Access Control with contrib/bzr_access
bzr_access is a Python script bundled with Bazaar's source that allows for SSH key-based access control. Users are restricted to running bzr with read or read and write access to a particular directory based on their SSH key pair.
The bzr_access script can be found in the contrib directory of the Bazaar source package.
Upload the script to a directory of your choice. Remember to change the permissions of the script so that it is executable.
Add a user account with SSH access on the server. In this user account's ~/.ssh directory, create the authorized_keys file. For each user that will be granted access to the directory /path/to/repository, add a line to authorized_keys:
command="/path/to/bzr_access /path/to/bzr /path/to/repository <username>",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-<type> <key>
<username> must be alphanumeric. The path to bzr must be given as a Bazaar smart server will be started by bzr_access.
In /path/to/repository, create a bzr_access.conf configuration file. This configuration file uses ini syntax with a required and an optional section. The required section is the [/] section, which defines the permissions themselves. The optional section is [groups], which allows you to define user groups with usernames separated by commas. The usernames associated with the permissions correspond to the <username> provided in authorized_keys. The permission is either r for read or rw for read/write. When defining permissions, group names are prefixed with @.
A sample bzr_access.conf:
[groups] admins = alpha devels = beta, gamma, delta [/] @admins = rw @devels = r
Users place their private keys in a default location (e.g., ~/.ssh/id_rsa) and/or use an SSH authentication agent. They then run Bazaar commands with the locations accessed with the bzr+ssh protocol, e.g.,
bzr branch bzr+ssh://email@example.com/trunk
Where account is the name of the user account on the server and trunk is a branch relative to the specified directory that the user is allowed access to, e.g., it could correspond to /home/account/trunk if the user has access to /home/account. If example.com is configured as described above, bazaar would look for the branch at /path/to/repository/trunk on the example.com server.
Currently, each bzr_access.conf configuration file is limited to specifying the access control for the directory that it is in. As such, to cater for a setup with multiple projects that should be segregated, one must either
- Create a user account for each project, thus duplicating the configuration for each user account but allowing each user to maintain just one SSH key pair.
- Create a single user account, but require each user to have an SSH key pair for each project. They will then have to select the appropriate private key to access the desired directory. Each of these directories will have its own bzr_access.conf, but there need be only one authorized_keys file.
- Create an SSH key pair for each project and have users share private keys. However, removing the access of a user from a given directory will mean revoking a key pair and issuing a new private key to the other users with access to that directory.