author | Paul Crowley <paul@lshift.net> |
Sat, 07 Mar 2009 10:05:14 +0000 | |
changeset 87 | 535502c18eaa |
parent 83 | 86ec1268d306 |
child 100 | db219a5a14f8 |
permissions | -rw-r--r-- |
36
b3237aabd0fe
Change the name to mercurial-server
Paul Crowley <paul@lshift.net>
parents:
30
diff
changeset
|
1 |
mercurial-server |
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
2 |
|
66
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
3 |
mercurial-server makes a group of repositories available to the developers |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
4 |
you choose, identified by ssh keys, with easy key and access management |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
5 |
based on hg. |
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
6 |
|
82 | 7 |
http://hg.opensource.lshift.net/mercurial-server/ |
8 |
||
9 |
Copyright (C) 2008-2009 LShift Ltd. |
|
10 |
||
11 |
This program is free software; you can redistribute it and/or modify |
|
12 |
it under the terms of the GNU General Public License as published by |
|
13 |
the Free Software Foundation; either version 2 of the License, or |
|
14 |
(at your option) any later version. |
|
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
15 |
|
82 | 16 |
This program is distributed in the hope that it will be useful, |
17 |
but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
18 |
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
19 |
GNU General Public License for more details. |
|
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
20 |
|
82 | 21 |
You should have received a copy of the GNU General Public License along |
22 |
with this program; if not, write to the Free Software Foundation, Inc., |
|
23 |
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
|
24 |
||
25 |
SUMMARY |
|
26 |
||
27 |
mercurial-server makes a group of repositories available to the developers |
|
28 |
you choose, identified by ssh keys, with easy key and access management |
|
29 |
based on hg. |
|
60 | 30 |
|
66
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
31 |
All of the repositories controlled by mercurial-server are owned by a |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
32 |
single user (the "hg" user in what follows), but many remote users can act |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
33 |
on them, and different users can have different permissions. We don't use |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
34 |
file permissions to achieve that - instead, developers log in as the "hg" |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
35 |
user when they connect to the repository host using ssh, using ssh URLs of |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
36 |
the form "ssh://hg@repository-host/repository-name". A restricted shell |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
37 |
prevents them from using this access for unauthorized purposes. Developers |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
38 |
are authenticated only using SSH keys; no other form of authentication is |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
39 |
supported. |
12 | 40 |
|
49 | 41 |
To give a user access to the repository, place their key in an |
42 |
appropriately-named subdirectory of "/etc/mercurial-server/keys" and run |
|
81
f23736ad66bc
Update README to reflect absence of wrappers
Paul Crowley <paul@lshift.net>
parents:
66
diff
changeset
|
43 |
"/usr/local/lib/mercurial-server/refresh-auth". You can then control what |
f23736ad66bc
Update README to reflect absence of wrappers
Paul Crowley <paul@lshift.net>
parents:
66
diff
changeset
|
44 |
access they have to what repositories by editing the control file |
f23736ad66bc
Update README to reflect absence of wrappers
Paul Crowley <paul@lshift.net>
parents:
66
diff
changeset
|
45 |
"/etc/mercurial-server/access.conf", which can match the names of these keys |
f23736ad66bc
Update README to reflect absence of wrappers
Paul Crowley <paul@lshift.net>
parents:
66
diff
changeset
|
46 |
against a glob pattern. |
49 | 47 |
|
48 |
For convenient remote control of access, you can instead (if you have the |
|
49 |
privileges) make changes to a special repository called "hgadmin", which |
|
66
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
50 |
contains its own "access.conf" file and "keys" directory. Changes pushed to |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
51 |
this repository take effect immediately. The two "access.conf" files are |
49 | 52 |
concatenated, and the keys directories merged. |
12 | 53 |
|
28
583ed103e021
update README to reflect new scripted installer
Paul Crowley <paul@ciphergoth.org>
parents:
26
diff
changeset
|
54 |
QUICK START |
12 | 55 |
|
66
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
56 |
You and all developers using this system will need an SSH public key, and |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
57 |
will almost certainly want to be running ssh-agent (or its equivalent, eg |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
58 |
Pageant under Windows). If you're not familiar with ssh-agent, you should |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
59 |
learn about that before using this. |
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
60 |
|
66
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
61 |
In what follows, certain operations (eg installing mercurial-server itself) |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
62 |
have to be done on the repository server (which we call "repository-host"), |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
63 |
but any operation that involves checking in or out of Mercurial can be done |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
64 |
wherever is most convenient to you; the most usual arrangment would be that |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
65 |
you'd do these things at the machine you sit at, and on which you run |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
66 |
ssh-agent, which is what authenticates you when you talk to the repository |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
67 |
server. |
49 | 68 |
|
66
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
69 |
Ensure there is no user called "hg" on the repository host, and run |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
70 |
"./install". This installs the mercurial-server files and control files, and |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
71 |
creates and sets up the "hg" user. |
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
72 |
|
66
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
73 |
Place your SSH public key in the directory "/etc/mercurial-server/keys/root". |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
74 |
I suggest creating yourself a directory and naming the key after your hostname |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
75 |
(ie the file is called something like |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
76 |
"/etc/mercurial-server/keys/root/yourname/yourhostname") so that you can |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
