author | Paul Crowley <paul@lshift.net> |
Mon, 09 Nov 2009 15:46:05 +0000 | |
changeset 168 | f9bf8f84df7f |
parent 162 | 1c0bc7d33648 |
child 179 | 243dd21d0dbc |
permissions | -rw-r--r-- |
119 | 1 |
<?xml version="1.0" encoding="utf-8"?> |
120 | 2 |
<article xmlns="http://docbook.org/ns/docbook" version="5.0" xml:lang="en" |
3 |
xmlns:xlink="http://www.w3.org/1999/xlink"> |
|
119 | 4 |
<info> |
5 |
<title>Sharing Mercurial repositories with mercurial-server</title> |
|
6 |
<author><firstname>Paul</firstname><surname>Crowley</surname></author> |
|
120 | 7 |
<copyright><year>2009</year><holder>Paul Crowley, LShift Ltd</holder></copyright> |
119 | 8 |
</info> |
9 |
<section> |
|
10 |
<title>About mercurial-server</title> |
|
11 |
<para> |
|
120 | 12 |
Home page: <link xlink:href="http://www.lshift.net/mercurial-server.html"/> |
13 |
</para> |
|
14 |
<para> |
|
133
a99ab5be891a
Let next para do the work of discussing what OS it runs on
Paul Crowley <paul@lshift.net>
parents:
132
diff
changeset
|
15 |
mercurial-server gives your developers remote read/write access to |
a99ab5be891a
Let next para do the work of discussing what OS it runs on
Paul Crowley <paul@lshift.net>
parents:
132
diff
changeset
|
16 |
centralized <link xlink:href="http://hg-scm.org/">Mercurial</link> |
a99ab5be891a
Let next para do the work of discussing what OS it runs on
Paul Crowley <paul@lshift.net>
parents:
132
diff
changeset
|
17 |
repositories using SSH public key authentication; it provides convenient |
a99ab5be891a
Let next para do the work of discussing what OS it runs on
Paul Crowley <paul@lshift.net>
parents:
132
diff
changeset
|
18 |
and fine-grained key management and access control. |
119 | 19 |
</para> |
20 |
<para> |
|
21 |
Though mercurial-server is currently targeted at Debian-based systems such |
|
22 |
as Ubuntu, other users have reported success getting it running on other |
|
23 |
Unix-based systems such as Red Hat. Running it on a non-Unix system such as |
|
24 |
Windows is not supported. You will need root privileges to install it. |
|
25 |
</para> |
|
26 |
</section> |
|
27 |
<section> |
|
28 |
<title>Step by step</title> |
|
29 |
<para> |
|
134
525976d2827c
Change the way we link to SSH tutorial
Paul Crowley <paul@lshift.net>
parents:
133
diff
changeset
|
30 |
mercurial-server authenticates users not using passwords but using SSH |
525976d2827c
Change the way we link to SSH tutorial
Paul Crowley <paul@lshift.net>
parents:
133
diff
changeset
|
31 |
public keys; everyone who wants access to a mercurial-server repository |
131
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
32 |
will need such a key. In combination with <command>ssh-agent</command> (or |
120 | 33 |
equivalents such as the Windows program <link |
34 |
xlink:href="http://the.earth.li/~sgtatham/putty/0.60/htmldoc/Chapter9.html#pageant">Pageant</link>), |
|
35 |
this means that users will not need to type in a password to access the |
|
134
525976d2827c
Change the way we link to SSH tutorial
Paul Crowley <paul@lshift.net>
parents:
133
diff
changeset
|
36 |
repository. If you're not familiar with SSH public keys, the <link |
525976d2827c
Change the way we link to SSH tutorial
Paul Crowley <paul@lshift.net>
parents:
133
diff
changeset
|
37 |
xlink:href="http://sial.org/howto/openssh/publickey-auth/">OpenSSH Public |
525976d2827c
Change the way we link to SSH tutorial
Paul Crowley <paul@lshift.net>
parents:
133
diff
changeset
|
38 |
Key Authentication tutorial</link> may be helpful. |
119 | 39 |
</para> |
120 | 40 |
<section> |
131
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
41 |
<title>Installing mercurial-server</title> |
119 | 42 |
<para> |
122
05b676684c7e
Call the user jay rather than user, and use pat instead of other-user
Paul Crowley <paul@lshift.net>
parents:
121
diff
changeset
|
43 |
In what follows, we assume that your username is <systemitem |
05b676684c7e
Call the user jay rather than user, and use pat instead of other-user
Paul Crowley <paul@lshift.net>
parents:
121
diff
changeset
|
44 |
class="username">jay</systemitem>, that you usually sit at a machine called |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
45 |
<systemitem class="systemname">spoon</systemitem> and you wish to |
120 | 46 |
install mercurial-server on <systemitem |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
47 |
class="systemname">jeeves</systemitem>. We assume that you have created your SSH public key, set up your SSH agent with this key, and that this key gives you access to <systemitem |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
48 |
class="systemname">jeeves</systemitem>. |
119 | 49 |
</para> |
131
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
50 |
<para>First install mercurial-server on <systemitem |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
51 |
class="systemname">jeeves</systemitem>:</para> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
52 |
<screen><computeroutput>jay@spoon:~$ </computeroutput><userinput>scp mercurial-server_0.6.1_amd64.deb jeeves:</userinput> |
119 | 53 |
<computeroutput>mercurial-server_0.6.1_amd64.deb 100% |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
54 |
jay@spoon:~$ </computeroutput><userinput>ssh -A jeeves</userinput> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
55 |
<computeroutput>jay@jeeves:~$ </computeroutput><userinput>sudo dpkg -i mercurial-server_0.6.1_amd64.deb</userinput> |
122
05b676684c7e
Call the user jay rather than user, and use pat instead of other-user
Paul Crowley <paul@lshift.net>
parents:
121
diff
changeset
|
56 |
<computeroutput>[sudo] password for jay: |
119 | 57 |
Selecting previously deselected package mercurial-server. |
58 |
(Reading database ... 144805 files and directories currently installed.) |
|
59 |
Unpacking mercurial-server (from .../mercurial-server_0.6.1_amd64.deb) ... |
|
60 |
Setting up mercurial-server (0.6.1) ... |
|
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
61 |
jay@jeeves:~$ </computeroutput></screen> |
119 | 62 |
<para> |
120 | 63 |
mercurial-server is now installed on the repository host. Next, we need to give you permission to access its repositories. |
119 | 64 |
</para> |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
