doc/configuring-access
author Paul Crowley <paul@lshift.net>
Tue, 13 Oct 2009 12:03:23 +0100
changeset 111 eace50ec6427
parent 83 86ec1268d306
child 112 3035990989ee
permissions -rw-r--r--
Fix a minor inaccuracy in the security docs
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
83
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     1
ACCESS.CONF
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     2
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     3
Out of the box, there are just two kinds of users: the ones with keys in
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     4
"keys/root" and those in "keys/users". However, you can change this by editing
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     5
"access.conf". There are two "access.conf" files, one in
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     6
"/etc/mercurial-server" and one in "hgadmin"; the two are simply concatenated
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     7
before being read.
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     8
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     9
Each line of access.conf has the following syntax:
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    10
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    11
<rule> <condition> <condition> ...
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    12
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    13
Rule is one of
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    14
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    15
init - allow any operation, including the creation of new repositories
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    16
write - allow reads and writes to this file in this repository
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    17
read - allow the repo to be read but reject matching writes
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    18
deny - deny all requests
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    19
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    20
A condition is a globpattern matched against a relative path. The two most
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    21
important conditions are
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    22
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    23
    user=<globpattern> - user's key
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    24
    repo=<globpattern> - repo (as the user supplies it)
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    25
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    26
The first rule in the file which has all its conditions satisfied is used to
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    27
determine whether an action is allowed.
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    28
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    29
Paths cannot contain any special characters except "/"; glob patterns cannot
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    30
contain any special characters except "/" and "*". "*" matches zero or more
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    31
characters not including "/" while "**" matches zero or more characters
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    32
including "/".
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    33
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    34
Blank lines and lines that start with "#" are ignored.
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    35
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    36
access.conf ships with the following contents:
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    37
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    38
    init user=root/**
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    39
    deny repo=hgadmin
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    40
    write user=users/**
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    41
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    42
This means: keys in "root" can do anything; keys in "users" cannot create
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    43
repositories, cannot even read the hgadmin repository, but can read and write
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    44
any other repository; no other key has any access.
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    45
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    46
More advanced access configuration is covered in file-conditions.
86ec1268d306 Move some docs out of the README to make it less daunting
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    47