doc/configuring-access
author Paul Crowley <paul@lshift.net>
Thu, 15 Oct 2009 11:00:32 +0100
changeset 150 02b464a6b433
parent 114 241475f6440c
permissions -rw-r--r--
Improvements to how it works section
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
83
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     1
ACCESS.CONF
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     2
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     3
Out of the box, there are just two kinds of users: the ones with keys in
112
3035990989ee Documentation improvements
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
     4
"keys/root" and those in "keys/users". However, you can change this by
3035990989ee Documentation improvements
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
     5
editing "access.conf". There are two "access.conf" files, one in
3035990989ee Documentation improvements
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
     6
"/etc/mercurial-server" and one in "hgadmin"; the two are simply
3035990989ee Documentation improvements
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
     7
concatenated before being read.
83
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     8
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     9
Each line of access.conf has the following syntax:
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    10
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    11
<rule> <condition> <condition> ...
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    12
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    13
Rule is one of
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    14
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    15
init - allow any operation, including the creation of new repositories
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    16
write - allow reads and writes to this file in this repository
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    17
read - allow the repo to be read but reject matching writes
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    18
deny - deny all requests
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    19
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    20
A condition is a globpattern matched against a relative path. The two most
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    21
important conditions are
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    22
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    23
    user=<globpattern> - user's key
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    24
    repo=<globpattern> - repo (as the user supplies it)
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    25
112
3035990989ee Documentation improvements
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
    26
The first rule in the file which has all its conditions satisfied is used
3035990989ee Documentation improvements
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
    27
to determine whether an action is allowed. If no rule is matched the
3035990989ee Documentation improvements
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
    28
request is denied.
83
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    29
114
241475f6440c Remove no longer correct assertion about paths
Paul Crowley <paul@lshift.net>
parents: 112
diff changeset
    30
"*" only matches one directory level, where "**" matches as many as you
241475f6440c Remove no longer correct assertion about paths
Paul Crowley <paul@lshift.net>
parents: 112
diff changeset
    31
want. More precisely, "*" matches zero or more characters not including "/"
241475f6440c Remove no longer correct assertion about paths
Paul Crowley <paul@lshift.net>
parents: 112
diff changeset
    32
while "**" matches zero or more characters including "/".
83
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    33
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    34
Blank lines and lines that start with "#" are ignored.
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    35
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    36
access.conf ships with the following contents:
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    37
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    38
    init user=root/**
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    39
    deny repo=hgadmin
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    40
    write user=users/**
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    41
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    42
This means: keys in "root" can do anything; keys in "users" cannot create
112
3035990989ee Documentation improvements
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
    43
repositories, cannot even read the hgadmin repository, but can read and
3035990989ee Documentation improvements
Paul Crowley <paul@lshift.net>
parents: 83
diff changeset
    44
write any other repository; no other key has any access.
83
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    45
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    46
More advanced access configuration is covered in file-conditions.
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    47