65 |
<screen><computeroutput>jay@jeeves:~$ </computeroutput><userinput>ssh-add -L > my-key</userinput> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
66 |
<computeroutput>jay@jeeves:~$ </computeroutput><userinput>sudo mkdir -p /etc/mercurial-server/keys/root/jay</userinput> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
67 |
<computeroutput>jay@jeeves:~$ </computeroutput><userinput>sudo cp my-key /etc/mercurial-server/keys/root/jay/spoon</userinput> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
68 |
<computeroutput>jay@jeeves:~$ </computeroutput><userinput>sudo -u hg /usr/share/mercurial-server/refresh-auth</userinput> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
69 |
<computeroutput>jay@jeeves:~$ </computeroutput><userinput>exit</userinput> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
70 |
<computeroutput>Connection to jeeves closed. |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
71 |
jay@spoon:~$ </computeroutput></screen> |
119 | 72 |
<para> |
120 | 73 |
You can now create repositories on the remote machine and have complete |
131
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
74 |
read-write access to all of them. |
119 | 75 |
</para> |
120 | 76 |
</section> |
77 |
<section> |
|
78 |
<title>Creating repositories</title> |
|
131
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
79 |
<para> |
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
80 |
To store a repository on the server, clone it over. |
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
81 |
</para> |
159
609d1d4ec773
Use shorter name for clone example project
Paul Crowley <paul@lshift.net>
parents:
158
diff
changeset
|
82 |
<screen><computeroutput>jay@spoon:~$ </computeroutput><userinput>cd myproj</userinput> |
160
72cb7a42650a
Use shorter remote repo name
Paul Crowley <paul@lshift.net>
parents:
159
diff
changeset
|
83 |
<computeroutput>jay@spoon:~/myproj$ </computeroutput><userinput>hg clone . ssh://hg@jeeves/jays/project</userinput> |
119 | 84 |
<computeroutput>searching for changes |
85 |
remote: adding changesets |
|
86 |
remote: adding manifests |
|
87 |
remote: adding file changes |
|
88 |
remote: added 119 changesets with 284 changes to 61 files |
|
160
72cb7a42650a
Use shorter remote repo name
Paul Crowley <paul@lshift.net>
parents:
159
diff
changeset
|
89 |
jay@spoon:~/myproj$ </computeroutput><userinput>hg pull ssh://hg@jeeves/jays/project</userinput> |
72cb7a42650a
Use shorter remote repo name
Paul Crowley <paul@lshift.net>
parents:
159
diff
changeset
|
90 |
<computeroutput>pulling from ssh://hg@jeeves/jays/project |
119 | 91 |
searching for changes |
92 |
no changes found |
|
159
609d1d4ec773
Use shorter name for clone example project
Paul Crowley <paul@lshift.net>
parents:
158
diff
changeset
|
93 |
<computeroutput>jay@spoon:~/myproj$ </computeroutput><userinput>cd ..</userinput> |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
94 |
jay@spoon:~$ </computeroutput></screen> |
120 | 95 |
</section> |
96 |
<section> |
|
97 |
<title>Adding other users</title> |
|
119 | 98 |
<para> |
145 | 99 |
At this stage, no-one but you has any access to any repositories you |
120 | 100 |
create on this system. In order to give anyone else access, you'll need a |
101 |
copy of their SSH public key; we'll assume you have that key in |
|
161
475a05ed5f0e
Sam's machine is called saucer
Paul Crowley <paul@lshift.net>
parents:
160
diff
changeset
|
102 |
<filename>~/sam-saucer-key.pub</filename>. To manage access, you make changes to the special <filename |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
103 |
class='directory'>hgadmin</filename> repository. |
119 | 104 |
</para> |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
105 |
<screen><computeroutput>jay@spoon:~$ </computeroutput><userinput>hg clone ssh://hg@jeeves/hgadmin</userinput> |
119 | 106 |
<computeroutput>destination directory: hgadmin |
107 |
no changes found |
|
108 |
updating working directory |
|
109 |
0 files updated, 0 files merged, 0 files removed, 0 files unresolved |
|
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
110 |
jay@spoon:~$ </computeroutput><userinput>cd hgadmin</userinput> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
111 |
<computeroutput>jay@spoon:~/hgadmin$ </computeroutput><userinput>mkdir -p keys/users/sam</userinput> |
161
475a05ed5f0e
Sam's machine is called saucer
Paul Crowley <paul@lshift.net>
parents:
160
diff
changeset
|
112 |
<computeroutput>jay@spoon:~/hgadmin$ </computeroutput><userinput>cp ~/sam-saucer-key.pub keys/users/sam/saucer</userinput> |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
113 |
<computeroutput>jay@spoon:~/hgadmin$ </computeroutput><userinput>hg add</userinput> |
161
475a05ed5f0e
Sam's machine is called saucer
Paul Crowley <paul@lshift.net>
parents:
160
diff
changeset
|
114 |
<computeroutput>adding keys/users/sam/saucer |
162 | 115 |
jay@spoon:~/hgadmin$ </computeroutput><userinput>hg commit -m "Add Sam's key"</userinput> |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
116 |
<computeroutput>jay@spoon:~/hgadmin$ </computeroutput><userinput>hg push</userinput> |
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
117 |
<computeroutput>pushing to ssh://hg@jeeves/hgadmin |
119 | 118 |
searching for changes |
119 |
remote: adding changesets |
|
120 |
remote: adding manifests |
|
121 |
remote: adding file changes |
|
122 |
remote: added 1 changesets with 1 changes to 1 files |
|
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
123 |
jay@spoon:~/hgadmin$ </computeroutput></screen> |
119 | 124 |
<para> |
123 | 125 |
Sam can now read and write to your |
160
72cb7a42650a
Use shorter remote repo name
Paul Crowley <paul@lshift.net>
parents:
159
diff
changeset
|
126 |
<uri>ssh://hg@jeeves/jays/project</uri> repository. |
120 | 127 |
Most other changes to access control can be made simply by making and |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
128 |
pushing changes to <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
129 |
class='directory'>hgadmin</filename>, and you can use Mercurial to |
120 | 130 |
cooperate with other root users in the normal way. |
131 |
</para> |
|
131
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
