README
author Paul Crowley <paul@lshift.net>
Thu, 17 Apr 2008 17:34:07 +0100
changeset 12 834426fcbada
parent 10 524b4a45ef0a
child 13 1206ed37090a
permissions -rw-r--r--
rewrote README
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     1
hg-admin-tools version 0.1
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     3
A set of tools for managing authorization and access control for
12
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
     4
ssh-based Mercurial repositories
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     5
12
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
     6
Paul Crowley, paul@lshift.net, 2008
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     7
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     8
This software may be used and distributed according to the terms
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     9
of the GNU General Public License, incorporated herein by reference.
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    10
12
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    11
WHAT IT GIVES YOU
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    12
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    13
You maintain a local Mercurial repository called "hgadmin" which
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    14
controls what access is allowed to whom.  When you push a new version
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    15
of this repository to the repository host, changes take effect
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    16
immediately, so familiar "hg" commands are all that are needed to
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    17
maintain it.  A "keys" directory contains the SSH keys of all the
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    18
developers who have access, while "hg-ssh-access.conf" gives a set of
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    19
rules defining who can do what to what.
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    20
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    21
HOW IT WORKS
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    22
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    23
The repository is owned by a single user (the "hg" user in what
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    24
follows), but many remote users can act on it.  We don't use file
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    25
permissions to achieve that - instead, developers log in as the "hg"
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    26
user when they connect to the repository host using ssh, using ssh
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    27
URLs of the form "ssh://hg@repository-host/repository-name".  A
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    28
restricted shell prevents them from using this access for unauthorized
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    29
purposes.
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    30
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    31
Developers are authenticated only using SSH keys; no other form of
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    32
authentication is supported.  When a developer attempts to connect to
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    33
a repository via ssh, the SSH daemon searches for a match for that
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    34
user's key in ~hg/.ssh/authorized_keys.  If the developer is
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    35
authorised to connect to the repository they will have an entry in
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    36
this file.  The entry includes a "command" prefix which specifies that
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    37
the restricted shell should be used; this shell is passed an argument
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    38
identifying the developer.  The shell parses the command the developer
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    39
is trying to execute, and consults a rules file to see if that
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    40
developer is allowed to perform that action on that repository.  The
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    41
bulk of the work of the restricted shell is done by the Python program
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    42
"hg-ssh", but the shell script "hg-ssh-wrapper" sets up some
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    43
configuration so that you can change it to suit your local installation.
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    44
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    45
The file ~hg/.ssh/authorized_keys is generated by "refresh-auth",
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    46
which recurses through a directory of files containing SSH keys and
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    47
generates an entry in authorized_keys for each one, using the name of
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    48
the key file as the identifier for the developer.  These keys will
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    49
live in the "keys" subdirectory of a repository, "hgadmin".  A hook in
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    50
this repository re-runs "refresh-auth" on the most recent version
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    51
after every push.
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    52
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    53
INSTRUCTIONS FOR USE
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    54
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    55
This is only one setup - it can be tweaked in many ways, and is as
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    56
specific as it is only in the interests of brevity.
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    57
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    58
You, and all users of your Hg repository, will need SSH public key
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    59
authentication set up, preferably working with ssh-agent so you don't
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    60
have to type in your passphrase all the time.  I assume you've done
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    61
that in what follows, so if you've done something different you'll
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    62
need to change it appropriately.
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    63
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    64
Create a user called "hg" on the machine where the repository will
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    65
live.  I used the command
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    66
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    67
  sudo adduser --system --shell /bin/sh --group --disabled-password \
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    68
    --gecos "Mercural repository" hg
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    69
12
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    70
Issue these commands to become the hg user and set up the repository.
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    71
Use your own name in place of "myname".
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    72
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    73
   sudo -u hg -s
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    74
   cd ~hg
12
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    75
   mkdir -p admin repos/hgadmin/keys/admin
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    76
   cd admin
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    77
   tar xvzf /tmp/hg-admin-tools.tar.gz
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    78
   mv hg-admin-tools* hg-admin-tools
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    79
   cp hg-admin-tools/hg-ssh-wrapper ~
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    80
   cd ../repos/hgadmin
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    81
   hg init .
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    82
   echo "init admin/* *" > hg-ssh-access.conf
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    83
   cp /tmp/my-ssh-public-key keys/admin/myname
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    84
   cp ~/admin/hg-admin-tools/hgadmin-hgrc .hg/hgrc
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    85
   ../../admin/hg-admin-tools/refresh-auth
12
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    86
   exit
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    87
12
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    88
You should now have SSH access to this repository and full control.
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    89
To administer these controls (and test your access), check out hgadmin:
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    90
12
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    91
   mkdir ~/hg
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    92
   cd ~/hg
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    93
   hg clone ssh://hg@repository-host-name/hgadmin
834426fcbada rewrote README
Paul Crowley <paul@lshift.net>
parents: 10
diff changeset
    94
   cd hgadmin
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    95
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    96
You can now add other users by putting their keys in an appropriate
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    97
subdirectory of the "keys" directory, and control their access by
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    98
editing hg-ssh-access.conf.  Changes will take effect as soon as you
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    99
push them to the remote ssh server.
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
   100
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
   101
Each line of hg-ssh-access.conf has the following syntax:
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
   102
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
   103
<rule> <keypattern> <repositorypattern>
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
   104
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
   105
The "rule" is either "init", "allow", or "deny".  "keypattern" is a
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
   106
glob pattern matched against the name of the key used - for example,
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
   107
in our initial setup "admin/myname" matches "admin/*".
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
   108
"repositorypattern" is a pattern matched againt the repository name -
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
   109
so "hgadmin" matches "*".  Only boring characters are allowed in
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
   110
patterns and key and repository names - see the source for details.
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
   111
Blank lines and lines that start with "#" are ignored.
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
   112