77 |
easily manage users who have a different key on each host they use. Then run |
81
f23736ad66bc
Update README to reflect absence of wrappers
Paul Crowley <paul@lshift.net>
parents:
66
diff
changeset
|
78 |
"/usr/local/lib/mercurial-server/refresh-auth". |
49 | 79 |
|
66
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
80 |
The repository is now ready to use, and you are now the sole user able to |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
81 |
change and create repositories on this repository host. |
49 | 82 |
|
83 |
CREATING REPOSITORIES |
|
84 |
||
66
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
85 |
To create a new repository, you clone a local repository onto the remote |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
86 |
server. So if you want a new empty repository called "myproject", you can do |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
87 |
(as yourself): |
49 | 88 |
|
89 |
hg init myproject |
|
90 |
hg clone myproject ssh://hg@repository-host/myproject |
|
91 |
||
92 |
ADDING OTHER USERS |
|
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
93 |
|
66
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
94 |
Because your key is in the "keys/root" subdirectory, you have the equivalent |
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
95 |
of "root privileges" over mercurial-server (not the whole computer, just |
49 | 96 |
mercurial-server). You can add other root users by putting their keys next to |
97 |
yours, or you can make less privileged users by putting their keys in the |
|
98 |
"keys/users" subdirectory - these users will be able to read and write to any |
|
99 |
repository (except one - see below) but will not be able to create new |
|
100 |
repositories. As always, when you change "/etc/mercurial-server/keys" you need |
|
81
f23736ad66bc
Update README to reflect absence of wrappers
Paul Crowley <paul@lshift.net>
parents:
66
diff
changeset
|
101 |
to re-run "/usr/local/lib/mercurial-server/refresh-auth". |
49 | 102 |
|
57
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
103 |
LOGGING |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
104 |
|
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
105 |
Every push and pull is logged with the key used: see the file .hg/serve-log in |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
106 |
each repository. |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
107 |
|
49 | 108 |
USING HGADMIN |
109 |
||
110 |
It can be inconvenient to log on to the repository server, become root, copy |
|
111 |
keys around, and run "refresh-auth" every time you want to change user |
|
112 |
privileges. This is where mercurial-server shines :-) Suppose you have another |
|
113 |
user's SSH public key in the file "/tmp/theirkey" (on the machine you sit at, |
|
114 |
not necessarily the repository server) and you want to give them user-level |
|
115 |
access to the repository server. Run these commands: |
|
2
a69f7bea408c
added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff
changeset
|
116 |
|
49 | 117 |
hg clone ssh://hg@repository-server/hgadmin |
118 |
cd hgadmin |
|
83
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
119 |
mkdir keys/users/thatuser |
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
120 |
cp /tmp/theirkey keys/users/thatuser/theirhostname |
49 | 121 |
hg add |
122 |
hg commit -m "Added key for thatuser" |
|
123 |
hg push |
|
14
e7d5254cd0ca
fix repo confusion in README per Matthias's comments
Paul Crowley <paul@ciphergoth.org>
parents:
13
diff
changeset
|
124 |
|
49 | 125 |
In other words, hgadmin is a version controlled version of |
83
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
126 |
"/etc/mercurial-server", and changes to it take effect immediately - |
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
127 |
"refresh-auth" is run after every push. |
14
e7d5254cd0ca
fix repo confusion in README per Matthias's comments
Paul Crowley <paul@ciphergoth.org>
parents:
13
diff
changeset
|
128 |
|
83
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
129 |
With the default access.conf file (see doc/configuring-access for more |
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
130 |
details) only users in "keys/root" can act on "hgadmin" - those with keys in |
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
131 |
"keys/users" cannot even read this repository. So multiple admins can use |
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
132 |
Mercurial's version control to cooperate on controlling access to the |
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
133 |
repository server in a natural way. |
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
134 |
|
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
135 |
You can also create an "access.conf" file in hgadmin, and this is appended to |
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
136 |
/etc/mercurial-server/access.conf whenever this is read - in other words, |
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
137 |
rules in the latter take precedence over those in the former. So once you're |
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
138 |
working with "hgadmin", it can be convenient to remove all the keys in |
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
139 |
"/etc/mercurial-server/keys" and all the entries in |
61 | 140 |
"/etc/mercurial-server/access.conf" and use hgadmin to control everything. If |
66
2f0ea1163b9e
Change intro to README and linewrap at column 75
Paul Crowley <paul@lshift.net>
parents:
63
diff
changeset
|
141 |
you find yourself locked out, you can get back in again by restoring some of |
83
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
142 |
the entries you removed from these files. |
18
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
143 |
|
83
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
144 |
MORE INFORMATION |
28
583ed103e021
update README to reflect new scripted installer
Paul Crowley <paul@ciphergoth.org>
parents:
26
diff
changeset
|
145 |
|
83
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
146 |
For more on how to use mercurial-server and configure access, see the files in |
86ec1268d306
Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
82
diff
changeset
|
147 |
the doc directory. |
20
f4daa224dc7e
Add support for locking by branch, and document breaking in.
Paul Crowley <paul@ciphergoth.org>
parents:
18
diff
changeset
|
148 |
|
18
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
149 |
THANKS |
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
150 |
|
57
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
151 |
Thanks for reading this far. If you use mercurial-server, please tell me about |
fdf8f5f0c283
re-wrap paras to be consistent; briefly document logging
Paul Crowley <paul@lshift.net>
parents:
50
diff
changeset
|
152 |
it. |
18
538d6b198f4a
Big change to support file conditions; format of hg-ssh-access.conf
Paul Crowley <paul@lshift.net>
parents:
15
diff
changeset
|
153 |
|
50
77d97aa18f29
update dates and copyright notices
Paul Crowley <paul@lshift.net>
parents:
49
diff
changeset
|
154 |
Paul Crowley, 2009 |