132 |
<para> |
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
133 |
If you prefer, you could give them access by |
158
713c6cccbc2f
Use short meaningless hostnames
Paul Crowley <paul@lshift.net>
parents:
157
diff
changeset
|
134 |
logging into <systemitem class="systemname">jeeves</systemitem>, |
131
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
135 |
putting the key in the right place under <filename |
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
136 |
class='directory'>/etc/mercurial-server/keys</filename>, and re-running |
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
137 |
<userinput>sudo -u hg /usr/share/mercurial-server/refresh-auth</userinput>. |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
138 |
However, using <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
139 |
class='directory'>hgadmin</filename> is usually more convenient if you need to make more than a very few changes; it also makes it easier to share administration with others and provides a log of all changes. |
131
e8bf13d06582
Assume they have SSH set up; talk about hgadmin first
Paul Crowley <paul@lshift.net>
parents:
130
diff
changeset
|
140 |
</para> |
120 | 141 |
</section> |
132
a5850a63390f
Move basic access control to the start of access control
Paul Crowley <paul@lshift.net>
parents:
131
diff
changeset
|
142 |
</section> |
120 | 143 |
<section> |
132
a5850a63390f
Move basic access control to the start of access control
Paul Crowley <paul@lshift.net>
parents:
131
diff
changeset
|
144 |
<title>Access control</title> |
120 | 145 |
<para> |
146 |
Out of the box, mercurial-server supports two kinds of users: "root" users and normal users. If you followed the steps above, you are a "root" user because your key is under <filename class='directory'>keys/root</filename>, while the other user you gave access to is a normal user since their key is under <filename class='directory'>keys/users</filename>. Keys that are not in either of these directories will by default have no access to anything. |
|
147 |
</para> |
|
148 |
<para> |
|
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
149 |
Root users can edit <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
150 |
class='directory'>hgadmin</filename>, create new repositories and read and write to existing ones. Normal users cannot access <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
151 |
class='directory'>hgadmin</filename> or create new repositories, but they can read and write to any other repository. |
120 | 152 |
</para> |
132
a5850a63390f
Move basic access control to the start of access control
Paul Crowley <paul@lshift.net>
parents:
131
diff
changeset
|
153 |
<section> |
a5850a63390f
Move basic access control to the start of access control
Paul Crowley <paul@lshift.net>
parents:
131
diff
changeset
|
154 |
<title>Using access.conf</title> |
120 | 155 |
<para> |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
156 |
mercurial-server offers much more fine-grained access control than this division into two classes of users. Let's suppose you wish to give Pat access to the <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
157 |
class='directory'>widget</filename> repository, but no other. We first copy Pat's SSH public key into the <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
158 |
class='directory'>keys/pat</filename> directory in <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
159 |
class='directory'>hgadmin</filename>. This tells mercurial-server about Pat's key, but gives Pat no access to anything because the key is not under either <filename |
120 | 160 |
class='directory'>keys/root</filename> or <filename |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
161 |
class='directory'>keys/users</filename>. To grant this key access, we must give mercurial-server a new access rule, so we create a file in <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
162 |
class='directory'>hgadmin</filename> called <filename>access.conf</filename>, with the following contents:</para> |
146 | 163 |
<programlisting># Give Pat access to the "widget" repository |
164 |
write repo=widget user=pat |
|
120 | 165 |
</programlisting> |
166 |
<para> |
|
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
167 |
Pat will have read and write access to the <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
168 |
class='directory'>widget</filename> repository as soon as we add, commit, and push these files. |
120 | 169 |
</para> |
170 |
<para> |
|
124 | 171 |
Each line of <filename>access.conf</filename> has the following syntax: |
120 | 172 |
</para> |
144
2dbaddde1fd5
programlisting also needs no initial blank lines
Paul Crowley <paul@lshift.net>
parents:
143
diff
changeset
|
173 |
<programlisting><replaceable>rule</replaceable> <replaceable>condition</replaceable> <replaceable>condition...</replaceable> |
120 | 174 |
</programlisting> |
175 |
<para> |
|
157 | 176 |
Blank lines and lines that start with <code>#</code> are ignored. Rule is |
177 |
one of |
|
120 | 178 |
</para> |
179 |
<itemizedlist> |
|
180 |
<listitem> |
|
181 |
<literal>init</literal>: allow reads, writes, and the creation of new repositories |
|
182 |
</listitem> |
|
183 |
<listitem> |
|
184 |
<literal>write</literal>: allow reads and writes |
|
185 |
</listitem> |
|
186 |
<listitem> |
|
187 |
<literal>read</literal>: allow only read operations |
|
188 |
</listitem> |
|
189 |
<listitem> |
|
190 |
<literal>deny</literal>: deny all requests |
|
191 |
</listitem> |
|
192 |
</itemizedlist> |
|
193 |
<para> |
|
194 |
A condition is a globpattern matched against a relative path. The two most |
|
195 |
important conditions are |
|
196 |
</para> |
|
197 |
<itemizedlist> |
|
198 |
<listitem> |
|
156
34925ee06f90
Silly to use literal inside code
Paul Crowley <paul@lshift.net>
parents:
155
diff
changeset
|
199 |
<code>user=<replaceable>globpattern</replaceable></code>: path to the user's key |
120 | 200 |
</listitem> |
201 |
<listitem> |
|
156
34925ee06f90
Silly to use literal inside code
Paul Crowley <paul@lshift.net>
parents:
155
diff
changeset
|
202 |
<code>repo=<replaceable>globpattern</replaceable></code>: path to the repository |
