doc/manual.docbook
changeset 144 2dbaddde1fd5
parent 143 afb1d57ca9f7
child 145 bc2b93fa662d
equal deleted inserted replaced
143:afb1d57ca9f7 144:2dbaddde1fd5
   150 <para>
   150 <para>
   151 mercurial-server offers much more fine-grained access control than this division into two classes of users.  Let's suppose you wish to give Pat access to the <literal>widget</literal> repository, but no other.  We first copy Pat's SSH public key into the <filename
   151 mercurial-server offers much more fine-grained access control than this division into two classes of users.  Let's suppose you wish to give Pat access to the <literal>widget</literal> repository, but no other.  We first copy Pat's SSH public key into the <filename
   152 class='directory'>keys/widget/pat</filename> directory in <literal>hgadmin</literal>.  Now mercurial-server knows about Pat's key, but will give Pat no access to anything because the key is not under either <filename
   152 class='directory'>keys/widget/pat</filename> directory in <literal>hgadmin</literal>.  Now mercurial-server knows about Pat's key, but will give Pat no access to anything because the key is not under either <filename
   153 class='directory'>keys/root</filename> or <filename
   153 class='directory'>keys/root</filename> or <filename
   154 class='directory'>keys/users</filename>.  To grant this key access, we must give mercurial-server a new access rule, so we create a file in <literal>hgadmin</literal> called <filename>access.conf</filename>, with the following contents:</para>
   154 class='directory'>keys/users</filename>.  To grant this key access, we must give mercurial-server a new access rule, so we create a file in <literal>hgadmin</literal> called <filename>access.conf</filename>, with the following contents:</para>
   155 <programlisting>
   155 <programlisting>write repo=widget user=widget/**
   156     write repo=widget user=widget/**
       
   157 </programlisting>
   156 </programlisting>
   158 <para>
   157 <para>
   159 Pat will have read and write access as soon as we add, commit, and push these files.
   158 Pat will have read and write access as soon as we add, commit, and push these files.
   160 </para>
   159 </para>
   161 <para>
   160 <para>
   162 Each line of <filename>access.conf</filename> has the following syntax:
   161 Each line of <filename>access.conf</filename> has the following syntax:
   163 </para>
   162 </para>
   164 <programlisting>
   163 <programlisting><replaceable>rule</replaceable> <replaceable>condition</replaceable> <replaceable>condition...</replaceable>
   165 <replaceable>rule</replaceable> <replaceable>condition</replaceable> <replaceable>condition...</replaceable>
       
   166 </programlisting>
   164 </programlisting>
   167 <para>
   165 <para>
   168 Blank lines and lines that start with <literal>#</literal> are ignored. Rule is one of
   166 Blank lines and lines that start with <literal>#</literal> are ignored. Rule is one of
   169 </para>
   167 </para>
   170 <itemizedlist>
   168 <itemizedlist>
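Review bot: the whitespace stripping inside `<programlisting>` at old 155-157 and 164-166 is the right fix, since DocBook treats that element as verbatim and the leading newline plus the four-space indent would otherwise be rendered inside the example box; the same treatment should be applied to every other `<programlisting>` in this file, not only the ones in this changeset. A small documentation point for 151-154: the text copies Pat's key to `keys/widget/pat` and then grants access with `user=widget/**`, but never says that the `user=` condition matches the key's path below `keys/`, which is the only reason the rule applies to Pat; one sentence stating that would make the example self-explanatory.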
   185 When considering a request, mercurial-server steps through all the rules in <filename>/etc/mercurial-server/access.conf</filename> and then all the rules in <filename>access.conf</filename> in <literal>hgadmin</literal> looking for a rule which matches on every condition.  If it does not find such a rule, it denies the request; otherwise it checks whether the rule grants sufficient privilege to allow it.
   183 When considering a request, mercurial-server steps through all the rules in <filename>/etc/mercurial-server/access.conf</filename> and then all the rules in <filename>access.conf</filename> in <literal>hgadmin</literal> looking for a rule which matches on every condition.  If it does not find such a rule, it denies the request; otherwise it checks whether the rule grants sufficient privilege to allow it.
   186 </para>
   184 </para>
   187 <para>
   185 <para>
   188 By default, <filename>/etc/mercurial-server/access.conf</filename> has the following rules:
   186 By default, <filename>/etc/mercurial-server/access.conf</filename> has the following rules:
   189 </para>
   187 </para>
   190 <programlisting>
   188 <programlisting>init user=root/**
   191     init user=root/**
   189 deny repo=hgadmin
   192     deny repo=hgadmin
   190 write user=users/**
   193     write user=users/**
       
   194 </programlisting>
   191 </programlisting>
   195 <para>
   192 <para>
   196 These rules ensure that root users can do any operation on any repository, that no other users can access the <literal>hgadmin</literal> repository, and that those with keys in <filename class='directory'>keys/users</filename> can read or write to any repository but not create repositories.
   193 These rules ensure that root users can do any operation on any repository, that no other users can access the <literal>hgadmin</literal> repository, and that those with keys in <filename class='directory'>keys/users</filename> can read or write to any repository but not create repositories.
   197 </para>
   194 </para>
   198 <para>
   195 <para>
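Review bot: the paragraph at 183 says the rules are searched for one "which matches on every condition" and that the request is then judged by that rule alone, which is first-match semantics, but it never says so explicitly; it should, because the default rules at 188-190 only work in that order (`deny repo=hgadmin` must precede `write user=users/**`, otherwise the users rule would grant access to `hgadmin`). Suggest adding "The first rule whose conditions all match decides the request; later rules are not consulted." after the existing sentence. The listing change itself (content moved onto the `<programlisting>` line, trailing blank line dropped) is consistent with the previous hunk.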
   316 <listitem>
   313 <listitem>
   317 <para>You cannot limit read access to a subset of a repository with a "read"
   314 <para>You cannot limit read access to a subset of a repository with a "read"
   318 rule and a file condition: any user who has access to a repository can read
   315 rule and a file condition: any user who has access to a repository can read
   319 all of it and its full history. Such a rule can only have the effect of
   316 all of it and its full history. Such a rule can only have the effect of
   320 masking a later "write" rule, as in this example:</para>
   317 masking a later "write" rule, as in this example:</para>
   321 <programlisting>
   318 <programlisting>read repo=specialrepo file=dontwritethis
   322    read repo=specialrepo file=dontwritethis
   319 write repo=specialrepo
   323    write repo=specialrepo
       
   324 </programlisting>
   320 </programlisting>
   325 <para>
   321 <para>
   326 allows all users to read specialrepo, and to write to all files
   322 allows all users to read specialrepo, and to write to all files
   327 <emphasis>except</emphasis> that any changeset which writes to
   323 <emphasis>except</emphasis> that any changeset which writes to
   328 <filename>dontwritethis</filename> will be rejected.
   324 <filename>dontwritethis</filename> will be rejected.
   336 branch - a developer can write to the file on another branch and then merge
   332 branch - a developer can write to the file on another branch and then merge
   337 it in. Either deny all writes to the branch from that user, or allow them
   333 it in. Either deny all writes to the branch from that user, or allow them
   338 to write to all the files they can write to on any branch. In other words,
   334 to write to all the files they can write to on any branch. In other words,
   339 something like this will have the intended effect:
   335 something like this will have the intended effect:
   340 </para>
   336 </para>
   341 <programlisting>
   337 <programlisting>write user=docs/* branch=docs file=docs/*
   342    write user=docs/* branch=docs file=docs/*
       
   343 </programlisting>
   338 </programlisting>
   344 <para>
   339 <para>
   345 But something like this will not have the intended effect; it will
   340 But something like this will not have the intended effect; it will
   346 effectively allow these users to write to any file on any branch, by
   341 effectively allow these users to write to any file on any branch, by
   347 writing it to "docs" first:
   342 writing it to "docs" first:
   348 </para>
   343 </para>
   349 <programlisting>
   344 <programlisting>write user=docs/* branch=docs
   350   write user=docs/* branch=docs
   345 write user=docs/* file=docs/*
   351   write user=docs/* file=docs/*
   346 read user=docs/*
   352   read user=docs/*
       
   353 </programlisting>
   347 </programlisting>
   354 </listitem>
   348 </listitem>
   355 </itemizedlist>
   349 </itemizedlist>
   356 </section>
   350 </section>
   357 </section>
   351 </section>
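Review bot: the contrast between the single rule at 337 (`write user=docs/* branch=docs file=docs/*`) and the pair at 344-345 depends on a point the reader has to recall from much earlier: a request must satisfy every condition of a single rule, so splitting `branch=docs` and `file=docs/*` across two rules makes each rule sufficient on its own, and that is exactly why the second listing is weaker. Suggest a short reminder sentence before 344 ("Because each rule is checked independently, splitting the conditions across two rules...") so the "writing it to docs first" explanation at 341-342 does not read as a non sequitur. The whitespace normalisation in the three listings (old 318-324, 337-343, 344-353) removes the inconsistent 2- and 3-space indents and is fine.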