mercurial-server: README@834426fcbada (annotated)

2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	1	hg-admin-tools version 0.1
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	2
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	3	A set of tools for managing authorization and access control for
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	4	ssh-based Mercurial repositories
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	5
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	6	Paul Crowley, paul@lshift.net, 2008
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	7
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	8	This software may be used and distributed according to the terms
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	9	of the GNU General Public License, incorporated herein by reference.
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	10
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	11	WHAT IT GIVES YOU
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	12
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	13	You maintain a local Mercurial repository called "hgadmin" which
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	14	controls what access is allowed to whom. When you push a new version
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	15	of this repository to the repository host, changes take effect
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	16	immediately, so familiar "hg" commands are all that are needed to
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	17	maintain it. A "keys" directory contains the SSH keys of all the
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	18	developers who have access, while "hg-ssh-access.conf" gives a set of
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	19	rules defining who can do what to what.
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	20
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	21	HOW IT WORKS
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	22
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	23	The repository is owned by a single user (the "hg" user in what
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	24	follows), but many remote users can act on it. We don't use file
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	25	permissions to achieve that - instead, developers log in as the "hg"
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	26	user when they connect to the repository host using ssh, using ssh
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	27	URLs of the form "ssh://hg@repository-host/repository-name". A
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	28	restricted shell prevents them from using this access for unauthorized
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	29	purposes.
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	30
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	31	Developers are authenticated only using SSH keys; no other form of
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	32	authentication is supported. When a developer attempts to connect to
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	33	a repository via ssh, the SSH daemon searches for a match for that
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	34	user's key in ~hg/.ssh/authorized_keys. If the developer is
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	35	authorised to connect to the repository they will have an entry in
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	36	this file. The entry includes a "command" prefix which specifies that
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	37	the restricted shell should be used; this shell is passed an argument
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	38	identifying the developer. The shell parses the command the developer
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	39	is trying to execute, and consults a rules file to see if that
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	40	developer is allowed to perform that action on that repository. The
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	41	bulk of the work of the restricted shell is done by the Python program
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	42	"hg-ssh", but the shell script "hg-ssh-wrapper" sets up some
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	43	configuration so that you can change it to suit your local installation.
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	44
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	45	The file ~hg/.ssh/authorized_keys is generated by "refresh-auth",
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	46	which recurses through a directory of files containing SSH keys and
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	47	generates an entry in authorized_keys for each one, using the name of
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	48	the key file as the identifier for the developer. These keys will
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	49	live in the "keys" subdirectory of a repository, "hgadmin". A hook in
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	50	this repository re-runs "refresh-auth" on the most recent version
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	51	after every push.
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	52
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	53	INSTRUCTIONS FOR USE
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	54
10 524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	55	This is only one setup - it can be tweaked in many ways, and is as
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	56	specific as it is only in the interests of brevity.
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	57
10 524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	58	You, and all users of your Hg repository, will need SSH public key
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	59	authentication set up, preferably working with ssh-agent so you don't
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	60	have to type in your passphrase all the time. I assume you've done
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	61	that in what follows, so if you've done something different you'll
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	62	need to change it appropriately.
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	63
10 524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	64	Create a user called "hg" on the machine where the repository will
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	65	live. I used the command
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	66
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	67	sudo adduser --system --shell /bin/sh --group --disabled-password \
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	68	--gecos "Mercural repository" hg
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	69
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	70	Issue these commands to become the hg user and set up the repository.
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	71	Use your own name in place of "myname".
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	72
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	73	sudo -u hg -s
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	74	cd ~hg
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	75	mkdir -p admin repos/hgadmin/keys/admin
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	76	cd admin
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	77	tar xvzf /tmp/hg-admin-tools.tar.gz
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	78	mv hg-admin-tools* hg-admin-tools
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	79	cp hg-admin-tools/hg-ssh-wrapper ~
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	80	cd ../repos/hgadmin
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	81	hg init .
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	82	echo "init admin/* *" > hg-ssh-access.conf
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	83	cp /tmp/my-ssh-public-key keys/admin/myname
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	84	cp ~/admin/hg-admin-tools/hgadmin-hgrc .hg/hgrc
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	85	../../admin/hg-admin-tools/refresh-auth
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	86	exit
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	87
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	88	You should now have SSH access to this repository and full control.
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	89	To administer these controls (and test your access), check out hgadmin:
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	90
12 834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	91	mkdir ~/hg
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	92	cd ~/hg
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	93	hg clone ssh://hg@repository-host-name/hgadmin
834426fcbada rewrote README Paul Crowley <paul@lshift.net> parents: 10 diff changeset	94	cd hgadmin
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	95
10 524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	96	You can now add other users by putting their keys in an appropriate
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	97	subdirectory of the "keys" directory, and control their access by
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	98	editing hg-ssh-access.conf. Changes will take effect as soon as you
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	99	push them to the remote ssh server.
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	100
10 524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	101	Each line of hg-ssh-access.conf has the following syntax:
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	102
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	103	<rule> <keypattern> <repositorypattern>
a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	104
10 524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	105	The "rule" is either "init", "allow", or "deny". "keypattern" is a
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	106	glob pattern matched against the name of the key used - for example,
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	107	in our initial setup "admin/myname" matches "admin/*".
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	108	"repositorypattern" is a pattern matched againt the repository name -
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	109	so "hgadmin" matches "*". Only boring characters are allowed in
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	110	patterns and key and repository names - see the source for details.
524b4a45ef0a wrap overlong lines Paul Crowley <paul@lshift.net> parents: 4 diff changeset	111	Blank lines and lines that start with "#" are ignored.
2 a69f7bea408c added a README to describe how this works. Paul Crowley <paul@lshift.net> parents: diff changeset	112

author	Paul Crowley <paul@lshift.net>
	Thu, 17 Apr 2008 17:34:07 +0100
changeset 12	834426fcbada
parent 10	524b4a45ef0a
child 13	1206ed37090a
permissions	-rw-r--r--