120 | 203 |
</listitem> |
204 |
</itemizedlist> |
|
205 |
<para> |
|
157 | 206 |
<code>*</code> only matches one directory level, where <code>**</code> |
207 |
matches as many as you want. More precisely, <code>*</code> matches zero or |
|
208 |
more characters not including <code>/</code> while <code>**</code> matches |
|
209 |
zero or more characters including <code>/</code>. So |
|
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
210 |
<code>projects/*</code> matches <filename |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
211 |
class='directory'>projects/foo</filename> but not <filename |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
212 |
class='directory'>projects/foo/bar</filename>, while |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
213 |
<code>projects/**</code> matches both. |
120 | 214 |
</para> |
147
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
215 |
<para> |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
216 |
When considering a request, mercurial-server steps through all the rules in |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
217 |
<filename>/etc/mercurial-server/access.conf</filename> and then all the |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
218 |
rules in <filename>access.conf</filename> in <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
219 |
class='directory'>hgadmin</filename> |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
220 |
looking for a rule which matches on every condition. The first match |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
221 |
determines whether the request will be allowed; if there is no match in |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
222 |
either file, the request will be denied. |
147
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
223 |
</para> |
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
224 |
<para> |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
225 |
By default, <filename>/etc/mercurial-server/access.conf</filename> has the |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
226 |
following rules: |
147
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
227 |
</para> |
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
228 |
<programlisting>init user=root/** |
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
229 |
deny repo=hgadmin |
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
230 |
write user=users/** |
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
231 |
</programlisting> |
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
232 |
<para> |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
233 |
These rules ensure that root users can do any operation on any repository, |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
234 |
that no other users can access the <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
235 |
class='directory'>hgadmin</filename> repository, |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
236 |
and that those with keys in <filename |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
237 |
class='directory'>keys/users</filename> can read or write to any repository |
153
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
238 |
but not create repositories. Some examples of how these rules work: |
147
b29a7088b132
Move conditions next to rules
Paul Crowley <paul@lshift.net>
parents:
146
diff
changeset
|
239 |
</para> |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
240 |
<itemizedlist> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
241 |
<listitem> |
153
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
242 |
User <filename class='directory'>root/jay</filename> creates a repository |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
243 |
<filename class='directory'>foo/bar/baz</filename>. This matches the first |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
244 |
rule and so will be allowed. |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
245 |
</listitem> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
246 |
<listitem> |
153
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
247 |
User <filename class='directory'>root/jay</filename> changes repository |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
248 |
<filename class='directory'>hgadmin</filename>. Again, this matches the |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
249 |
first rule and so will be allowed; later rules have no effect. |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
250 |
</listitem> |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
251 |
<listitem> |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
252 |
User <filename class='directory'>users/sam</filename> tries to read |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
253 |
repository <filename class='directory'>hgadmin</filename>. This does not |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
254 |
match the first rule, but matches the second, and so will be denied. |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
255 |
</listitem> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
256 |
<listitem> |
153
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
257 |
User <filename class='directory'>users/sam</filename> tries to create |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
258 |
repository <filename class='directory'>sams-project</filename>. This does |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
259 |
not match the first two rules, but matches the third; this is a |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
260 |
<literal>write</literal> rule, which doesn't grant the privilege to create |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
261 |
repositories, so the request will be denied. |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
262 |
</listitem> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
263 |
<listitem> |
153
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
264 |
User <filename class='directory'>users/sam</filename> writes to existing |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
265 |
repository <filename class='directory'>projects/main</filename>. Again, |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
