<para>
mercurial-server offers much more fine-grained access control than this division into two classes of users. Let's suppose you wish to give Pat access to the <literal>widget</literal> repository, but no other. We first copy Pat's SSH public key into the <filename
class='directory'>keys/widget/pat</filename> directory in <literal>hgadmin</literal>. Now mercurial-server knows about Pat's key, but will give Pat no access to anything because the key is not under either <filename
class='directory'>keys/root</filename> or <filename
class='directory'>keys/users</filename>. To grant this key access, we must give mercurial-server a new access rule, so we create a file in <literal>hgadmin</literal> called <filename>access.conf</filename>, with the following contents:</para>
<programlisting>write repo=widget user=widget/**
</programlisting>
<para>
Pat will have read and write access as soon as we add, commit, and push these files.
</para>
<para>
Each line of <filename>access.conf</filename> has the following syntax:
</para>
<programlisting><replaceable>rule</replaceable> <replaceable>condition</replaceable> <replaceable>condition...</replaceable>
</programlisting>
<para>
Blank lines and lines that start with <literal>#</literal> are ignored. Rule is one of
</para>
<itemizedlist>
When considering a request, mercurial-server steps through all the rules in <filename>/etc/mercurial-server/access.conf</filename> and then all the rules in <filename>access.conf</filename> in <literal>hgadmin</literal> looking for a rule which matches on every condition. If it does not find such a rule, it denies the request; otherwise it checks whether the rule grants sufficient privilege to allow it.
</para>
<para>
By default, <filename>/etc/mercurial-server/access.conf</filename> has the following rules:
</para>
<programlisting>init user=root/**
deny repo=hgadmin
write user=users/**
</programlisting>
<para>
These rules ensure that root users can do any operation on any repository, that no other users can access the <literal>hgadmin</literal> repository, and that those with keys in <filename class='directory'>keys/users</filename> can read or write to any repository but not create repositories.
</para>
<para>
<listitem>
<para>You cannot limit read access to a subset of a repository with a "read"
rule and a file condition: any user who has access to a repository can read
all of it and its full history. Such a rule can only have the effect of
masking a later "write" rule, as in this example:</para>
<programlisting>read repo=specialrepo file=dontwritethis
write repo=specialrepo
</programlisting>
<para>
allows all users to read specialrepo, and to write to all files
<emphasis>except</emphasis> that any changeset which writes to
<filename>dontwritethis</filename> will be rejected.
branch - a developer can write to the file on another branch and then merge
it in. Either deny all writes to the branch from that user, or allow them
to write to all the files they can write to on any branch. In other words,
something like this will have the intended effect:
</para>
<programlisting>write user=docs/* branch=docs file=docs/*
</programlisting>
<para>
But something like this will not have the intended effect; it will
effectively allow these users to write to any file on any branch, by
writing it to "docs" first:
</para>
<programlisting>write user=docs/* branch=docs
write user=docs/* file=docs/*
read user=docs/*
</programlisting>
</listitem>
</itemizedlist>
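<para>
The rule evaluation described above (the first rule whose every condition matches decides the request, and its privilege level must then cover the operation), the default /etc rules, and the masking and branch examples in the list, modelled in Python. This is an added example and is not mercurial-server's own code. Three things it assumes that the page does not state: the privilege levels are ordered deny, read, write, init from lowest to highest; a condition value is a glob in which * matches within one path segment while ** also crosses /, so user=widget/** matches the key in keys/widget/pat; and a condition whose key a request does not carry (a file condition when only repository access is being checked) does not match. The Mercurial merge behaviour that the page says defeats the second branch configuration is not simulated; the model only shows which rule each individual request hits.
</para>

```python
"""Model of how mercurial-server evaluates access.conf rules.

Added example, not mercurial-server's own code.  Assumed (not on the page):
privilege ordering deny < read < write < init; '*' matches within a path
segment and '**' also crosses '/'; an absent request key never matches.
"""
import re

# Assumed privilege ordering: a matching rule "grants sufficient privilege"
# when its level is at least the level the operation needs.
LEVELS = {"deny": 0, "read": 1, "write": 2, "init": 3}
CONDITION_KEYS = ("repo", "user", "file", "branch")


def glob_to_regex(pattern):
    """Compile a condition value: '**' matches anything, '*' stops at '/'."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rules(text):
    """Parse access.conf text into [(rule, {key: regex})] in file order.

    Blank lines and lines starting with '#' are ignored, as the page says.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rule, *conditions = line.split()
        if rule not in LEVELS:
            raise ValueError(f"line {lineno}: unknown rule {rule!r}")
        compiled = {}
        for cond in conditions:
            key, sep, value = cond.partition("=")
            if not sep or key not in CONDITION_KEYS:
                raise ValueError(f"line {lineno}: bad condition {cond!r}")
            compiled[key] = glob_to_regex(value)
        rules.append((rule, compiled))
    return rules


def first_matching_rule(rules, request):
    """Return the first rule whose every condition matches the request."""
    for rule, conditions in rules:
        if all(key in request and rx.match(request[key])
               for key, rx in conditions.items()):
            return rule
    return None


def allowed(system_rules, admin_rules, request, needed):
    """Decide a request: /etc rules first, then hgadmin's access.conf.

    No matching rule means deny; otherwise the matched rule must grant at
    least the privilege the operation needs.
    """
    rule = first_matching_rule(system_rules + admin_rules, request)
    if rule is None:
        return False
    return LEVELS[rule] >= LEVELS[needed]


# Constructed configurations taken from the text: the default /etc rules,
# the hgadmin rule for Pat, the masking example, and both branch examples.
SYSTEM_RULES = parse_rules("""
init user=root/**
deny repo=hgadmin
write user=users/**
""")
PAT_RULES = parse_rules("write repo=widget user=widget/**")
MASK_RULES = parse_rules("""
read repo=specialrepo file=dontwritethis
write repo=specialrepo
""")
GOOD_BRANCH_RULES = parse_rules("write user=docs/* branch=docs file=docs/*")
BAD_BRANCH_RULES = parse_rules("""
write user=docs/* branch=docs
write user=docs/* file=docs/*
read user=docs/*
""")

if __name__ == "__main__":
    pat = {"user": "widget/pat", "repo": "widget"}
    print("Pat writes widget:", allowed(SYSTEM_RULES, PAT_RULES, pat, "write"))
    masked = {"user": "x", "repo": "specialrepo", "file": "dontwritethis"}
    print("masked file write:", allowed([], MASK_RULES, masked, "write"))
```

<para>
The list examples are evaluated with an empty system rule list so that each one is seen on its own: because the /etc rules are stepped through first, the default <literal>write user=users/**</literal> line would match any key under <filename class='directory'>keys/users</filename> before a rule in <literal>hgadmin</literal>'s <filename>access.conf</filename> is ever reached, which is itself a useful thing to check when adding restrictive rules.
</para>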
</section>
</section>