author | Paul Crowley <paul@lshift.net> |
Fri, 20 Feb 2009 15:47:52 +0000 | |
changeset 58 | 207a413897b4 |
parent 57 | fdf8f5f0c283 |
child 60 | 909f3801ee44 |
child 62 | f1e319d3672a |
permissions | -rw-r--r-- |
36
b3237aabd0fe
Change the name to mercurial-server
Paul Crowley <paul@lshift.net>
parents:
30
diff
changeset
|
1 |
mercurial-server |
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
2 |
|
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
3 |
A set of tools for managing authorization and access control for |
12 | 4 |
ssh-based Mercurial repositories |
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
5 |
|
50
77d97aa18f29
update dates and copyright notices
Paul Crowley <paul@lshift.net>
parents:
49
diff
changeset
|
6 |
Paul Crowley, paul@lshift.net, 2008-2009 |
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
7 |
|
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
8 |
This software may be used and distributed according to the terms |
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
9 |
of the GNU General Public License, incorporated herein by reference. |
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
10 |
|
12 | 11 |
WHAT IT GIVES YOU |
12 |
||
14
e7d5254cd0ca
fix repo confusion in README per Matthias's comments
Paul Crowley <paul@ciphergoth.org>
parents:
13
diff
changeset
|
13 |
These tools make it easier to provide a centralized repository host |
e7d5254cd0ca
fix repo confusion in README per Matthias's comments
Paul Crowley <paul@ciphergoth.org>
parents:
13
diff
changeset
|
14 |
with read/write access to many repositories for many developers. |
e7d5254cd0ca
fix repo confusion in README per Matthias's comments
Paul Crowley <paul@ciphergoth.org>
parents:
13
diff
changeset
|
15 |
|
49 | 16 |
All of the repositories controlled by these tools are owned by a single user |
17 |
(the "hg" user in what follows), but many remote users can act on them, and |
|
18 |
different users can have different permissions. We don't use file permissions to |
|
19 |
achieve that - instead, developers log in as the "hg" user when they connect to |
|
20 |
the repository host using ssh, using ssh URLs of the form |
|
21 |
"ssh://hg@repository-host/repository-name". A restricted shell prevents them |
|
22 |
from using this access for unauthorized purposes. Developers are authenticated |
|
23 |
only using SSH keys; no other form of authentication is supported. |
|
12 | 24 |
|
49 | 25 |
To give a user access to the repository, place their key in an |
26 |
appropriately-named subdirectory of "/etc/mercurial-server/keys" and run |
|
27 |
"/etc/mercurial-server/refresh-auth". You can then control what access they have |
|
28 |
to what repositories by editing the control file |
|
29 |
"/etc/mercurial-server/access.conf", which can match the names of these keys |
|
30 |
against a glob pattern. |
|
31 |
||
32 |
For convenient remote control of access, you can instead (if you have the |
|
33 |
privileges) make changes to a special repository called "hgadmin", which |
|
34 |
contains its own "access.conf" file and "keys" directory. Changes pushed to this |
|
35 |
repository take effect immediately. The two "access.conf" files are |
|
36 |
concatenated, and the keys directories merged. |
|
12 | 37 |
|
28
583ed103e021
update README to reflect new scripted installer
Paul Crowley <paul@ciphergoth.org>
parents:
26
diff
changeset
|
38 |
QUICK START |
12 | 39 |
|
49 | 40 |
You and all developers using this system will need an SSH public key, and will |
41 |
almost certainly want to be running ssh-agent (or its equivalent, eg Pageant |
|
42 |
under Windows). If you're not familiar with ssh-agent, you should learn about |
|
43 |
that before using this. |
|
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
44 |
|
49 | 45 |
In what follows, certain operations (eg installing mercurial-server itself) have |
46 |
to be done on the repository server (which we call "repository-host"), but any |
|
47 |
operation that involves checking in or out of Mercurial can be done wherever is |
|
48 |
most convenient to you; the most usual arrangment would be that you'd do these |
|
49 |
things at the machine you sit at, and on which you run ssh-agent, which is what |
|
50 |
authenticates you when you talk to the repository server. |
|
51 |
||
52 |
Ensure there is no user called "hg" on the repository host, and run "./install". |
|
53 |
This installs the mercurial-server files and control files, and creates and sets |
|
54 |
up the "hg" user. |
|
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
55 |
|
49 | 56 |
Place your SSH public key in the directory "/etc/mercurial-server/keys/root". I |
57 |
suggest creating yourself a directory and naming the key after your hostname (ie |
|
58 |
the file is called something like |
|
59 |
"/etc/mercurial-server/keys/root/yourname/yourhostname") so that you can easily |
|
60 |
manage users who have a different key on each host they use. Then run |
|
61 |
"/etc/mercurial-server/refresh-auth". |
|
62 |
||
63 |
The repository is now ready to use, and you are now the sole user able to change |
|
64 |
and create repositories on this repository host. |
|
65 |
||
66 |
CREATING REPOSITORIES |
