doc/configuring-access
changeset 112 3035990989ee
parent 83 86ec1268d306
child 114 241475f6440c
111:eace50ec6427 112:3035990989ee
     1 ACCESS.CONF
     1 ACCESS.CONF
     2 
     2 
     3 Out of the box, there are just two kinds of users: the ones with keys in
     3 Out of the box, there are just two kinds of users: the ones with keys in
     4 "keys/root" and those in "keys/users". However, you can change this by editing
     4 "keys/root" and those in "keys/users". However, you can change this by
     5 "access.conf". There are two "access.conf" files, one in
     5 editing "access.conf". There are two "access.conf" files, one in
     6 "/etc/mercurial-server" and one in "hgadmin"; the two are simply concatenated
     6 "/etc/mercurial-server" and one in "hgadmin"; the two are simply
     7 before being read.
     7 concatenated before being read.
     8 
     8 
     9 Each line of access.conf has the following syntax:
     9 Each line of access.conf has the following syntax:
    10 
    10 
    11 <rule> <condition> <condition> ...
    11 <rule> <condition> <condition> ...
    12 
    12 
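Review bot: lines 5-7 say the two "access.conf" files are "simply concatenated before being read" but not in which order, and because the first rule with all its conditions satisfied is the one used, that order decides whether a rule in "/etc/mercurial-server" or one in "hgadmin" takes precedence. Since the paragraph is being re-wrapped here anyway, state the concatenation order in the same sentence.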
    21 important conditions are
    21 important conditions are
    22 
    22 
    23     user=<globpattern> - user's key
    23     user=<globpattern> - user's key
    24     repo=<globpattern> - repo (as the user supplies it)
    24     repo=<globpattern> - repo (as the user supplies it)
    25 
    25 
    26 The first rule in the file which has all its conditions satisfied is used to
    26 The first rule in the file which has all its conditions satisfied is used
    27 determine whether an action is allowed.
    27 to determine whether an action is allowed. If no rule is matched the
       
    28 request is denied.
    28 
    29 
    29 Paths cannot contain any special characters except "/"; glob patterns cannot
    30 Paths cannot contain any special characters except "/"; glob patterns
    30 contain any special characters except "/" and "*". "*" matches zero or more
    31 cannot contain any special characters except "/" and "*". "*" matches zero
    31 characters not including "/" while "**" matches zero or more characters
    32 or more characters not including "/" while "**" matches zero or more
    32 including "/".
    33 characters including "/".
    33 
    34 
    34 Blank lines and lines that start with "#" are ignored.
    35 Blank lines and lines that start with "#" are ignored.
    35 
    36 
    36 access.conf ships with the following contents:
    37 access.conf ships with the following contents:
    37 
    38 
    38     init user=root/**
    39     init user=root/**
    39     deny repo=hgadmin
    40     deny repo=hgadmin
    40     write user=users/**
    41     write user=users/**
    41 
    42 
    42 This means: keys in "root" can do anything; keys in "users" cannot create
    43 This means: keys in "root" can do anything; keys in "users" cannot create
    43 repositories, cannot even read the hgadmin repository, but can read and write
    44 repositories, cannot even read the hgadmin repository, but can read and
    44 any other repository; no other key has any access.
    45 write any other repository; no other key has any access.
    45 
    46 
    46 More advanced access configuration is covered in file-conditions.
    47 More advanced access configuration is covered in file-conditions.
    47 
    48
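Review bot: the new sentence at lines 27-28, "If no rule is matched the request is denied.", is the only wording change in this hunk and is easy to miss because every surrounding paragraph is re-wrapped in the same changeset; putting the reflow in its own commit would let the default-deny statement stand out in history. The sentence wants a comma after "matched". The summary at line 45 ("no other key has any access") could also point back to it, since for repositories other than hgadmin that outcome comes from this default rather than from any of the three shipped rules.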