author | Paul Crowley <paul@lshift.net> |
Sat, 19 Dec 2009 19:06:06 +0000 | |
changeset 245 | 04989b539651 |
parent 238 | 4747f2920666 |
child 252 | 75acaf1b1216 |
permissions | -rw-r--r-- |
119 | 1 |
<?xml version="1.0" encoding="utf-8"?> |
120 | 2 |
<article xmlns="http://docbook.org/ns/docbook" version="5.0" xml:lang="en" |
3 |
xmlns:xlink="http://www.w3.org/1999/xlink"> |
|
119 | 4 |
<info> |
5 |
<title>Sharing Mercurial repositories with mercurial-server</title> |
|
6 |
<author><firstname>Paul</firstname><surname>Crowley</surname></author> |
|
120 | 7 |
<copyright><year>2009</year><holder>Paul Crowley, LShift Ltd</holder></copyright> |
119 | 8 |
</info> |
9 |
<section> |
|
10 |
<title>About mercurial-server</title> |
|
11 |
<para> |
|
120 | 12 |
Home page: <link xlink:href="http://www.lshift.net/mercurial-server.html"/> |
13 |
</para> |
|
14 |
<para> |
|
133
a99ab5be891a
Let next para do the work of discussing what OS it runs on
Paul Crowley <paul@lshift.net>
parents:
132
diff
changeset
|
15 |
mercurial-server gives your developers remote read/write access to |
a99ab5be891a
Let next para do the work of discussing what OS it runs on
Paul Crowley <paul@lshift.net>
parents:
132
diff
changeset
|
16 |
centralized <link xlink:href="http://hg-scm.org/">Mercurial</link> |
a99ab5be891a
Let next para do the work of discussing what OS it runs on
Paul Crowley <paul@lshift.net>
parents:
132
diff
changeset
|
17 |
repositories using SSH public key authentication; it provides convenient |
a99ab5be891a
Let next para do the work of discussing what OS it runs on
Paul Crowley <paul@lshift.net>
parents:
132
diff
changeset
|
18 |
and fine-grained key management and access control. |
119 | 19 |
</para> |
20 |
<para> |
|
21 |
Though mercurial-server is currently targeted at Debian-based systems such |
|
22 |
as Ubuntu, other users have reported success getting it running on other |
|
23 |
Unix-based systems such as Red Hat. Running it on a non-Unix system such as |
|
24 |
Windows is not supported. You will need root privileges to install it. |
|
25 |
</para> |
|
26 |
</section> |
|
27 |
<section> |
|
28 |
<title>Step by step</title> |
|
29 |
<para> |
|
134
525976d2827c
Change the way we link to SSH tutorial
Paul Crowley <paul@lshift.net>
parents:
133
diff
changeset
|
30 |
mercurial-server authenticates users not using passwords but using SSH |
525976d2827c
Change the way we link to SSH tutorial
Paul Crowley <paul@lshift.net>
parents:
133
diff
changeset
|
31 |
public keys; everyone who wants access to a mercurial-server repository |
131
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
32 |
will need such a key. In combination with <command>ssh-agent</command> (or |
120 | 33 |
equivalents such as the Windows program <link |
34 |
xlink:href="http://the.earth.li/~sgtatham/putty/0.60/htmldoc/Chapter9.html#pageant">Pageant</link>), |
|
35 |
this means that users will not need to type in a password to access the |
|
134
525976d2827c
Change the way we link to SSH tutorial
Paul Crowley <paul@lshift.net>
parents:
133
diff
changeset
|
36 |
repository. If you're not familiar with SSH public keys, the <link |
525976d2827c
Change the way we link to SSH tutorial
Paul Crowley <paul@lshift.net>
parents:
133
diff
changeset
|
37 |
xlink:href="http://sial.org/howto/openssh/publickey-auth/">OpenSSH Public |
525976d2827c
Change the way we link to SSH tutorial
Paul Crowley <paul@lshift.net>
parents:
133
diff
changeset
|
38 |
Key Authentication tutorial</link> may be helpful. |
119 | 39 |
</para> |
120 | 40 |
<section> |
185
f8f8b4018381
Remove all installation talk from docbook
Paul Crowley <paul@lshift.net>
parents:
179
diff
changeset
|
41 |
<title>Initial access to mercurial-server</title> |
119 | 42 |
<para> |
122
05b676684c7e
Call the user jay rather than user, and use pat instead of other-user
Paul Crowley <paul@lshift.net>
parents:
121
diff
changeset
|
43 |
In what follows, we assume that your username is <systemitem |
05b676684c7e
Call the user jay rather than user, and use pat instead of other-user
Paul Crowley <paul@lshift.net>
parents:
121
diff
changeset
|
44 |
class="username">jay</systemitem>, that you usually sit at a machine called |
185
f8f8b4018381
Remove all installation talk from docbook
Paul Crowley <paul@lshift.net>
parents:
179
diff
changeset
|
45 |
<systemitem class="systemname">spoon</systemitem> and you have |
f8f8b4018381
Remove all installation talk from docbook
Paul Crowley <paul@lshift.net>
parents:
179
diff
changeset
|
46 |
installed mercurial-server on <systemitem |
f8f8b4018381
Remove all installation talk from docbook
Paul Crowley <paul@lshift.net>
parents:
179
diff
changeset
|
47 |
class="systemname">jeeves</systemitem> using the package management system (see the README for more on installation). We assume that you have created your SSH public key, set up your SSH agent with this key, and that this key gives you access to <systemitem |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
48 |
class="systemname">jeeves</systemitem>. |
119 | 49 |
</para> |
185
f8f8b4018381
Remove all installation talk from docbook
Paul Crowley <paul@lshift.net>
parents:
179
diff
changeset
|
50 |
<screen><computeroutput>jay@spoon:~$ </computeroutput><userinput>ssh -A jeeves</userinput> |
f8f8b4018381
Remove all installation talk from docbook
Paul Crowley <paul@lshift.net>
parents:
179
diff
changeset
|
51 |
<computeroutput>jay@jeeves:~$ </computeroutput><userinput>ssh-add -L > my-key</userinput> |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
52 |
<computeroutput>jay@jeeves:~$ </computeroutput><userinput>sudo mkdir -p /etc/mercurial-server/keys/root/jay</userinput> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
53 |
<computeroutput>jay@jeeves:~$ </computeroutput><userinput>sudo cp my-key /etc/mercurial-server/keys/root/jay/spoon</userinput> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
54 |
<computeroutput>jay@jeeves:~$ </computeroutput><userinput>sudo -u hg /usr/share/mercurial-server/refresh-auth</userinput> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