|
67 |
||
68 |
To create a new repository, you clone a local repository onto the remote server. |
|
69 |
So if you want a new empty repository called "myproject", you can do (as |
|
70 |
yourself): |
|
71 |
||
72 |
hg init myproject |
|
73 |
hg clone myproject ssh://hg@repository-host/myproject |
|
74 |
||
75 |
ADDING OTHER USERS |
|
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
76 |
|
49 | 77 |
Because your key is in the "keys/root" subdirectory, you have the equivalent of |
78 |
"root privileges" over mercurial-server (not the whole computer, just |
|
79 |
mercurial-server). You can add other root users by putting their keys next to |
|
80 |
yours, or you can make less privileged users by putting their keys in the |
|
81 |
"keys/users" subdirectory - these users will be able to read and write to any |
|
82 |
repository (except one - see below) but will not be able to create new |
|
83 |
repositories. As always, when you change "/etc/mercurial-server/keys" you need |
|
84 |
to re-run "/etc/mercurial-server/refresh-auth". |
|
85 |
||
57
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
86 |
LOGGING |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
87 |
|
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
88 |
Every push and pull is logged with the key used: see the file .hg/serve-log in |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
89 |
each repository. |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
90 |
|
49 | 91 |
USING HGADMIN |
92 |
||
93 |
It can be inconvenient to log on to the repository server, become root, copy |
|
94 |
keys around, and run "refresh-auth" every time you want to change user |
|
95 |
privileges. This is where mercurial-server shines :-) Suppose you have another |
|
96 |
user's SSH public key in the file "/tmp/theirkey" (on the machine you sit at, |
|
97 |
not necessarily the repository server) and you want to give them user-level |
|
98 |
access to the repository server. Run these commands: |
|
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
99 |
|
49 | 100 |
hg clone ssh://hg@repository-server/hgadmin |
101 |
cd hgadmin |
|
102 |
mkdir keys/user/thatuser |
|
103 |
cp /tmp/theirkey keys/user/thatuser/theirhostname |
|
104 |
hg add |
|
105 |
hg commit -m "Added key for thatuser" |
|
106 |
hg push |
|
14
e7d5254cd0ca
fix repo confusion in README per Matthias's comments
Paul Crowley <paul@ciphergoth.org>
parents:
13
diff
changeset
|
107 |
|
49 | 108 |
In other words, hgadmin is a version controlled version of |
109 |
"/etc/mercurial-server/keys", and changes to it take effect immediately. Only |
|
110 |
"keys/root" users can act on "hgadmin" - those with keys in "keys/users" are |
|
111 |
locked out. Multiple admins can use Mercurial's version control to cooperate on |
|
112 |
controlling access to the repository server in a natural way. You can also add |
|
113 |
"root" users by putting their key in the "keys/root" directory in just the same |
|
114 |
way - these users will now be able to control hgadmin and create new |
|
115 |
repositories just as you can. |
|
14
e7d5254cd0ca
fix repo confusion in README per Matthias's comments
Paul Crowley <paul@ciphergoth.org>
parents:
13
diff
changeset
|
116 |
|
49 | 117 |
ACCESS.CONF |
13 | 118 |
|
49 | 119 |
Out of the box, there are just two kinds of users: the ones with keys in |
120 |
"keys/root" and those in "keys/users". However, you can change this by editing |
|
121 |
"access.conf". There are two "access.conf" files, one in "/etc/mercurial-server" |
|
122 |
and one in "hgadmin"; the two are simply concatenated before being read. |
|
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
123 |
|
49 | 124 |
Each line of access.conf has the following syntax: |
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
125 |
|
18
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
126 |
<rule> <condition> <condition> ... |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
127 |
|
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
128 |
Rule is one of |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
129 |
|
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
130 |
init - allow any operation, including the creation of new repositories |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
131 |
write - allow reads and writes to this file in this repository |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
132 |
read - allow the repo to be read but reject matching writes |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
133 |
deny - deny all requests |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
134 |
|
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
135 |
A condition is a globpattern matched against a relative path, one of: |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
136 |
|
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
137 |
user=<globpattern> - user's key |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
138 |
repo=<globpattern> - repo (as the user supplies it) |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
139 |
file=<globpattern> - file in the repo |
20
f4daa224dc7e
Add support for locking by branch, and document breaking in.
