1 hg-admin-tools version 0.1 |
1 hg-admin-tools |
2 |
2 |
3 A set of tools for managing authorization and access control for |
3 A set of tools for managing authorization and access control for |
4 ssh-based Mercurial repositories |
4 ssh-based Mercurial repositories |
5 |
5 |
6 Paul Crowley, paul@lshift.net, 2008 |
6 Paul Crowley, paul@lshift.net, 2008 |
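Review bot: dropping "version 0.1" from the title leaves the README with no version marker at all; if the version is now tracked elsewhere (a tag, a release file), say so near the top, otherwise keep the number.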
48 the key file as the identifier for the developer. These keys will |
48 the key file as the identifier for the developer. These keys will |
49 live in the "keys" subdirectory of a repository, "hgadmin". A hook in |
49 live in the "keys" subdirectory of a repository, "hgadmin". A hook in |
50 this repository re-runs "refresh-auth" on the most recent version |
50 this repository re-runs "refresh-auth" on the most recent version |
51 after every push. |
51 after every push. |
52 |
52 |
53 INSTRUCTIONS FOR USE |
53 GETTING STARTED |
54 |
54 |
55 This is only one setup - it can be tweaked in many ways, and is as |
55 This is only one setup - it can be tweaked in many ways, and is as |
56 specific as it is only in the interests of brevity. |
56 specific as it is only in the interests of brevity. |
57 |
57 |
58 You, and all users of your Hg repository, will need SSH public key |
58 You, and all users of your Hg repository, will need SSH public key |
68 --gecos "Mercural repository" hg |
68 --gecos "Mercural repository" hg |
69 |
69 |
70 Issue these commands to become the hg user and set up the repository. |
70 Issue these commands to become the hg user and set up the repository. |
71 Use your own name in place of "myname". |
71 Use your own name in place of "myname". |
72 |
72 |
|
73 ssh-add -L >> /tmp/my-ssh-public-key |
73 sudo -u hg -s |
74 sudo -u hg -s |
74 cd ~hg |
75 cd ~hg |
75 mkdir -p admin repos/hgadmin/keys/admin |
76 mkdir -p admin repos/hgadmin/keys/admin |
76 cd admin |
77 cd admin |
77 tar xvzf /tmp/hg-admin-tools.tar.gz |
78 hg clone http://hg.opensource.lshift.net/hg-admin-tools |
78 mv hg-admin-tools* hg-admin-tools |
|
79 cp hg-admin-tools/hg-ssh-wrapper ~ |
79 cp hg-admin-tools/hg-ssh-wrapper ~ |
80 cd ../repos/hgadmin |
80 cd ../repos/hgadmin |
81 hg init . |
81 hg init . |
82 echo "init admin/* *" > hg-ssh-access.conf |
82 echo "init admin/* *" > hg-ssh-access.conf |
83 cp /tmp/my-ssh-public-key keys/admin/myname |
83 cp /tmp/my-ssh-public-key keys/admin/myname |
|
84 hg add |
|
85 hg commit |
84 cp ~/admin/hg-admin-tools/hgadmin-hgrc .hg/hgrc |
86 cp ~/admin/hg-admin-tools/hgadmin-hgrc .hg/hgrc |
85 ../../admin/hg-admin-tools/refresh-auth |
87 ../../admin/hg-admin-tools/refresh-auth |
86 exit |
88 exit |
87 |
89 |
88 You should now have SSH access to this repository and full control. |
90 You should now have SSH access to this repository and full control. |
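Review bot: `ssh-add -L >> /tmp/my-ssh-public-key` appends every key the running agent holds onto a file that may already exist, so the file later copied to `keys/admin/myname` can end up carrying several keys (all of which then become the admin identity) or, with no agent available, no key at all; prefer `>` and copying the one public key intended, e.g. `cat ~/.ssh/id_rsa.pub > /tmp/my-ssh-public-key`. The replacement `hg clone http://hg.opensource.lshift.net/hg-admin-tools` fetches the `hg-ssh-wrapper` that will mediate every SSH login over plain HTTP with nothing to check the result against; state the expected changeset or offer a URL that authenticates the server if one exists. `hg commit` without `-m` opens an editor, which sits oddly in a paste-and-run sequence. Also, "Mercural" in the `--gecos` string is carried over unchanged and should read "Mercurial".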
94 cd hgadmin |
96 cd hgadmin |
95 |
97 |
96 You can now add other users by putting their keys in an appropriate |
98 You can now add other users by putting their keys in an appropriate |
97 subdirectory of the "keys" directory, and control their access by |
99 subdirectory of the "keys" directory, and control their access by |
98 editing hg-ssh-access.conf. Changes will take effect as soon as you |
100 editing hg-ssh-access.conf. Changes will take effect as soon as you |
99 push them to the remote ssh server. |
101 push them to the remote repository. |
|
102 |
|
103 HG-SSH-ACCESS.CONF |
100 |
104 |
101 Each line of hg-ssh-access.conf has the following syntax: |
105 Each line of hg-ssh-access.conf has the following syntax: |
102 |
106 |
103 <rule> <keypattern> <repositorypattern> |
107 <rule> <keypattern> <repositorypattern> |
104 |
108 |
106 glob pattern matched against the name of the key used - for example, |
110 glob pattern matched against the name of the key used - for example, |
107 in our initial setup "admin/myname" matches "admin/*". |
111 in our initial setup "admin/myname" matches "admin/*". |
108 "repositorypattern" is a pattern matched againt the repository name - |
112 "repositorypattern" is a pattern matched againt the repository name - |
109 so "hgadmin" matches "*". Only boring characters are allowed in |
113 so "hgadmin" matches "*". Only boring characters are allowed in |
110 patterns and key and repository names - see the source for details. |
114 patterns and key and repository names - see the source for details. |
111 Blank lines and lines that start with "#" are ignored. |
115 Blank lines and lines that start with "#" are ignored. The first rule |
112 |
116 to match both the key and the repository applies: "deny" will deny all |
|
117 matching requests, "allow" allows read/write access to existing |
|
118 repositories, and "init" allows that and creation of new repositories. |
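Review bot: the new first-match paragraph should also state what happens when no rule matches a request, and make explicit that ordering therefore matters (a `deny` placed after a broader `allow` for the same key and repository never fires); a reader writing their first `hg-ssh-access.conf` needs both. Also, "matched againt the repository name" is carried over unchanged and should read "against".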