55 |
<computeroutput>jay@jeeves:~$ </computeroutput><userinput>exit</userinput> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
56 |
<computeroutput>Connection to jeeves closed. |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
57 |
jay@spoon:~$ </computeroutput></screen> |
119 | 58 |
<para> |
120 | 59 |
You can now create repositories on the remote machine and have complete |
131
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
60 |
read-write access to all of them. |
119 | 61 |
</para> |
120 | 62 |
</section> |
63 |
<section> |
|
64 |
<title>Creating repositories</title> |
|
131
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
65 |
<para> |
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
66 |
To store a repository on the server, clone it over. |
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
67 |
</para> |
159
609d1d4ec773
Use shorter name for clone example project
Paul Crowley <paul@lshift.net>
parents:
158
diff
changeset
|
68 |
<screen><computeroutput>jay@spoon:~$ </computeroutput><userinput>cd myproj</userinput> |
160
72cb7a42650a
Use shorter remote repo name
Paul Crowley <paul@lshift.net>
parents:
159
diff
changeset
|
69 |
<computeroutput>jay@spoon:~/myproj$ </computeroutput><userinput>hg clone . ssh://hg@jeeves/jays/project</userinput> |
119 | 70 |
<computeroutput>searching for changes |
71 |
remote: adding changesets |
|
72 |
remote: adding manifests |
|
73 |
remote: adding file changes |
|
74 |
remote: added 119 changesets with 284 changes to 61 files |
|
160
72cb7a42650a
Use shorter remote repo name
Paul Crowley <paul@lshift.net>
parents:
159
diff
changeset
|
75 |
jay@spoon:~/myproj$ </computeroutput><userinput>hg pull ssh://hg@jeeves/jays/project</userinput> |
72cb7a42650a
Use shorter remote repo name
Paul Crowley <paul@lshift.net>
parents:
159
diff
changeset
|
76 |
<computeroutput>pulling from ssh://hg@jeeves/jays/project |
119 | 77 |
searching for changes |
78 |
no changes found |
|
159
609d1d4ec773
Use shorter name for clone example project
Paul Crowley <paul@lshift.net>
parents:
158
diff
changeset
|
79 |
<computeroutput>jay@spoon:~/myproj$ </computeroutput><userinput>cd ..</userinput> |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
80 |
jay@spoon:~$ </computeroutput></screen> |
120 | 81 |
</section> |
82 |
<section> |
|
83 |
<title>Adding other users</title> |
|
119 | 84 |
<para> |
145 | 85 |
At this stage, no-one but you has any access to any repositories you |
120 | 86 |
create on this system. In order to give anyone else access, you'll need a |
87 |
copy of their SSH public key; we'll assume you have that key in |
|
161
475a05ed5f0e
Sam's machine is called saucer
Paul Crowley <paul@lshift.net>
parents:
160
diff
changeset
|
88 |
<filename>~/sam-saucer-key.pub</filename>. To manage access, you make changes to the special <filename |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
89 |
class='directory'>hgadmin</filename> repository. |
119 | 90 |
</para> |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
91 |
<screen><computeroutput>jay@spoon:~$ </computeroutput><userinput>hg clone ssh://hg@jeeves/hgadmin</userinput> |
119 | 92 |
<computeroutput>destination directory: hgadmin |
93 |
no changes found |
|
94 |
updating working directory |
|
95 |
0 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
96 |
jay@spoon:~$ </computeroutput><userinput>cd hgadmin</userinput> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
97 |
<computeroutput>jay@spoon:~/hgadmin$ </computeroutput><userinput>mkdir -p keys/users/sam</userinput> |
161
475a05ed5f0e
Sam's machine is called saucer
Paul Crowley <paul@lshift.net>
parents:
160
diff
changeset
|
98 |
<computeroutput>jay@spoon:~/hgadmin$ </computeroutput><userinput>cp ~/sam-saucer-key.pub keys/users/sam/saucer</userinput> |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
99 |
<computeroutput>jay@spoon:~/hgadmin$ </computeroutput><userinput>hg add</userinput> |
161
475a05ed5f0e
Sam's machine is called saucer
Paul Crowley <paul@lshift.net>
parents:
160
diff
changeset
|
100 |
<computeroutput>adding keys/users/sam/saucer |
162 | 101 |
jay@spoon:~/hgadmin$ </computeroutput><userinput>hg commit -m "Add Sam's key"</userinput> |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
102 |
<computeroutput>jay@spoon:~/hgadmin$ </computeroutput><userinput>hg push</userinput> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
103 |
<computeroutput>pushing to ssh://hg@jeeves/hgadmin |
119 | 104 |
searching for changes |
105 |
remote: adding changesets |
|
106 |
remote: adding manifests |
|
107 |
remote: adding file changes |
|
108 |
remote: added 1 changesets with 1 changes to 1 files |
|
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
109 |
jay@spoon:~/hgadmin$ </computeroutput></screen> |
119 | 110 |
<para> |
123 | 111 |
Sam can now read and write to your |
160
72cb7a42650a
Use shorter remote repo name
Paul Crowley <paul@lshift.net>
parents:
159
diff
changeset
|
112 |
<uri>ssh://hg@jeeves/jays/project</uri> repository. |
120 | 113 |
Most other changes to access control can be made simply by making and |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
114 |
pushing changes to <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
115 |
class='directory'>hgadmin</filename>, and you can use Mercurial to |
120 | 116 |
cooperate with other root users in the normal way. |
117 |
</para> |
|
131
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
118 |
<para> |
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
119 |
If you prefer, you could give them access by |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
120 |
logging into <systemitem class="systemname">jeeves</systemitem>, |
131
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
121 |
putting the key in the right place under <filename |
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
122 |
class='directory'>/etc/mercurial-server/keys</filename>, and re-running |
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
