103
104
* ``scheme``: can be empty (meaning the rest of the definition can be used
105
for any scheme), ``SFTP`` and ``bzr+ssh`` should not be used here, ``ssh``
106
should be used instead since this is the real scheme regarding
106
109
* ``host``: can be empty (to act as a default for any host),
108
111
* ``port`` can be empty (useful when an host provides several servers for the
109
same scheme), only numerical values are allowed,
112
same scheme), only numerical values are allowed, this should be used only
113
when the server uses a port different than the scheme standard port,
111
115
* ``path``: can be empty (FTP or SFTP will never user it),
113
* ``user``: can be empty (and will use the same default as ``bzr``, python's
114
``getpass.get_user()``),
117
* ``user``: can be empty (``bzr`` will defaults to python's
118
``getpass.get_user()`` and attempt another matching(see below)),
116
120
* ``password``: can be empty (for security reasons, a user may use the
117
definitions without storing the passwords but want to be prompted).
121
definitions without storing the passwords but want to be prompted ; or the
122
password will be provided by an external plugin via the
123
``password_encoding`` mechanism decribed below).
119
125
* ``password_encoding``: can be empty (default is ``plaintext``).
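Review bot: In the new ``user`` bullet, ``getpass.get_user()`` is not the name of the Python function; the standard library call is ``getpass.getuser()``, and the old spelling is carried over unchanged. While this bullet is being touched, "will defaults to" should read "defaults to" and "another matching(see below)" needs a space before the parenthesis. In the ``port`` bullet the parenthetical "(useful when an host provides several servers for the same scheme)" reads as if it explains the empty case, when it describes why a port would be set; moving it after the new "only when the server uses a port different than the scheme standard port" clause removes the ambiguity. "decribed" in the ``password`` bullet is a typo for "described".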
132
138
3. ``scheme`` matches even if decorators are used in the requested URL,
134
4. ``host`` matches if included in the requested URL. ``foo.net`` will match a
135
requested ``bzr.foo.net``.
140
4. ``host`` matches exactly or act as a domain if it starts with '.'
141
(``project.bzr.sf.net`` will match ``.bzr.sf.net`` but ``projectbzr.sf.net``
142
will not match ``bzr.sf.net``).
137
144
5. ``port`` matches if included in the requested URL (exact matches only)
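Review bot: The new rule 4 does not say whether a definition of ``.bzr.sf.net`` also matches the bare host ``bzr.sf.net``. The example comment added later in this patch ("The leading '.' ensures that 'sf.net' alone doesn't match") implies it does not, and that belongs in the rule itself because it decides which hosts receive a stored password. "act as a domain" should read "acts as a domain". The unchanged example commands against ``foo.net`` and ``bzr.foo.net`` should be rechecked, since the old substring rule that let ``foo.net`` cover ``bzr.foo.net`` is removed here.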
159
166
.. [#password_encoding] Additional password encoding methods may be defined
160
167
that will rely on external means to store the password which, in these
161
cases, will not appear anymore in the definition but be provided. An
162
encoding named ``netrc`` for example will provide passwords by using the
168
cases, will not appear anymore in the definition. It is assumed that
169
additional password encodings will provide a storage outside of the file
170
described here. An encoding named ``netrc`` for example will provide
171
passwords by retrieving them in the ``.netrc`` file.
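Review bot: The rewritten footnote says the password "will not appear anymore in the definition" for external encodings, but leaves open what bzr does when a ``password`` value is present anyway, or when the external store (``.netrc`` in the example) has no entry for the host. State the precedence and the fallback (presumably the prompt described for an empty ``password``) so that plugin authors implement it the same way.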
181
189
``~/.bazaar/authentication.conf`` will use the same file format than
182
190
``~/.bazaar/bazaar.conf``.
184
Each section will define an authentication definition.
192
Each section describes an authentication definition.
186
194
The section name is an arbitrary string, only the ``DEFAULT`` value is reserved
187
195
and should appear as the *last* section.
213
221
This section could define:
215
* ``user``: default user to be used.
223
* ``user``: default user to be used (if not defined the usual
224
bzr way applies, see below).
217
226
* ``password_encoding``: default password encoding.
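Review bot: "the usual bzr way" in the new ``user`` line of this section is too vague for a specification. Name the fallback directly, as the ``user`` bullet earlier in this patch does, rather than relying on "see below".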
236
245
bzr branch ftp://foo.net/bzr/branch
237
246
bzr pull ftp://bzr.foo.net/bzr/product/branch/trunk
239
* all connections are done with the same ``user`` (the local one) and the
240
password is always prompted with some exceptions::
248
* all connections are done with the same ``user`` (the remote one for which
249
the default bzr one is not appropriate) and the password is always prompted
250
with some exceptions::
242
252
# Pet projects on hobby.net
246
verify_certificates=no
248
256
password=obvious1234
254
263
password='c2VjcmV0LXBhc3M='
255
264
password_encoding=base64
265
verify_certificates=no # Still searching a free certificate provider
268
# Our local user is barbaz, on all remote sites we're known as foobar
260
* an HTTP server that also acts as a proxy (weird)::
271
* an HTTP server and a proxy::
262
273
# development branches on dev server
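Review bot: The new ``verify_certificates=no # Still searching a free certificate provider`` line lands directly under ``password='c2VjcmV0LXBhc3M='`` and ``password_encoding=base64``, so the example now shows a stored password being sent to a server whose certificate is not checked. Examples in a specification get copied; either keep certificate verification on in the section that stores a password, or add a sentence saying why this combination is risky. It is also worth stating next to this example that ``base64`` only hides the password from a casual glance and gives no protection against anyone who can read the file.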
292
host=proxy.company.com
283
295
password=proxypass1
285
Note that the proxy should be specified last because it uses no path. An
286
alternative is to specify the port used by the proxy.
297
* source hosting provider declaring sub-domains for each project::
300
# we use sftp, but ssh is the scheme used for authentication
302
# The leading '.' ensures that 'sf.net' alone doesn't match
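Review bot: The removed note ("the proxy should be specified last because it uses no path") was the only visible guidance on how definition order affects matching in this example. If order no longer matters under the new ``host`` rule, say so in the matching rules; if it still matters, keep an equivalent sentence here.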
305
325
Get a user from ``~/.bazaar/authentication.conf`` or prompt for one if none is
306
326
found. Continue as 2.
308
Note: A user will be queried only if the server requires it for ``HTTP``, other
309
protocols always require a user.
328
Note: A user will be queried only if the server requires it for ``HTTP`` or
329
``HTTPS``, other protocols always require a user.
311
331
In any case, if the server refuses the authentication, bzr reports to the user
315
335
--------------------------
317
337
* bzr should be able to prompt for a ``user`` for a given (``scheme``, ``host``
318
[, ``realm``]). Note that ``realm`` may be available only after a first
338
[, ``realm``]). Note that ``realm`` is available only after a first
319
339
connection attempt to the server.
321
341
* No assumptions should be made about the clients of this service