/.bzr, they can only update branches under their individual
subdirectories, but can read each-other's branches. Everyone can read
trunk, but only SuperUser can write to it.

The setuid/setgid bits mean that files created under those directories
will preserve at least the group permissions, so that those permissions
stay preserved.

John
=:->
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3D97oACgkQJdeBCYSNAAOREwCgxvP3Oa6lAyl2Vj1LUm0HvH0F
XPEAn1CR9FN1+6FwHNzAll6A8klrh3gN
=8U9i
-----END PGP SIGNATURE-----
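The scheme John sketches above, worked through as an added example that is not part of the original post or of Bazaar itself. Since the post elides some of the chmod lines with "...", the script applies the mode pattern to every path, and it adds an audit that fails if any invariant of the scheme is broken (a group-writable branch outside the shared store, a world-readable file, a directory missing setgid, or a repository file that is no longer group-writable). The repository and branch files are plain mkdir/touch stand-ins for what `bzr init-repo --no-trees` and `bzr init` would create, so it runs without bzr or root; `chown` and group membership are left to the administrator, and the audit checks mode bits only. One deliberate deviation: directories get setgid (2xxx) instead of the post's setuid 6xxx, because setuid on a directory is ignored on Linux and setgid is the bit that makes new entries inherit the directory's group.

```shell
#!/bin/sh
# Added example (not from the original post): build the permission layout for a
# shared Bazaar repository with per-user branch areas and a protected trunk,
# then audit it. Paths under .bzr are constructed stand-ins, not real bzr output.

setup_layout() {
    proj=$1
    # Stand-ins for the files bzr would create (constructed for this example).
    mkdir -p "$proj/.bzr/repository/packs" "$proj/trunk/.bzr/branch"
    : > "$proj/.bzr/repository/pack-names"
    : > "$proj/trunk/.bzr/branch/last-revision"
    # Per-user areas, each with one pushed branch.
    mkdir -p "$proj/User1/feature/.bzr/branch" "$proj/User2/fix/.bzr/branch"
    : > "$proj/User1/feature/.bzr/branch/last-revision"
    : > "$proj/User2/fix/.bzr/branch/last-revision"

    chmod 2750 "$proj"                                  # rwxr-s--- top level
    # Shared store: every group member must be able to push revisions into it.
    find "$proj/.bzr" -type d -exec chmod 2770 {} +     # rwxrws---
    find "$proj/.bzr" -type f -exec chmod 660 {} +      # rw-rw----
    # Per-user branch areas: owner writes, group reads. Both dirs and files of
    # both users are covered (the post's "..." elides half of these).
    for u in User1 User2; do
        find "$proj/$u" -type d -exec chmod 2750 {} +   # rwxr-s---
        find "$proj/$u" -type f -exec chmod 640 {} +    # rw-r-----
    done
    # trunk: group reads, only its owner (the gatekeeper) writes.
    find "$proj/trunk" -type d -exec chmod 2750 {} +
    find "$proj/trunk" -type f -exec chmod 640 {} +
}

# Record one audit finding and mark the run as failed.
report_finding() {
    echo "$1"
    echo "$2"
    rc=1
}

# Exit 0 only when every invariant of the scheme holds; otherwise print each
# offending path and exit 1.
audit_layout() {
    proj=$1
    rc=0

    # 1. Branch pointers outside the shared store are never group-writable,
    #    otherwise any member could move trunk or another user's branch.
    bad=$(find "$proj/User1" "$proj/User2" "$proj/trunk" -perm -020)
    [ -z "$bad" ] || report_finding "group-writable outside the repository:" "$bad"

    # 2. The shared store must stay group-writable, or pushes fail.
    bad=$(find "$proj/.bzr" ! -perm -020)
    [ -z "$bad" ] || report_finding "not group-writable inside the repository:" "$bad"

    # 3. No world bits anywhere: access is by group membership only.
    bad=$(find "$proj" \( -perm -004 -o -perm -002 -o -perm -001 \))
    [ -z "$bad" ] || report_finding "world-accessible:" "$bad"

    # 4. Every directory carries setgid so new files keep the project group.
    bad=$(find "$proj" -type d ! -perm -2000)
    [ -z "$bad" ] || report_finding "directory without setgid:" "$bad"

    return $rc
}

# Usage: sh bzr-perms.sh /srv/bzr/project   (path is a hypothetical example)
if [ "$#" -eq 1 ]; then
    setup_layout "$1"
    audit_layout "$1"
fi
```

Run the audit from cron or a post-receive hook on the server: the first invariant is the one that matters most, since a single group-writable `last-revision` under trunk hands every repository member the commit right the scheme exists to withhold, even though all members can, by design, write revision data into the shared `.bzr` store.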