mercurial-server: README@1206ed37090a (annotated)

13 1206ed37090a more README fixes Paul Crowley <paul@ciphergoth.org> parents: 12 diff changeset	1	hg-admin-tools
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	2
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	3	A set of tools for managing authorization and access control for
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	4	ssh-based Mercurial repositories
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	5
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	6	Paul Crowley, paul@lshift.net, 2008
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	7
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	8	This software may be used and distributed according to the terms
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	9	of the GNU General Public License, incorporated herein by reference.
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	10
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	11	WHAT IT GIVES YOU
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	12
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	13	You maintain a local Mercurial repository called "hgadmin" which
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	14	controls what access is allowed to whom. When you push a new version
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	15	of this repository to the repository host, changes take effect
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	16	immediately, so familiar "hg" commands are all that are needed to
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	17	maintain it. A "keys" directory contains the SSH keys of all the
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	18	developers who have access, while "hg-ssh-access.conf" gives a set of
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	19	rules defining who can do what to what.
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	20
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	21	HOW IT WORKS
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	22
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	23	The repository is owned by a single user (the "hg" user in what
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	24	follows), but many remote users can act on it. We don't use file
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	25	permissions to achieve that - instead, developers log in as the "hg"
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	26	user when they connect to the repository host using ssh, using ssh
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	27	URLs of the form "ssh://hg@repository-host/repository-name". A
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	28	restricted shell prevents them from using this access for unauthorized
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	29	purposes.
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	30
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	31	Developers are authenticated only using SSH keys; no other form of
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	32	authentication is supported. When a developer attempts to connect to
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	33	a repository via ssh, the SSH daemon searches for a match for that
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	34	user's key in ~hg/.ssh/authorized_keys. If the developer is
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	35	authorised to connect to the repository they will have an entry in
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	36	this file. The entry includes a "command" prefix which specifies that
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	37	the restricted shell should be used; this shell is passed an argument
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	38	identifying the developer. The shell parses the command the developer
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	39	is trying to execute, and consults a rules file to see if that
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	40	developer is allowed to perform that action on that repository. The
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	41	bulk of the work of the restricted shell is done by the Python program
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	42	"hg-ssh", but the shell script "hg-ssh-wrapper" sets up some
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	43	configuration so that you can change it to suit your local installation.
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	44
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	45	The file ~hg/.ssh/authorized_keys is generated by "refresh-auth",
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	46	which recurses through a directory of files containing SSH keys and
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	47	generates an entry in authorized_keys for each one, using the name of
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	48	the key file as the identifier for the developer. These keys will
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	49	live in the "keys" subdirectory of a repository, "hgadmin". A hook in
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	50	this repository re-runs "refresh-auth" on the most recent version
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	51	after every push.
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	52
13 1206ed37090a more README fixes Paul Crowley <paul@ciphergoth.org> parents: 12 diff changeset	53	GETTING STARTED
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	54
10 524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	55	This is only one setup - it can be tweaked in many ways, and is as
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	56	specific as it is only in the interests of brevity.
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	57
10 524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	58	You, and all users of your Hg repository, will need SSH public key
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	59	authentication set up, preferably working with ssh-agent so you don't
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	60	have to type in your passphrase all the time. I assume you've done
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	61	that in what follows, so if you've done something different you'll
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	62	need to change it appropriately.
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	63
10 524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	64	Create a user called "hg" on the machine where the repository will
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	65	live. I used the command
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	66
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	67	sudo adduser --system --shell /bin/sh --group --disabled-password \
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	68	--gecos "Mercural repository" hg
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	69
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	70	Issue these commands to become the hg user and set up the repository.
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	71	Use your own name in place of "myname".
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	72
13 1206ed37090a more README fixes Paul Crowley <paul@ciphergoth.org> parents: 12 diff changeset	73	ssh-add -L >> /tmp/my-ssh-public-key
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	74	sudo -u hg -s
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	75	cd ~hg
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	76	mkdir -p admin repos/hgadmin/keys/admin
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	77	cd admin
13 1206ed37090a more README fixes Paul Crowley <paul@ciphergoth.org> parents: 12 diff changeset	78	hg clone http://hg.opensource.lshift.net/hg-admin-tools
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	79	cp hg-admin-tools/hg-ssh-wrapper ~
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	80	cd ../repos/hgadmin
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	81	hg init .
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	82	echo "init admin/* *" > hg-ssh-access.conf
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	83	cp /tmp/my-ssh-public-key keys/admin/myname
13 1206ed37090a more README fixes Paul Crowley <paul@ciphergoth.org> parents: 12 diff changeset	84	hg add
1206ed37090a more README fixes Paul Crowley <paul@ciphergoth.org> parents: 12 diff changeset	85	hg commit
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	86	cp ~/admin/hg-admin-tools/hgadmin-hgrc .hg/hgrc
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	87	../../admin/hg-admin-tools/refresh-auth
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	88	exit
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	89
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	90	You should now have SSH access to this repository and full control.
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	91	To administer these controls (and test your access), check out hgadmin:
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	92
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	93	mkdir ~/hg
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	94	cd ~/hg
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	95	hg clone ssh://hg@repository-host-name/hgadmin
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	96	cd hgadmin
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	97
10 524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	98	You can now add other users by putting their keys in an appropriate
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	99	subdirectory of the "keys" directory, and control their access by
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	100	editing hg-ssh-access.conf. Changes will take effect as soon as you
13 1206ed37090a more README fixes Paul Crowley <paul@ciphergoth.org> parents: 12 diff changeset	101	push them to the remote repository.
1206ed37090a more README fixes Paul Crowley <paul@ciphergoth.org> parents: 12 diff changeset	102
1206ed37090a more README fixes Paul Crowley <paul@ciphergoth.org> parents: 12 diff changeset	103	HG-SSH-ACCESS.CONF
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	104
10 524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	105	Each line of hg-ssh-access.conf has the following syntax:
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	106
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	107	<rule> <keypattern> <repositorypattern>
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	108
10 524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	109	The "rule" is either "init", "allow", or "deny". "keypattern" is a
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	110	glob pattern matched against the name of the key used - for example,
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	111	in our initial setup "admin/myname" matches "admin/*".
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	112	"repositorypattern" is a pattern matched againt the repository name -
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	113	so "hgadmin" matches "*". Only boring characters are allowed in
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	114	patterns and key and repository names - see the source for details.
13 1206ed37090a more README fixes Paul Crowley <paul@ciphergoth.org> parents: 12 diff changeset	115	Blank lines and lines that start with "#" are ignored. The first rule
1206ed37090a more README fixes Paul Crowley <paul@ciphergoth.org> parents: 12 diff changeset	116	to match both the key and the repository applies: "deny" will deny all
1206ed37090a more README fixes Paul Crowley <paul@ciphergoth.org> parents: 12 diff changeset	117	matching requests, "allow" allows read/write access to existing
1206ed37090a more README fixes Paul Crowley <paul@ciphergoth.org> parents: 12 diff changeset	118	repositories, and "init" allows that and creation of new repositories.

author	Paul Crowley <paul@ciphergoth.org>
	Fri, 18 Apr 2008 09:13:37 +0100
changeset 13	1206ed37090a
parent 12	834426fcbada
child 14	e7d5254cd0ca
permissions	-rw-r--r--