anonymous and authenticated http smart server on the same host is hard
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Bazaar | Confirmed | Medium | Unassigned | |
Breezy | Triaged | Medium | Unassigned | |
Bug Description
affects bzr
importance medium
status confirmed
anonymous and authenticated http smart server on the same host is hard:
- apache etc need to be told to 'ask for auth but permit anonymous'
on the .bzr/smart url
- bzr then needs to check for auth details and disable writing if they
are absent
- bzr the client needs to know to try again after auth is requested
without auth
One way to approach this:
We can make this better by defining an explicit anonymous resource -
e.g.
.bzr/
Then, the following should be decent:
- if we know we're not writing, try for .bzr/smart-readonly
- if we don't know whether we're writing or not, try for .bzr/smart
- if we don't have the correct credentials, fall back to -readonly,
  which will fail cleanlyish if we do try to write.
Users wanting anonymous servers do:
- setup wsgi on smart-readonly, no auth
Users wanting writable authenticated only do:
- setup smart only
Users wanting all users authenticated, but some read and some write
- setup smart and smart-readonly, but both with auth.
This isn't entirely satisfactory for permission control, as it's not
fine-grained.
A better approach:
Extend the smart server to be able to inform apache/bzr that the current
user has been denied access to do what they want.
Then:
- .bzr/smart with no http credentials gets readonly
- attempts to write trigger some auth-needed codepath (perhaps simply
by the bzr client interpreting readonly errors as 'you need to
authenticate')
- apache needs to be configured with a user database but no requirement
for authentication.
I suspect the latter approach is better.
--
tags: added: authentication hpss http
tags: added: check-for-breezy
tags: removed: check-for-breezy
Changed in brz:
status: New → Triaged
importance: Undecided → Medium
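
The "better approach" from the bug description, sketched as WSGI middleware that stands in for a front end with a user database but no authentication requirement. This is an added example, not code from Bazaar or Breezy; the class names, the `example.readonly` environ key, the stand-in smart app and the choice to challenge on bad credentials instead of downgrading to read-only are all assumptions.

```python
import base64, io

class WriteDenied(Exception):
    """Raised by the wrapped app, before start_response, on a denied write."""

class AnonymousReadOnly:
    """Optional auth: no credentials -> read-only; denied write -> 401."""
    def __init__(self, app, check_password, realm="bzr"):
        self.app, self.check_password, self.realm = app, check_password, realm

    def _user(self, environ):
        scheme, _, blob = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except ValueError:  # covers malformed base64 and invalid UTF-8
            return None
        user, _, password = text.partition(":")
        return user if self.check_password(user, password) else None

    def _challenge(self, start_response):
        start_response("401 Unauthorized", [
            ("WWW-Authenticate", 'Basic realm="%s"' % self.realm),
            ("Content-Type", "text/plain")])
        return [b"authentication required\n"]

    def __call__(self, environ, start_response):
        user = self._user(environ)
        if user is None and environ.get("HTTP_AUTHORIZATION"):
            return self._challenge(start_response)  # bad credentials: no silent downgrade
        environ["example.readonly"] = user is None  # hypothetical key read by the app
        try:
            return self.app(environ, start_response)
        except WriteDenied:
            return self._challenge(start_response)  # tells the client to retry with auth

def demo_smart_app(environ, start_response):
    # Constructed stand-in for the smart endpoint: body starting with b"W" is a write.
    is_write = environ["wsgi.input"].read(1) == b"W"
    if is_write and environ["example.readonly"]:
        raise WriteDenied()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"wrote\n" if is_write else b"read\n"]

def request(app, body, credentials=None):
    """Drive one constructed request through app; return (status, headers)."""
    environ = {"REQUEST_METHOD": "POST", "wsgi.input": io.BytesIO(body)}
    if credentials:
        environ["HTTP_AUTHORIZATION"] = "Basic " + base64.b64encode(credentials.encode()).decode()
    seen = []
    app(environ, lambda status, headers: seen.append((status, dict(headers))))
    return seen[0]
```

The wrapped app has to raise `WriteDenied` before it calls `start_response`, otherwise the 401 can no longer replace the response already begun.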