266 |
this matches the third rule, which allows the request. |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
267 |
</listitem> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
268 |
<listitem> |
153
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
269 |
User <filename class='directory'>pat</filename> tries to write to existing |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
270 |
repository <filename class='directory'>widget</filename>. Until we change |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
271 |
the <filename>access.conf</filename> file in <filename |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
272 |
class='directory'>hgadmin</filename>, this will match no rule, and so will |
aa57f48c7585
replace generalities with specific examples
Paul Crowley <paul@lshift.net>
parents:
152
diff
changeset
|
273 |
be denied. |
152
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
274 |
</listitem> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
275 |
<listitem> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
276 |
Any request from a user whose key not under the <filename |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
277 |
class='directory'>keys</filename> directory at all will always be denied, |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
278 |
no matter what rules are in effect; because of the way SSH authentication |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
279 |
works, they will be prompted to enter a password, but no password will |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
280 |
work. This can't be changed. |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
281 |
</listitem> |
f4688940fe15
Improvements to access.conf documentation
Paul Crowley <paul@lshift.net>
parents:
151
diff
changeset
|
282 |
</itemizedlist> |
132
a5850a63390f
Move basic access control to the start of access control
Paul Crowley <paul@lshift.net>
parents:
131
diff
changeset
|
283 |
</section> |
120 | 284 |
<section> |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
285 |
<title>/etc/mercurial-server and hgadmin</title> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
286 |
<para> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
287 |
mercurial-server consults two distinct locations to collect information about what to allow: <filename |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
288 |
class='directory'>/etc/mercurial-server</filename> and its own <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
289 |
class='directory'>hgadmin</filename> repository. This is useful for several reasons: |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
290 |
</para> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
291 |
<itemizedlist> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
292 |
<listitem> |
148
5da43b596bac
Fixes to /etc/mercurial-server discussion
Paul Crowley <paul@lshift.net>
parents:
147
diff
changeset
|
293 |
Some users may not need the convenience of access control via mercurial; for these users updating <filename |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
294 |
class='directory'>/etc/mercurial-server</filename> may offer a simpler route. |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
295 |
</listitem> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
296 |
<listitem> |
148
5da43b596bac
Fixes to /etc/mercurial-server discussion
Paul Crowley <paul@lshift.net>
parents:
147
diff
changeset
|
297 |
<filename class='directory'>/etc/mercurial-server</filename> is suitable |
5da43b596bac
Fixes to /etc/mercurial-server discussion
Paul Crowley <paul@lshift.net>
parents:
147
diff
changeset
|
298 |
for management with tools such as <link |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
299 |
xlink:href="http://reductivelabs.com/products/puppet">Puppet</link> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
300 |
</listitem> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
301 |
<listitem> |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
302 |
If a change to <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
303 |
class='directory'>hgadmin</filename> leaves you "locked out", <filename |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
304 |
class='directory'>/etc/mercurial-server</filename> allows you a way back in. |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
305 |
</listitem> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
306 |
<listitem> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
307 |
At install time, all users are "locked out", and so some mechanism to allow some users in is needed. |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
308 |
</listitem> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
309 |
</itemizedlist> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
310 |
<para> |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
311 |
Rules in <filename>/etc/mercurial-server/access.conf</filename> are checked before those in <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
312 |
class='directory'>hgadmin</filename>, and keys in <filename class='directory'>/etc/mercurial-server/keys</filename> will be present no matter how <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
313 |
class='directory'>hgadmin</filename> changes. |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
314 |
</para> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
315 |
<para> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
316 |
We anticipate that once mercurial-server is successfully installed and |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
317 |
working you will usually want to use <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
318 |
class='directory'>hgadmin</filename> for most |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
319 |
access control tasks. Once you have the right keys and |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
320 |
<filename>access.conf</filename> set up in <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
321 |
class='directory'>hgadmin</filename>, you |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
322 |
