how to set up authentication for a central repository

Asked by dmuir

I'm trying to use bzr on my webhost as a central repository. I've got bazaar installed, but I can't figure out how to set it up so that only certain users can pull/push. Just to clarify, I've got this running on a shared host (Dreamhost).

I initially figured I could just add a bunch of ssh users, and then add them to group. This seems to work, but requires me to install bzr for every user which is a pain. Is there a better way to handle this? With svn I'm able to set up a set of users for a particular repository, and access them via https. The documentation mentions a WebDAV plugin, but doesn't say much more than that.

Hope I can find a solution here, as I'd really like to move away from Subversion.

Question information

English Edit question
Bazaar Edit question
No assignee Edit question
Solved by:
Last query:
Last reply:
Revision history for this message
EmmaJane (emmajane) said :

Does everyone need to have their own branch on the server, or are you using a centralized model (in which case a single spot on teh server with users and group access should work)? If people are push/pulling from their own machines I'm not sure why each account would need to have Bazaar installed... can you describe your workflow as well?

Revision history for this message
dmuir (dmuir) said :

Looks like I've figured it out.

bzr+ssh requires bzr to be installed for every user
http+webdav doesn't work with servers requiring authentication


sftp works

To clarify what I've ended up doing* and to help any others who might be in the same boat:

1. I created a new group eg. "bzr_grp" (Dreamhost lets me do this in their web-panel)

2. I then created a new repository:
bzr init-repo repos

3. I then changed the group:
chgrp -R bzr_grp repos

4. I then used SGID to make sure all new files remain in the group:
chmod g+s repos

5. I can now use sftp to work with branches:
bzr init sftp://<email address hidden>/home/master-user/repos/new-branch

master-user is the account where you set up the repository (not the one you're logging in as
instead of using home, I could have used ~/../, but that looks a lot messier.

*I actually ended up making separate repositories for individual clients, but the workflow is the same

Revision history for this message
baxissimo (wbaxter) said :

Great info. This is *exactly* what I'm trying to do right now (right down to doing it on dreamhost).

One thing for dmuir: on dreamhost you can set up a subdomain like with / mapped to a particular subdirectory of your account. I've used that to set up a mercurial repo like

Thanks for writing out the steps to do this.

Revision history for this message
dmuir (dmuir) said :

I was getting errors about not finding bzr on the remote server when using bzr+ssh.
Bzr is installed in /home/master-user/bin, and so isn't automatically available. After looking through the user guide it seems that I can add the correct path to locations.conf, so will try that later.

Glad to hear it. Using a bzr subdomain is handy for public branches, but less so if you're only going to access it via ssh since you have to specify the full path. (unless I'm missing something)

To tell the truth, I ended up going the bzr-svn route in the end, simply because it worked without much fuss (especially since Dreamhost makes it so easy to work with svn repos). That and I couldn't figure out how to import from svn into bzr :-) Now that I get bzr a bit more, I'll be revisiting that soon.

Revision history for this message
baxissimo (wbaxter) said :

I hadn't realized the sub-domain trick only worked for http://. Oh well. That does dampen my enthusiasm for the bzr sftp:// approach a bit. Is webdav still unusable? I didn't see an obvious resolution to those two bugs you posted.

Revision history for this message
dmuir (dmuir) said :

Have a look at
sftp allows you to use /~/ which might help.

As for webdav, I haven't tried it since November, so don't know.
As far as I can tell bzr still can't handle a 401 response properly (all the bug reports I've seen say it's fixed, but I still get errors using the latest version), so probably not. Had similar issues with bzr-svn but ended up using svn+ssh to bypass the issues with using http.
I also never got around to asking dreamhost to modify the .htaccess file for webdav, so doing that might get things working for the other issue I was having with it. Let me know how you go.