123 |
<userinput>sudo -u hg /usr/share/mercurial-server/refresh-auth</userinput>. |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
124 |
However, using <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
125 |
class='directory'>hgadmin</filename> is usually more convenient if you need to make more than a very few changes; it also makes it easier to share administration with others and provides a log of all changes. |
131
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
126 |
</para> |
120 | 127 |
</section> |
132
a5850a63390f
Move basic access control to the start of access control
Paul Crowley <paul@lshift.net>
parents:
131
diff
changeset
|
128 |
</section> |
120 | 129 |
<section> |
132
a5850a63390f
Move basic access control to the start of access control
Paul Crowley <paul@lshift.net>
parents:
131
diff
changeset
|
130 |
<title>Access control</title> |
120 | 131 |
<para> |
132 |
Out of the box, mercurial-server supports two kinds of users: "root" users and normal users. If you followed the steps above, you are a "root" user because your key is under <filename class='directory'>keys/root</filename>, while the other user you gave access to is a normal user since their key is under <filename class='directory'>keys/users</filename>. Keys that are not in either of these directories will by default have no access to anything. |
|
133 |
</para> |
|
134 |
<para> |
|
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
135 |
Root users can edit <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
136 |
class='directory'>hgadmin</filename>, create new repositories and read and write to existing ones. Normal users cannot access <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
137 |
class='directory'>hgadmin</filename> or create new repositories, but they can read and write to any other repository. |
120 | 138 |
</para> |
132
a5850a63390f
Move basic access control to the start of access control
Paul Crowley <paul@lshift.net>
parents:
131
diff
changeset
|
139 |
<section> |
a5850a63390f
Move basic access control to the start of access control
Paul Crowley <paul@lshift.net>
parents:
131
diff
changeset
|
140 |
<title>Using access.conf</title> |
120 | 141 |
<para> |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
142 |
mercurial-server offers much more fine-grained access control than this division into two classes of users. Let's suppose you wish to give Pat access to the <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
143 |
class='directory'>widget</filename> repository, but no other. We first copy Pat's SSH public key into the <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
144 |
class='directory'>keys/pat</filename> directory in <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
145 |
class='directory'>hgadmin</filename>. This tells mercurial-server about Pat's key, but gives Pat no access to anything because the key is not under either <filename |
120 | 146 |
class='directory'>keys/root</filename> or <filename |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
147 |
class='directory'>keys/users</filename>. To grant this key access, we must give mercurial-server a new access rule, so we create a file in <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
148 |
class='directory'>hgadmin</filename> called <filename>access.conf</filename>, with the following contents:</para> |
146 | 149 |
<programlisting># Give Pat access to the "widget" repository |
238
4747f2920666
Use wildcard in rule to match instructions
Paul Crowley <paul@lshift.net>
parents:
221
diff
changeset
|
150 |
write repo=widget user=pat/* |
120 | 151 |
</programlisting> |
152 |
<para> |
|
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
153 |
Pat will have read and write access to the <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
154 |
class='directory'>widget</filename> repository as soon as we add, commit, and push these files. |
120 | 155 |
</para> |
156 |
<para> |
|
124 | 157 |
Each line of <filename>access.conf</filename> has the following syntax: |
120 | 158 |
</para> |
144
2dbaddde1fd5
programlisting also needs no initial blank lines
Paul Crowley <paul@lshift.net>
parents:
143
diff
changeset
|
159 |
<programlisting><replaceable>rule</replaceable> <replaceable>condition</replaceable> <replaceable>condition...</replaceable> |
120 | 160 |
</programlisting> |
161 |
<para> |
|
157 | 162 |
Blank lines and lines that start with <code>#</code> are ignored. Rule is |
163 |
one of |
|
120 | 164 |
</para> |
165 |
<itemizedlist> |
|
166 |
<listitem> |
|
167 |
<literal>init</literal>: allow reads, writes, and the creation of new repositories |
|
168 |
</listitem> |
|
169 |
<listitem> |
|
170 |
<literal>write</literal>: allow reads and writes |
|
171 |
</listitem> |
|
172 |
<listitem> |
|
173 |
<literal>read</literal>: allow only read operations |
|
174 |
</listitem> |
|
175 |
<listitem> |
|
176 |
<literal>deny</literal>: deny all requests |
|
177 |
</listitem> |
|
178 |
</itemizedlist> |
|
179 |
<para> |
|
180 |
A condition is a globpattern matched against a relative path. The two most |
|
181 |
important conditions are |
|
182 |
</para> |
|
183 |
<itemizedlist> |
|
184 |
<listitem> |
|
156
34925ee06f90
Silly to use literal inside code
Paul Crowley <paul@lshift.net>
parents:
155
diff
changeset
|
185 |
<code>user=<replaceable>globpattern</replaceable></code>: path to the user's key |
120 | 186 |
</listitem> |
187 |
<listitem> |
|
156
34925ee06f90
Silly to use literal inside code
Paul Crowley <paul@lshift.net>
parents:
155
diff
changeset
|
188 |
<code>repo=<replaceable>globpattern</replaceable></code>: path to the repository |
120 | 189 |
</listitem> |
190 |
</itemizedlist> |
|
191 |
<para> |
|
157 | 192 |
<code>*</code> only matches one directory level, where <code>**</code> |
193 |
matches as many as you want. More precisely, <code>*</code> matches zero or |
|
194 |
more characters not including <code>/</code> while <code>**</code> matches |
|
195 |
zero or more characters including <code>/</code>. So |