can delete <filename>/etc/mercurial-server/access.conf</filename> and all |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
323 |
of <filename class='directory'>/etc/mercurial-server/keys</filename>, |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
324 |
turning control entirely over to <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
325 |
class='directory'>hgadmin</filename>. |
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
326 |
</para> |
127 | 327 |
<para> |
328 |
<filename>/etc/mercurial-server/remote-hgrc</filename> is in the |
|
329 |
<systemitem>HGRCPATH</systemitem> for all remote access to mercurial-server |
|
330 |
repositories. This file contains the hooks that mercurial-server uses for |
|
331 |
access control and logging. You can add hooks to this file, but obviously |
|
332 |
breaking the existing hooks will disable the relevant functionality and |
|
333 |
isn't advisable. |
|
334 |
</para> |
|
125
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
335 |
</section> |
fc5b8fc1040e
Explain why we configure access twice
Paul Crowley <paul@lshift.net>
parents:
124
diff
changeset
|
336 |
<section> |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
337 |
<title>File and branch conditions</title> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
338 |
<para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
339 |
mercurial-server supports file and branch conditions, which restrict an |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
340 |
operation depending on what files it modifies and what branch the work is |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
341 |
on. </para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
342 |
<caution> |
128 | 343 |
The way these conditions work is subtle and can be counterintuitive. Unless |
344 |
you need what they provide, ignore this section, stick to user and repo |
|
140 | 345 |
conditions, and then things are likely to work the way you would expect. If |
346 |
you do need what they provide, read what follows very carefully. |
|
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
347 |
</caution> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
348 |
<para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
349 |
File and branch conditions are added to the conditions against which a rule |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
350 |
matches, just like user and repo conditions; they have this form: |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
351 |
</para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
352 |
<itemizedlist> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
353 |
<listitem> |
156
34925ee06f90
Silly to use literal inside code
Paul Crowley <paul@lshift.net>
parents:
155
diff
changeset
|
354 |
<code>file=<replaceable>globpattern</replaceable></code>: file within the repo |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
355 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
356 |
<listitem> |
156
34925ee06f90
Silly to use literal inside code
Paul Crowley <paul@lshift.net>
parents:
155
diff
changeset
|
357 |
<code>branch=<replaceable>globpattern</replaceable></code>: Mercurial branch name |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
358 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
359 |
</itemizedlist> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
360 |
<para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
361 |
However, in order to understand what effect adding these conditions will |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
362 |
have, it helps to understand how and when these rules are applied. |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
363 |
</para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
364 |
<para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
365 |
The rules file is used to make three decisions: |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
366 |
</para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
367 |
<itemizedlist> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
368 |
<listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
369 |
Whether to allow a repository to be created |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
370 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
371 |
<listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
372 |
Whether to allow any access to a repository |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
373 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
374 |
<listitem> |
139
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
375 |
Whether to allow a changeset |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
376 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
377 |
</itemizedlist> |
120 | 378 |
<para> |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
379 |
When the first two of these decisions are being made, nothing is known |
139
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
380 |
about any changsets that might be pushed, and so all file and branch |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
381 |
conditions automatically succeed for the purpose of such decisions. For the |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
382 |
third condition, every file changed in the changeset must be allowed by a |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
383 |
<literal>write</literal> or <literal>init</literal> rule for the changeset |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
384 |
to be allowed. |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
385 |
</para> |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
386 |
<para> |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
387 |
This means that doing tricky things with file conditions can have |
b7e78f9705e6
There are only three decisions, honest
Paul Crowley <paul@lshift.net>
parents:
138
diff
changeset
|
388 |
counterintuitive consequences: |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
389 |
</para> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
390 |
<itemizedlist> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
391 |
<listitem> |
149
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
