README
author Paul Crowley <paul@lshift.net>
Thu, 17 Apr 2008 16:50:17 +0100
changeset 11 f3c73c9fc0ff
parent 10 524b4a45ef0a
child 12 834426fcbada
permissions -rw-r--r--
add newline to error message
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     1
hg-admin-tools version 0.1
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     3
A set of tools for managing authorization and access control for
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     4
ssh-based Hg repositories
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     5
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     6
Paul Crowley, paul@lshift.net, 2008-04-15
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     7
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     8
This software may be used and distributed according to the terms
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
     9
of the GNU General Public License, incorporated herein by reference.
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    10
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    11
INSTRUCTIONS FOR USE:
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    12
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    13
This is only one setup - it can be tweaked in many ways, and is as
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    14
specific as it is only in the interests of brevity.
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    15
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    16
You, and all users of your Hg repository, will need SSH public key
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    17
authentication set up, preferably working with ssh-agent so you don't
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    18
have to type in your passphrase all the time.  I assume you've done
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    19
that in what follows, so if you've done something different you'll
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    20
need to change it appropriately.
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    21
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    22
Create a user called "hg" on the machine where the repository will
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    23
live.  I used the command
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    24
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    25
  sudo adduser --system --shell /bin/sh --group --disabled-password \
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    26
    --gecos "Mercural repository" hg
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    27
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    28
Now create a basic access control setup.  
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    29
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    30
   cd
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    31
   mkdir hg
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    32
   cd hg
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    33
   hg clone ssh://hg.opensource.lshift.net/hg-admin-tools hg-admin-tools
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    34
   mkdir -p hgadmin/keys/admin
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    35
   cd hgadmin
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    36
   ssh-add -L > keys/admin/myname
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    37
   echo "init admin/* *" > hg-ssh-access.conf
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    38
   hg init .
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    39
   hg add
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    40
   hg commit -m "Initial configuration"
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    41
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    42
You can use whatever you want in place of "myname" and indeed "admin".
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    43
The files in ~/hg must be readable by the hg user.  Issue these
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    44
commands to become the hg user and set up the repository
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    45
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    46
   sudo -u hg -s
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    47
   cd ~hg
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    48
   mkdir admin repos
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    49
   hg clone ~/hg/hg-admin-tools admin/hg-admin-tools
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    50
   hg clone ~/hg/hgadmin repos/hgadmin
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    51
   cp admin/hg-admin-tools/hgadmin-hgrc repos/hgadmin/.hg/hgrc
4
dcd195f3e52c move config out of Python files; don't make hg-ssh-wrapper a dotfile;
Paul Crowley <paul@lshift.net>
parents: 2
diff changeset
    52
   cp admin/hg-admin-tools/hg-ssh-wrapper hg-ssh-wrapper
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    53
   cd repos/hgadmin
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    54
   ../../admin/hg-admin-tools/refresh-auth
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    55
    exit
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    56
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    57
You should now have SSH access to this repository and full control,
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    58
which you can test like so:
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    59
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    60
   cd ~/hg/hgadmin
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    61
   echo "[paths]" >> .hg/hgrc
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    62
   echo "default = ssh://hg@localhost/hgadmin"  >> .hg/hgrc
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    63
   hg pull
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    64
   hg push
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    65
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    66
These attempts to push and pull should report no new changes but
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    67
otherwise work.
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    68
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    69
You can now add other users by putting their keys in an appropriate
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    70
subdirectory of the "keys" directory, and control their access by
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    71
editing hg-ssh-access.conf.  Changes will take effect as soon as you
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    72
push them to the remote ssh server.
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    73
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    74
Each line of hg-ssh-access.conf has the following syntax:
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    75
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    76
<rule> <keypattern> <repositorypattern>
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    77
10
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    78
The "rule" is either "init", "allow", or "deny".  "keypattern" is a
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    79
glob pattern matched against the name of the key used - for example,
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    80
in our initial setup "admin/myname" matches "admin/*".
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    81
"repositorypattern" is a pattern matched againt the repository name -
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    82
so "hgadmin" matches "*".  Only boring characters are allowed in
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    83
patterns and key and repository names - see the source for details.
524b4a45ef0a wrap overlong lines
Paul Crowley <paul@lshift.net>
parents: 4
diff changeset
    84
Blank lines and lines that start with "#" are ignored.
2
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    85
a69f7bea408c added a README to describe how this works.
Paul Crowley <paul@lshift.net>
parents:
diff changeset
    86