Launchpad Entry: https://blueprints.launchpad.net/bzr/+spec/acl-transport
Created: 2007-12-10 by JohnMeinel
It would be good to add some functionality for allowing basic Access Control to branches as part of repositories. This spec is not discussing adding any form of Authentication at this point. That should still be done at a different level.
There are situations where it would be nice to limit access based on path, with more flexibility than is offered by the filesystem. Either because you want a single user connecting to the system, or because the system does not support ACLs and managing user+group permissions becomes difficult when the number of users and granularity of access is high.
1. Connecting over bzr+ssh could allow a user to read from project/trunk but not write. But allow them to write in their own personal space (eg. project/user/branch).
Depending on whether this is exposed to bzr serve there shouldn't be much in the way of UI changes. (Unless you consider the ACL file to be UI.)
My thought is to introduce an ACLServer along with ACLTransport like the ChrootServer/ChrootTransport is done right now.
I believe we can assume that only one user is going to be running at a time, so we don't need to change Transport to pass around User data. We probably will want some sort of AccessControl object passed into ACLServer so that the methods of configuring the access can be customized.
Transport level requests would need to be separated into read-only and write requests. (put/append versus get/get_bytes/list_dir/etc).
Because AccessControl can be restricted to the current user, it should be possible to implement it efficiently since it is only based on paths.
- At the moment, the spec is designed around distinguishing from Read-only access and Read-Write access. Would we also want to address "Not Accessible"?. So you could have branches that are only present for certain users. Also, how should this be presented at a higher level. (Are they hidden from list_dir(), or are you only restricted from accessing content underneath a directory?
- Do we allow individual files access control, or is it just at the directory-level? Directory level seems sufficient for general needs, (since really it is at a Branch and Repository level).
- What about wild-cards? How do wild-card rules take precedence over exact-path rules? (We could just consider precedence based on the order in the file, is that sufficient?)