392 |
<para>You cannot limit read access to a subset of a repository with a <literal>read</literal> |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
393 |
rule and a file condition: any user who has access to a repository can read |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
394 |
all of it and its full history. Such a rule can only have the effect of |
149
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
395 |
masking a later <literal>write</literal> rule, as in this example:</para> |
144
2dbaddde1fd5
programlisting also needs no initial blank lines
Paul Crowley <paul@lshift.net>
parents:
143
diff
changeset
|
396 |
<programlisting>read repo=specialrepo file=dontwritethis |
2dbaddde1fd5
programlisting also needs no initial blank lines
Paul Crowley <paul@lshift.net>
parents:
143
diff
changeset
|
397 |
write repo=specialrepo |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
398 |
</programlisting> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
399 |
<para> |
149
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
400 |
allows all users to read <literal>specialrepo</literal>, and to write to all files |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
401 |
<emphasis>except</emphasis> that any changeset which writes to |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
402 |
<filename>dontwritethis</filename> will be rejected. |
120 | 403 |
</para> |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
404 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
405 |
<listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
406 |
For similar reasons, don't give <literal>init</literal> rules file conditions. |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
407 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
408 |
<listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
409 |
<para>Don't try to deny write access to a particular file on a particular |
149
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
410 |
branch—a developer can write to the file on another branch and then merge |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
411 |
it in. Either deny all writes to the branch from that user, or allow them |
149
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
412 |
to write to all the files they can write to on any branch. |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
413 |
</para> |
144
2dbaddde1fd5
programlisting also needs no initial blank lines
Paul Crowley <paul@lshift.net>
parents:
143
diff
changeset
|
414 |
<programlisting>write user=docs/* branch=docs file=docs/* |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
415 |
</programlisting> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
416 |
<para> |
149
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
417 |
This rule grants users whose keys are in the <filename |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
418 |
class='directory'>docs</filename> subdirectory the power to push changesets |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
419 |
into any repository only if those changesets are on the |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
420 |
<literal>docs</literal> branch and they affect only those files directly |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
421 |
under the <filename class='directory'>docs</filename> directory. However, |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
422 |
the rules below have more counterintuitive consequences. |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
423 |
</para> |
144
2dbaddde1fd5
programlisting also needs no initial blank lines
Paul Crowley <paul@lshift.net>
parents:
143
diff
changeset
|
424 |
<programlisting>write user=docs/* branch=docs |
2dbaddde1fd5
programlisting also needs no initial blank lines
Paul Crowley <paul@lshift.net>
parents:
143
diff
changeset
|
425 |
write user=docs/* file=docs/* |
2dbaddde1fd5
programlisting also needs no initial blank lines
Paul Crowley <paul@lshift.net>
parents:
143
diff
changeset
|
426 |
read user=docs/* |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
427 |
</programlisting> |
149
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
428 |
<para> |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
429 |
These rules grant users whose keys are in the <filename |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
430 |
class='directory'>docs</filename> subdirectory the power to change any file directly under the <filename class='directory'>docs</filename> directory, or any file at all in the <literal>docs</literal> branch. Indirectly, however, this adds up to the power to change any file on any branch, simply by making the change on the docs branch and then merging the change into another branch. |
dc4ed4edb458
Improvements to file conditions section
Paul Crowley <paul@lshift.net>
parents:
148
diff
changeset
|
431 |
</para> |
121
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
432 |
</listitem> |
62185dc7d0c9
Document file and branch conditions in Docbook
Paul Crowley <paul@lshift.net>
parents:
120
diff
changeset
|
433 |
</itemizedlist> |
120 | 434 |
</section> |
435 |
</section> |
|
436 |
<section> |
|
126
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
437 |
<title>How mercurial-server works</title> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
438 |
<para> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
439 |
All of the repositories controlled by mercurial-server are owned by a |
151
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
440 |
single user, the <systemitem |
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
441 |
class="username">hg</systemitem> user, which is why all URLs for |
155
3bff97f72a33
ssh:// is the start of a URI
Paul Crowley <paul@lshift.net>
parents:
154
diff
changeset
|
442 |
mercurial-server repositories start with <uri>ssh://hg@...</uri>. |
126
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
443 |
Each SSH key that has access to the repository has an entry in |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
444 |
<filename>~hg/.ssh/authorized_keys</filename>; this is how the SSH daemon |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