|
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
196 |
<code>projects/*</code> matches <filename |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
197 |
class='directory'>projects/foo</filename> but not <filename |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
198 |
class='directory'>projects/foo/bar</filename>, while |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
199 |
<code>projects/**</code> matches both. |
120 | 200 |
</para> |
147
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
201 |
<para> |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
202 |
When considering a request, mercurial-server steps through all the rules in |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
203 |
<filename>/etc/mercurial-server/access.conf</filename> and then all the |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
204 |
rules in <filename>access.conf</filename> in <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
205 |
class='directory'>hgadmin</filename> |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
206 |
looking for a rule which matches on every condition. The first match |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
207 |
determines whether the request will be allowed; if there is no match in |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
208 |
either file, the request will be denied. |
147
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
209 |
</para> |
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
210 |
<para> |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
211 |
By default, <filename>/etc/mercurial-server/access.conf</filename> has the |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
212 |
following rules: |
147
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
213 |
</para> |
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
214 |
<programlisting>init user=root/** |
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
215 |
deny repo=hgadmin |
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
216 |
write user=users/** |
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
217 |
</programlisting> |
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
218 |
<para> |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
219 |
These rules ensure that root users can do any operation on any repository, |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
220 |
that no other users can access the <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
221 |
class='directory'>hgadmin</filename> repository, |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
222 |
and that those with keys in <filename |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
223 |
class='directory'>keys/users</filename> can read or write to any repository |
153
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
224 |
but not create repositories. Some examples of how these rules work: |
147
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
225 |
</para> |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
226 |
<itemizedlist> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
227 |
<listitem> |
153
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
228 |
User <filename class='directory'>root/jay</filename> creates a repository |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
229 |
<filename class='directory'>foo/bar/baz</filename>. This matches the first |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
230 |
rule and so will be allowed. |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
231 |
</listitem> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
232 |
<listitem> |
153
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
233 |
User <filename class='directory'>root/jay</filename> changes repository |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
234 |
<filename class='directory'>hgadmin</filename>. Again, this matches the |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
235 |
first rule and so will be allowed; later rules have no effect. |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
236 |
</listitem> |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
237 |
<listitem> |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
238 |
User <filename class='directory'>users/sam</filename> tries to read |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
239 |
repository <filename class='directory'>hgadmin</filename>. This does not |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
240 |
match the first rule, but matches the second, and so will be denied. |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
241 |
</listitem> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
242 |
<listitem> |
153
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
243 |
User <filename class='directory'>users/sam</filename> tries to create |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
244 |
repository <filename class='directory'>sams-project</filename>. This does |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
245 |
not match the first two rules, but matches the third; this is a |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
246 |
<literal>write</literal> rule, which doesn't grant the privilege to create |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
247 |
repositories, so the request will be denied. |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
248 |
</listitem> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
249 |
<listitem> |
153
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
250 |
User <filename class='directory'>users/sam</filename> writes to existing |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
251 |
repository <filename class='directory'>projects/main</filename>. Again, |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
252 |
this matches the third rule, which allows the request. |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
253 |
</listitem> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
