Q: Access Control Options
Max Bowsher
maxb at f2s.com
Wed Sep 29 00:39:36 BST 2010
On 28/09/10 16:47, Maritza Mendez wrote:
> Hi. There are a couple current threads here (ok, including one I
> started) which include discussion of ACL-like properties for branches.
> So I assume there is interest in this topic. I have had typically bad
> experiences with the ACL layer tacked onto some commercial version
> control systems. So I am very cautious about suggesting similar
> "enhancements" to bzrlib. Instead, I've been thinking about the Un*x
> way -- many "little" tools, each of which does one job extremely well --
> and leveraging the expertise and architecture already baked into every
> Linux box.
>
> Currently, I provide access controls for centralized "trunk" branches
> for about a dozen projects in my organization. In the simplest case, I
> set up a new branch on a server and 'chown -R' the root of the branch to a
> specific dummy user and 'chmod og-rwx'. More generally, a single dummy
> user may own a "bzr group" of branches. My developers publish their RSA
> public keys. I then manage access by adding/removing their keys from
> the .ssh/authorized_keys in each dummy user's homedir.
>
> This scheme works fine for a small number of branches but quickly gets
> tedious. I started to imagine an administration tool, using a PyQt GUI
> with an SQLite backend to track the registered branches, dummy accounts
> across multiple servers and developers' public keys. As I went through
> the use cases, I realized right away that I wanted more fine-grained
> control. Namely, per-branch rather than per-dummy-user, because the
> membership of a "bzr group" may change. The only way I can think of
> getting per-branch control is by adding a user for *every* branch. I
> suppose that's not too bad (as long as users are deleted when their
> branch is deleted) but it does seem a little clumsy.
>
> So can anyone think of a better way to get from per-user access control
> to per-branch access control with the tools we already have, i.e.
> without modifying bzrlib?
Have you tried the contrib/bzr_access script within the bzr source tree?
I have not, but it looks exactly like the kind of thing I think I'd be
aiming for if I ever manage to promote Bazaar sufficiently within my own
workplace.
Max.
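
The scheme described in the quoted question (one dummy account per group of branches, access granted by listing developers' keys in that account's authorized_keys) can be generated from a single access table. The following is an added example, not part of the original thread and not code from bzr or contrib/bzr_access. The account names, developer names and key material are constructed, and it assumes bzr+ssh sessions need no terminal or forwarding.

```python
import re

# Restrict each key to plain command execution (standard sshd authorized_keys options).
RESTRICT = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
# One key per developer: "<type> <base64> [comment]" on a single line, nothing else.
KEY_RE = re.compile(r"(ssh-rsa|ssh-ed25519) [A-Za-z0-9+/]+={0,2}( [\w.@-]+)?")


def render_authorized_keys(groups, pubkeys):
    """Map each dummy account to the authorized_keys text it should have.

    groups  -- {dummy_user: set of developer names allowed on that account's branches}
    pubkeys -- {developer name: published public key line}
    """
    files = {}
    for dummy_user, members in groups.items():
        lines = []
        for dev in sorted(members):
            key = pubkeys[dev].strip()
            # Reject anything that is not exactly one bare key: a pasted value with
            # an embedded newline or leading options would add or widen an entry.
            if not KEY_RE.fullmatch(key):
                raise ValueError(f"malformed public key for {dev!r}")
            lines.append(f"{RESTRICT} {key}")
        files[dummy_user] = "\n".join(lines) + ("\n" if lines else "")
    return files


def accounts_for(groups, dev):
    """List the dummy accounts a developer can currently log in to (for audits)."""
    return sorted(u for u, members in groups.items() if dev in members)


# Constructed sample data: two dummy accounts, three developers, fake key material.
PUBKEYS = {
    "alice": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAalice alice@example.org",
    "bob": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAbob bob@example.org",
    "carol": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAcarol carol@example.org",
}
GROUPS = {"bzr-projA": {"alice", "bob"}, "bzr-projB": {"bob", "carol"}}

if __name__ == "__main__":
    for user, text in render_authorized_keys(GROUPS, PUBKEYS).items():
        print(f"# ~{user}/.ssh/authorized_keys\n{text}")
```

Revoking a developer is then a change to the table followed by regenerating every file, which avoids stale keys left behind in an account that was edited by hand.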