445 |
knows to give that key access. When the user connects over SSH, their |
150
02b464a6b433
Improvements to how it works section
Paul Crowley <paul@lshift.net>
parents:
149
diff
changeset
|
446 |
commands are run in a custom restricted shell; this shell knows which key |
02b464a6b433
Improvements to how it works section
Paul Crowley <paul@lshift.net>
parents:
149
diff
changeset
|
447 |
was used to connect, determines what the user is trying to do, checks the |
02b464a6b433
Improvements to how it works section
Paul Crowley <paul@lshift.net>
parents:
149
diff
changeset
|
448 |
access rules to decide whether to allow it, and if allowed invokes |
02b464a6b433
Improvements to how it works section
Paul Crowley <paul@lshift.net>
parents:
149
diff
changeset
|
449 |
Mercurial internally, without forking. |
126
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
450 |
</para> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
451 |
<para> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
452 |
This restricted shell also ensures that certain Mercurial extensions are |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
453 |
loaded when the user acts on a repository; these extensions check the |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
454 |
access control rules for any changeset that the user tries to commit, and |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
455 |
log all pushes and pulls into a per-repository access log. |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
456 |
</para> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
457 |
<para> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
458 |
<command>refresh-auth</command> recurses through the <filename |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
459 |
class='directory'>/etc/mercurial-server/keys</filename> and the <filename |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
460 |
class='directory'>keys</filename> directory in the |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
461 |
<filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
462 |
class='directory'>hgadmin</filename> repository, creating an entry in |
126
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
463 |
<filename>~hg/.ssh/authorized_keys</filename> for each one. This is redone |
154
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
464 |
automatically whenever a change is pushed to <filename |
45dac87ae794
Repository names are directories
Paul Crowley <paul@lshift.net>
parents:
153
diff
changeset
|
465 |
class='directory'>hgadmin</filename>. |
126
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
466 |
</para> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
467 |
</section> |
fd7ebe95d8e5
Move how it works section later
Paul Crowley <paul@lshift.net>
parents:
125
diff
changeset
|
468 |
<section> |
120 | 469 |
<title>Security</title> |
470 |
<para> |
|
151
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
471 |
mercurial-server relies entirely on <command>sshd</command> to grant access to remote users. |
120 | 472 |
As a result, it runs no daemons, installs no setuid programs, and no part |
151
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
473 |
of it runs as <systemitem |
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
474 |
class="username">root</systemitem> except the install process: all programs run as the user |
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
475 |
<systemitem |
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
476 |
class="username">hg</systemitem>. Any attack on mercurial-server can only be started if the attacker |
137 | 477 |
already has a public key in <filename>~hg/.ssh/authorized_keys</filename>, |
151
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
478 |
otherwise <command>sshd</command> will bar the way. |
120 | 479 |
</para> |
480 |
<para> |
|
481 |
No matter what command the user tries to run on the remote system via SSH, |
|
482 |
mercurial-server is run. It parses the command line the user asked for, and |
|
151
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
483 |
interprets and runs the corresponding operation itself if access is |
120 | 484 |
allowed, so users can only read and add to history within repositories; |
151
5758cf47ff43
cleanups to the security section
Paul Crowley <paul@lshift.net>
parents:
150
diff
changeset
|
485 |
they cannot run any other command. In addition, every push and pull is |
120 | 486 |
logged with a datestamp, changeset ID and the key that performed the |
487 |
operation. |
|
488 |
</para> |
|
489 |
<para> |
|
490 |
However, while the first paragraph holds no matter what bugs |
|
491 |
mercurial-server contains, the second depends on the relevant code being |
|
492 |
correct; though the entire codebase is short, mercurial-server is a fairly |
|
493 |
new program and may harbour bugs. Backups are essential! |
|
494 |
</para> |
|
495 |
</section> |
|
496 |
<section> |
|
129 | 497 |
<title>Legalese</title> |
498 |
<para> |
|
499 |
This program is free software; you can redistribute it and/or modify it |
|
500 |
under the terms of the GNU General Public License as published by the Free |
|
501 |
Software Foundation; either version 2 of the License, or (at your option) |
|
502 |
any later version. |
|
503 |
</para> |
|
504 |
<para> |
|
505 |
This program is distributed in the hope that it will be useful, but |
|
506 |
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY |
|
507 |
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for |
|
508 |
more details. |
|
509 |
</para> |
|
510 |
<para> |
|
511 |
You should have received a copy of the GNU General Public License along |
|
512 |
with this program; if not, write to the Free Software Foundation, Inc., 51 |
|
513 |
Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
|
514 |
</para> |
|
515 |
</section> |
|
516 |
<section> |
|
120 | 517 |
<title>Thanks</title> |
518 |
<para> |
|
519 |
Thanks for reading this far. If you use mercurial-server, please tell me about |
|
520 |
it. |
|
521 |
</para> |
|
522 |
<para> |
|
523 |
Paul Crowley, <email>paul@lshift.net</email>, 2009 |
|
119 | 524 |
</para> |
525 |
</section> |
|
526 |
</article> |
|
527 |