254 |
<listitem> |
153
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
255 |
User <filename class='directory'>pat</filename> tries to write to existing |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
256 |
repository <filename class='directory'>widget</filename>. Until we change |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
257 |
the <filename>access.conf</filename> file in <filename |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
258 |
class='directory'>hgadmin</filename>, this will match no rule, and so will |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
259 |
be denied. |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
260 |
</listitem> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
261 |
<listitem> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
262 |
Any request from a user whose key not under the <filename |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
263 |
class='directory'>keys</filename> directory at all will always be denied, |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
264 |
no matter what rules are in effect; because of the way SSH authentication |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
265 |
works, they will be prompted to enter a password, but no password will |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
266 |
work. This can't be changed. |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
267 |
</listitem> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
268 |
</itemizedlist> |
132
a5850a63390f
Move basic access control to the start of access control
Paul Crowley <paul@lshift.net>
parents:
131
diff
changeset
|
269 |
</section> |
120 | 270 |
<section> |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
271 |
<title>/etc/mercurial-server and hgadmin</title> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
272 |
<para> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
273 |
mercurial-server consults two distinct locations to collect information about what to allow: <filename |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
274 |
class='directory'>/etc/mercurial-server</filename> and its own <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
275 |
class='directory'>hgadmin</filename> repository. This is useful for several reasons: |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
276 |
</para> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
277 |
<itemizedlist> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
278 |
<listitem> |
148
5da43b596bac
Fixes to /etc/mercurial-server discussion
Paul Crowley <paul@lshift.net>
parents:
147
diff
changeset
|
279 |
Some users may not need the convenience of access control via mercurial; for these users updating <filename |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
280 |
class='directory'>/etc/mercurial-server</filename> may offer a simpler route. |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
281 |
</listitem> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
282 |
<listitem> |
148
5da43b596bac
Fixes to /etc/mercurial-server discussion
Paul Crowley <paul@lshift.net>
parents:
147
diff
changeset
|
283 |
<filename class='directory'>/etc/mercurial-server</filename> is suitable |
5da43b596bac
Fixes to /etc/mercurial-server discussion
Paul Crowley <paul@lshift.net>
parents:
147
diff
changeset
|
284 |
for management with tools such as <link |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
285 |
xlink:href="http://reductivelabs.com/products/puppet">Puppet</link> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
286 |
</listitem> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
287 |
<listitem> |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
288 |
If a change to <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
289 |
class='directory'>hgadmin</filename> leaves you "locked out", <filename |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
290 |
class='directory'>/etc/mercurial-server</filename> allows you a way back in. |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
291 |
</listitem> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
292 |
<listitem> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
293 |
At install time, all users are "locked out", and so some mechanism to allow some users in is needed. |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
294 |
</listitem> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
295 |
</itemizedlist> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
296 |
<para> |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
297 |
Rules in <filename>/etc/mercurial-server/access.conf</filename> are checked before those in <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
298 |
class='directory'>hgadmin</filename>, and keys in <filename class='directory'>/etc/mercurial-server/keys</filename> will be present no matter how <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
299 |
class='directory'>hgadmin</filename> changes. |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
300 |
</para> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
301 |
<para> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
302 |
We anticipate that once mercurial-server is successfully installed and |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
303 |
working you will usually want to use <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
304 |
class='directory'>hgadmin</filename> for most |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
305 |
access control tasks. Once you have the right keys and |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
306 |
<filename>access.conf</filename> set up in <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
307 |
class='directory'>hgadmin</filename>, you |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
308 |
can delete <filename>/etc/mercurial-server/access.conf</filename> and all |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
309 |