Paul Crowley <paul@ciphergoth.org>
parents:
18
diff
changeset
|
140 |
branch=<globpattern> - name of the branch |
18
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
141 |
|
57
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
142 |
The first rule in the file which has all its conditions satisfied is used to |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
143 |
determine whether an action is allowed. |
18
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
144 |
|
57
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
145 |
Paths cannot contain any special characters except "/"; glob patterns cannot |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
146 |
contain any special characters except "/" and "*". "*" matches zero or more |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
147 |
characters not including "/" while "**" matches zero or more characters |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
148 |
including "/". |
18
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
149 |
|
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
150 |
Blank lines and lines that start with "#" are ignored. |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
151 |
|
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
152 |
FILE CONDITIONS |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
153 |
|
49 | 154 |
mercurial-server supports file and branch conditions, which restrict an |
155 |
operation depending on what files it modifies and what branch the work is on. |
|
156 |
However, the way these conditions work is subtle and can be counterintuitive - |
|
157 |
if you want to keep things simple, stick to user and repo conditions, and then |
|
158 |
things are likely to work the way you would expect. |
|
159 |
||
20
f4daa224dc7e
Add support for locking by branch, and document breaking in.
Paul Crowley <paul@ciphergoth.org>
parents:
18
diff
changeset
|
160 |
The rules file is used to make four decisions: |
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
161 |
|
18
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
162 |
- Whether to allow a repository to be created |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
163 |
- Whether to allow access to a repository |
20
f4daa224dc7e
Add support for locking by branch, and document breaking in.
Paul Crowley <paul@ciphergoth.org>
parents:
18
diff
changeset
|
164 |
- Whether to allow a changeset on a particular branch at all |
18
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
165 |
- Whether to allow a changeset to change a particular file |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
166 |
|
57
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
167 |
When the first two of these decisions are being made, nothing is known about |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
168 |
what files might be changed, and so all file conditions automatically succeed |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
169 |
for the purpose of such decisions. This means that doing tricky things with file |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
170 |
conditions can have counterintuitive consequences: |
18
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
171 |
|
57
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
172 |
- You cannot limit read access to a subset of a repository with a "read" rule |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
173 |
and a file condition: any user who has access to a repository can read all of it |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
174 |
and its full history. Such a rule can only have the effect of masking a later |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
175 |
"write" rule, as in this example: |
18
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
176 |
|
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
177 |
read repo=specialrepo file=dontwritethis |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
178 |
write repo=specialrepo |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
179 |
|
57
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
180 |
allows all users to read specialrepo, and to write to all files *except* that |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
181 |
any changeset which writes to "dontwritethis" will be rejected. |
18
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
182 |
|
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
183 |
- For similar reasons, don't give "init" rules file conditions. |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
184 |
|
57
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
185 |
- Don't try to deny write access to a particular file on a particular branch - a |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
186 |
developer can write to the file on another branch and then merge it in. Either |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
187 |
deny all writes to the branch from that user, or allow them to write to all the |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
188 |
files they can write to on any branch. In other words, something like this will |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
189 |
have the intended effect: |
26
2c4f499ea12f
Explain limitations of branch/file rule combination
Paul Crowley <paul@lshift.net>
parents:
20
diff
changeset
|
190 |
|
2c4f499ea12f
Explain limitations of branch/file rule combination
Paul Crowley <paul@lshift.net>
parents:
20
diff
changeset
|
191 |
write user=docs/* branch=docs file=docs/* |
2c4f499ea12f
Explain limitations of branch/file rule combination
Paul Crowley <paul@lshift.net>
parents:
20
diff
changeset
|
192 |
|
57
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
193 |
But something like this will not have the intended effect; it will effectively |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
