README
changeset 13 1206ed37090a
parent 12 834426fcbada
child 14 e7d5254cd0ca
equal deleted inserted replaced
12:834426fcbada 13:1206ed37090a
     1 hg-admin-tools version 0.1
     1 hg-admin-tools
     2 
     2 
     3 A set of tools for managing authorization and access control for
     3 A set of tools for managing authorization and access control for
     4 ssh-based Mercurial repositories
     4 ssh-based Mercurial repositories
     5 
     5 
     6 Paul Crowley, paul@lshift.net, 2008
     6 Paul Crowley, paul@lshift.net, 2008
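Review bot: line 1 drops "version 0.1" from the title, and nothing else in the visible README now says which release these instructions describe. If the version string is going away on purpose, suggest naming the changeset or tag the text was written against, so a reader can tell whether the setup steps match the code they have.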
    48 the key file as the identifier for the developer.  These keys will
    48 the key file as the identifier for the developer.  These keys will
    49 live in the "keys" subdirectory of a repository, "hgadmin".  A hook in
    49 live in the "keys" subdirectory of a repository, "hgadmin".  A hook in
    50 this repository re-runs "refresh-auth" on the most recent version
    50 this repository re-runs "refresh-auth" on the most recent version
    51 after every push.
    51 after every push.
    52 
    52 
    53 INSTRUCTIONS FOR USE
    53 GETTING STARTED
    54 
    54 
    55 This is only one setup - it can be tweaked in many ways, and is as
    55 This is only one setup - it can be tweaked in many ways, and is as
    56 specific as it is only in the interests of brevity.
    56 specific as it is only in the interests of brevity.
    57 
    57 
    58 You, and all users of your Hg repository, will need SSH public key
    58 You, and all users of your Hg repository, will need SSH public key
    68     --gecos "Mercural repository" hg
    68     --gecos "Mercural repository" hg
    69 
    69 
    70 Issue these commands to become the hg user and set up the repository.
    70 Issue these commands to become the hg user and set up the repository.
    71 Use your own name in place of "myname".
    71 Use your own name in place of "myname".
    72 
    72 
       
    73    ssh-add -L >> /tmp/my-ssh-public-key
    73    sudo -u hg -s
    74    sudo -u hg -s
    74    cd ~hg
    75    cd ~hg
    75    mkdir -p admin repos/hgadmin/keys/admin
    76    mkdir -p admin repos/hgadmin/keys/admin
    76    cd admin
    77    cd admin
    77    tar xvzf /tmp/hg-admin-tools.tar.gz
    78    hg clone http://hg.opensource.lshift.net/hg-admin-tools
    78    mv hg-admin-tools* hg-admin-tools
       
    79    cp hg-admin-tools/hg-ssh-wrapper ~
    79    cp hg-admin-tools/hg-ssh-wrapper ~
    80    cd ../repos/hgadmin
    80    cd ../repos/hgadmin
    81    hg init .
    81    hg init .
    82    echo "init admin/* *" > hg-ssh-access.conf
    82    echo "init admin/* *" > hg-ssh-access.conf
    83    cp /tmp/my-ssh-public-key keys/admin/myname
    83    cp /tmp/my-ssh-public-key keys/admin/myname
       
    84    hg add
       
    85    hg commit
    84    cp ~/admin/hg-admin-tools/hgadmin-hgrc .hg/hgrc
    86    cp ~/admin/hg-admin-tools/hgadmin-hgrc .hg/hgrc
    85    ../../admin/hg-admin-tools/refresh-auth
    87    ../../admin/hg-admin-tools/refresh-auth
    86    exit
    88    exit
    87 
    89 
    88 You should now have SSH access to this repository and full control.
    90 You should now have SSH access to this repository and full control.
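Review bot: the added line 73, "ssh-add -L >> /tmp/my-ssh-public-key", appends to a fixed path in /tmp, and line 83 then copies that file to keys/admin/myname, so anything already in the file, including a file another local user created first, ends up installed as an admin key. Suggest writing with ">" to a file created by mktemp or kept under the user's home directory, and noting that "ssh-add -L" lists every key loaded in the agent, not only the one intended for this repository. Separately, the new line 78 fetches the tools with "hg clone http://hg.opensource.lshift.net/hg-admin-tools", and the following lines install hg-ssh-wrapper and run refresh-auth from that checkout as the hg user. The access-control code therefore arrives over an unauthenticated transport. An https URL if the server offers one, or a changeset hash to compare after cloning, would be worth adding here.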
    94    cd hgadmin
    96    cd hgadmin
    95 
    97 
    96 You can now add other users by putting their keys in an appropriate
    98 You can now add other users by putting their keys in an appropriate
    97 subdirectory of the "keys" directory, and control their access by
    99 subdirectory of the "keys" directory, and control their access by
    98 editing hg-ssh-access.conf.  Changes will take effect as soon as you
   100 editing hg-ssh-access.conf.  Changes will take effect as soon as you
    99 push them to the remote ssh server.
   101 push them to the remote repository.
       
   102 
       
   103 HG-SSH-ACCESS.CONF
   100 
   104 
   101 Each line of hg-ssh-access.conf has the following syntax:
   105 Each line of hg-ssh-access.conf has the following syntax:
   102 
   106 
   103 <rule> <keypattern> <repositorypattern>
   107 <rule> <keypattern> <repositorypattern>
   104 
   108 
   106 glob pattern matched against the name of the key used - for example,
   110 glob pattern matched against the name of the key used - for example,
   107 in our initial setup "admin/myname" matches "admin/*".
   111 in our initial setup "admin/myname" matches "admin/*".
   108 "repositorypattern" is a pattern matched againt the repository name -
   112 "repositorypattern" is a pattern matched againt the repository name -
   109 so "hgadmin" matches "*".  Only boring characters are allowed in
   113 so "hgadmin" matches "*".  Only boring characters are allowed in
   110 patterns and key and repository names - see the source for details.
   114 patterns and key and repository names - see the source for details.
   111 Blank lines and lines that start with "#" are ignored.
   115 Blank lines and lines that start with "#" are ignored.  The first rule
   112 
   116 to match both the key and the repository applies: "deny" will deny all
       
   117 matching requests, "allow" allows read/write access to existing
       
   118 repositories, and "init" allows that and creation of new repositories.
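Review bot: the new text at lines 115-118 says the first matching rule applies, but it does not say what happens to a request that matches no rule at all. Please state the default explicitly (presumably deny) so that an administrator does not have to read the source to know whether an empty or incomplete hg-ssh-access.conf fails closed. Because matching is first-wins, it would also help to add a sentence or a short example showing that a "deny" must appear above any broader "allow" or "init" line that would otherwise match the same key and repository.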