of <filename class='directory'>/etc/mercurial-server/keys</filename>, |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
310 |
turning control entirely over to <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
311 |
class='directory'>hgadmin</filename>. |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
312 |
</para> |
127 | 313 |
<para> |
221 | 314 |
<filename>/etc/mercurial-server/remote-hgrc.d</filename> is in the |
127 | 315 |
<systemitem>HGRCPATH</systemitem> for all remote access to mercurial-server |
221 | 316 |
repositories. This directory contains the hooks that mercurial-server uses for |
317 |
access control and logging. You can add hooks to this directory, but obviously |
|
127 | 318 |
breaking the existing hooks will disable the relevant functionality and |
319 |
isn't advisable. |
|
320 |
</para> |
|
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
321 |
</section> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
322 |
<section> |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
323 |
<title>File and branch conditions</title> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
324 |
<para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
325 |
mercurial-server supports file and branch conditions, which restrict an |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
326 |
operation depending on what files it modifies and what branch the work is |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
327 |
on. </para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
328 |
<caution> |
128 | 329 |
The way these conditions work is subtle and can be counterintuitive. Unless |
330 |
you need what they provide, ignore this section, stick to user and repo |
|
140 | 331 |
conditions, and then things are likely to work the way you would expect. If |
332 |
you do need what they provide, read what follows very carefully. |
|
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
333 |
</caution> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
334 |
<para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
335 |
File and branch conditions are added to the conditions against which a rule |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
336 |
matches, just like user and repo conditions; they have this form: |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
337 |
</para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
338 |
<itemizedlist> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
339 |
<listitem> |
156
34925ee06f90
Silly to use literal inside code
Paul Crowley <paul@lshift.net>
parents:
155
diff
changeset
|
340 |
<code>file=<replaceable>globpattern</replaceable></code>: file within the repo |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
341 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
342 |
<listitem> |
156
34925ee06f90
Silly to use literal inside code
Paul Crowley <paul@lshift.net>
parents:
155
diff
changeset
|
343 |
<code>branch=<replaceable>globpattern</replaceable></code>: Mercurial branch name |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
344 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
345 |
</itemizedlist> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
346 |
<para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
347 |
However, in order to understand what effect adding these conditions will |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
348 |
have, it helps to understand how and when these rules are applied. |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
349 |
</para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
350 |
<para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
351 |
The rules file is used to make three decisions: |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
352 |
</para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
353 |
<itemizedlist> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
354 |
<listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
355 |
Whether to allow a repository to be created |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
356 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
357 |
<listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
358 |
Whether to allow any access to a repository |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
359 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
360 |
<listitem> |
139
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
361 |
Whether to allow a changeset |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
362 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
363 |
</itemizedlist> |
120 | 364 |
<para> |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
365 |
When the first two of these decisions are being made, nothing is known |
139
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
366 |
about any changsets that might be pushed, and so all file and branch |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
367 |
conditions automatically succeed for the purpose of such decisions. For the |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
368 |
third condition, every file changed in the changeset must be allowed by a |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
369 |
<literal>write</literal> or <literal>init</literal> rule for the changeset |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
370 |
to be allowed. |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
371 |
</para> |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
372 |
<para> |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
373 |
This means that doing tricky things with file conditions can have |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
374 |
counterintuitive consequences: |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
375 |
</para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
376 |
<itemizedlist> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
377 |
<listitem> |
149
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
378 |