194 |
allow these users to write to any file on any branch, by writing it to "docs" |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
195 |
first: |
26
2c4f499ea12f
Explain limitations of branch/file rule combination
Paul Crowley <paul@lshift.net>
parents:
20
diff
changeset
|
196 |
|
2c4f499ea12f
Explain limitations of branch/file rule combination
Paul Crowley <paul@lshift.net>
parents:
20
diff
changeset
|
197 |
write user=docs/* branch=docs |
2c4f499ea12f
Explain limitations of branch/file rule combination
Paul Crowley <paul@lshift.net>
parents:
20
diff
changeset
|
198 |
write user=docs/* file=docs/* |
2c4f499ea12f
Explain limitations of branch/file rule combination
Paul Crowley <paul@lshift.net>
parents:
20
diff
changeset
|
199 |
read user=docs/* |
2c4f499ea12f
Explain limitations of branch/file rule combination
Paul Crowley <paul@lshift.net>
parents:
20
diff
changeset
|
200 |
|
28
583ed103e021
update README to reflect new scripted installer
Paul Crowley <paul@ciphergoth.org>
parents:
26
diff
changeset
|
201 |
HOW IT WORKS |
583ed103e021
update README to reflect new scripted installer
Paul Crowley <paul@ciphergoth.org>
parents:
26
diff
changeset
|
202 |
|
57
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
203 |
When a developer attempts to connect to a repository via ssh, the SSH daemon |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
204 |
searches for a match for that user's key in ~hg/.ssh/authorized_keys. If the |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
205 |
developer is authorised to connect to the repository they will have an entry in |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
206 |
this file. The entry includes a "command" prefix which specifies that the |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
207 |
restricted shell should be used; this shell is passed an argument identifying |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
208 |
the developer. The shell parses the command the developer is trying to execute, |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
209 |
and consults a rules file to see if that developer is allowed to perform that |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
210 |
action on that repository. The bulk of the work of the restricted shell is done |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
211 |
by the Python program "hg-ssh", but the shell script "hg-ssh-wrapper" sets up |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
212 |
some configuration so that you can change it to suit your local installation. |
28
583ed103e021
update README to reflect new scripted installer
Paul Crowley <paul@ciphergoth.org>
parents:
26
diff
changeset
|
213 |
|
57
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
214 |
The file ~hg/.ssh/authorized_keys is generated by "refresh-auth", which recurses |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
215 |
through two directories of files containing SSH keys and generates an entry in |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
216 |
authorized_keys for each one, using the name of the key file as the identifier |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
217 |
for the developer. These keys will live in the "keys" subdirectory |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
218 |
"/etc/mercurial-server" and the "keys" subdirectory of a repository called |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
219 |
"hgadmin". A hook in this repository re-runs "refresh-auth" on the most recent |
28
583ed103e021
update README to reflect new scripted installer
Paul Crowley <paul@ciphergoth.org>
parents:
26
diff
changeset
|
220 |
version after every push. |
583ed103e021
update README to reflect new scripted installer
Paul Crowley <paul@ciphergoth.org>
parents:
26
diff
changeset
|
221 |
|
57
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
222 |
Finally, hook in an extension is run for each changeset that is remotely |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
223 |
committed, which uses the rules file to determine whether to allow the |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
224 |
changeset. |
28
583ed103e021
update README to reflect new scripted installer
Paul Crowley <paul@ciphergoth.org>
parents:
26
diff
changeset
|
225 |
|
49 | 226 |
LOCKED OUT? |
20
f4daa224dc7e
Add support for locking by branch, and document breaking in.
Paul Crowley <paul@ciphergoth.org>
parents:
18
diff
changeset
|
227 |
|
49 | 228 |
Once you're working with "hgadmin", it can be convenient to remove all the keys |
229 |
in "/etc/mercurial-server/keys" and all the entries in |
|
230 |
"/etc/mercurial-server/access.conf" and use hgadmin to control everything. If |
|
231 |
you find yourself locked out, you can get back in again by restoring some of the |
|
232 |
entries you removed from these files - remember, |
|
233 |
"/etc/mercurial-server/access.conf" takes precedence over the "access.conf" in |
|
234 |
"hgadmin". |
|
20
f4daa224dc7e
Add support for locking by branch, and document breaking in.
Paul Crowley <paul@ciphergoth.org>
parents:
18
diff
changeset
|
235 |
|
18
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
236 |
THANKS |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
237 |
|
57
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
238 |
Thanks for reading this far. If you use mercurial-server, please tell me about |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
239 |
it. |
18
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
240 |
|
50
77d97aa18f29
update dates and copyright notices
Paul Crowley <paul@lshift.net>
parents:
49
diff
changeset
|
241 |
Paul Crowley, 2009 |
77d97aa18f29
update dates and copyright notices
Paul Crowley <paul@lshift.net>
parents:
49
diff
changeset
|
242 |