<para>You cannot limit read access to a subset of a repository with a <literal>read</literal> |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
379 |
rule and a file condition: any user who has access to a repository can read |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
380 |
all of it and its full history. Such a rule can only have the effect of |
149
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
381 |
masking a later <literal>write</literal> rule, as in this example:</para> |
144
2dbaddde1fd5
programlisting also needs no initial blank lines
Paul Crowley <paul@lshift.net>
parents:
143
diff
changeset
|
382 |
<programlisting>read repo=specialrepo file=dontwritethis |
2dbaddde1fd5
programlisting also needs no initial blank lines
Paul Crowley <paul@lshift.net>
parents:
143
diff
changeset
|
383 |
write repo=specialrepo |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
384 |
</programlisting> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
385 |
<para> |
149
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
386 |
allows all users to read <literal>specialrepo</literal>, and to write to all files |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
387 |
<emphasis>except</emphasis> that any changeset which writes to |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
388 |
<filename>dontwritethis</filename> will be rejected. |
120 | 389 |
</para> |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
390 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
391 |
<listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
392 |
For similar reasons, don't give <literal>init</literal> rules file conditions. |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
393 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
394 |
<listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
395 |
<para>Don't try to deny write access to a particular file on a particular |
149
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
396 |
branch—a developer can write to the file on another branch and then merge |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
397 |
it in. Either deny all writes to the branch from that user, or allow them |
149
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
398 |
to write to all the files they can write to on any branch. |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
399 |
</para> |
144
2dbaddde1fd5
programlisting also needs no initial blank lines
Paul Crowley <paul@lshift.net>
parents:
143
diff
changeset
|
400 |
<programlisting>write user=docs/* branch=docs file=docs/* |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
401 |
</programlisting> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
402 |
<para> |
149
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
403 |
This rule grants users whose keys are in the <filename |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
404 |
class='directory'>docs</filename> subdirectory the power to push changesets |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
405 |
into any repository only if those changesets are on the |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
406 |
<literal>docs</literal> branch and they affect only those files directly |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
407 |
under the <filename class='directory'>docs</filename> directory. However, |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
408 |
the rules below have more counterintuitive consequences. |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
409 |
</para> |
144
2dbaddde1fd5
programlisting also needs no initial blank lines
Paul Crowley <paul@lshift.net>
parents:
143
diff
changeset
|
410 |
<programlisting>write user=docs/* branch=docs |
2dbaddde1fd5
programlisting also needs no initial blank lines
Paul Crowley <paul@lshift.net>
parents:
143
diff
changeset
|
411 |
write user=docs/* file=docs/* |
2dbaddde1fd5
programlisting also needs no initial blank lines
Paul Crowley <paul@lshift.net>
parents:
143
diff
changeset
|
412 |
read user=docs/* |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
413 |
</programlisting> |
149
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
414 |
<para> |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
415 |
These rules grant users whose keys are in the <filename |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
416 |
class='directory'>docs</filename> subdirectory the power to change any file directly under the <filename class='directory'>docs</filename> directory, or any file at all in the <literal>docs</literal> branch. Indirectly, however, this adds up to the power to change any file on any branch, simply by making the change on the docs branch and then merging the change into another branch. |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
417 |
</para> |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
418 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
419 |
</itemizedlist> |
120 | 420 |
</section> |
421 |
</section> |
|
422 |
<section> |
|
126
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
423 |
<title>How mercurial-server works</title> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
424 |
<para> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
425 |
All of the repositories controlled by mercurial-server are owned by a |
151
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
426 |
single user, the <systemitem |
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
427 |
class="username">hg</systemitem> user, which is why all URLs for |
155
3bff97f72a33
ssh:// is the start of a URI
Paul Crowley <paul@lshift.net>
parents:
154
diff
changeset
|
428 |
mercurial-server repositories start with <uri>ssh://hg@...</uri>. |
126
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
429 |
Each SSH key that has access to the repository has an entry in |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
430 |
<filename>~hg/.ssh/authorized_keys</filename>; this is how the SSH daemon |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
431 |
knows to give that key access. When the user connects over SSH, their |
150
02b464a6b433
Improvements to how it works section
Paul Crowley <paul@lshift.net>
parents:
149
diff
changeset
|
432 |
commands are run in a custom restricted shell; this shell knows which key |
02b464a6b433
Improvements to how it works section
Paul Crowley <paul@lshift.net>
parents:
149
diff
changeset
|
433 |
was used to connect, determines what the user is trying to do, checks the |
02b464a6b433
Improvements to how it works section
Paul Crowley <paul@lshift.net>
parents:
149
diff
changeset
|
434 |
access rules to decide whether to allow it, and if allowed invokes |
02b464a6b433
Improvements to how it works section
Paul Crowley <paul@lshift.net>
parents:
149
diff
changeset
|
435 |
Mercurial internally, without forking. |
126
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
436 |
</para> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
437 |
<para> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
438 |
This restricted shell also ensures that certain Mercurial extensions are |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
439 |
loaded when the user acts on a repository; these extensions check the |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
440 |
access control rules for any changeset that the user tries to commit, and |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
441 |
log all pushes and pulls into a per-repository access log. |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
442 |
</para> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
443 |
<para> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
444 |
<command>refresh-auth</command> recurses through the <filename |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
445 |
class='directory'>/etc/mercurial-server/keys</filename> and the <filename |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
446 |
class='directory'>keys</filename> directory in the |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
447 |
<filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
448 |
class='directory'>hgadmin</filename> repository, creating an entry in |
126
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
449 |
<filename>~hg/.ssh/authorized_keys</filename> for each one. This is redone |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
450 |
automatically whenever a change is pushed to <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
451 |
class='directory'>hgadmin</filename>. |
126
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
452 |
</para> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
453 |
</section> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
454 |
<section> |
120 | 455 |
<title>Security</title> |
456 |
<para> |
|
151
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
457 |
mercurial-server relies entirely on <command>sshd</command> to grant access to remote users. |
120 | 458 |
As a result, it runs no daemons, installs no setuid programs, and no part |
151
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
459 |
of it runs as <systemitem |
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
460 |
class="username">root</systemitem> except the install process: all programs run as the user |
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
461 |
<systemitem |
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
462 |
class="username">hg</systemitem>. Any attack on mercurial-server can only be started if the attacker |
137 | 463 |
already has a public key in <filename>~hg/.ssh/authorized_keys</filename>, |
151
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
464 |
otherwise <command>sshd</command> will bar the way. |
120 | 465 |
</para> |
466 |
<para> |
|
467 |
No matter what command the user tries to run on the remote system via SSH, |
|
468 |
mercurial-server is run. It parses the command line the user asked for, and |
|
151
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
469 |
interprets and runs the corresponding operation itself if access is |
120 | 470 |
allowed, so users can only read and add to history within repositories; |
151
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
471 |
they cannot run any other command. In addition, every push and pull is |
120 | 472 |
logged with a datestamp, changeset ID and the key that performed the |
473 |
operation. |
|
474 |
</para> |
|
475 |
<para> |
|
476 |
However, while the first paragraph holds no matter what bugs |
|
477 |
mercurial-server contains, the second depends on the relevant code being |
|
478 |
correct; though the entire codebase is short, mercurial-server is a fairly |
|
479 |
new program and may harbour bugs. Backups are essential! |
|
480 |
</para> |
|
481 |
</section> |
|
482 |
<section> |
|
129 | 483 |
<title>Legalese</title> |
484 |
<para> |
|
485 |
This program is free software; you can redistribute it and/or modify it |
|
486 |
under the terms of the GNU General Public License as published by the Free |
|
487 |
Software Foundation; either version 2 of the License, or (at your option) |
|
488 |
any later version. |
|
489 |
</para> |
|
490 |
<para> |
|
491 |
This program is distributed in the hope that it will be useful, but |
|
492 |
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
|
493 |
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for |
|
494 |
more details. |
|
495 |
</para> |
|
496 |
<para> |
|
497 |
You should have received a copy of the GNU General Public License along |
|
498 |
with this program; if not, write to the Free Software Foundation, Inc., 51 |
|
499 |
Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
|
500 |
</para> |
|
501 |
</section> |
|
502 |
<section> |
|
120 | 503 |
<title>Thanks</title> |
504 |
<para> |
|
505 |
Thanks for reading this far. If you use mercurial-server, please tell me about |
|
506 |
it. |
|
507 |
</para> |
|
508 |
<para> |
|
509 |
Paul Crowley, <email>paul@lshift.net</email>, 2009 |
|
119 | 510 |
</para> |
511 |
</section> |
|
512 |
</article> |
|
513 |