ACCESS.CONF

Out of the box, there are just two kinds of users: the ones with keys in
"keys/root" and those in "keys/users". However, you can change this by
editing "access.conf". There are two "access.conf" files, one in
"/etc/mercurial-server" and one in "hgadmin"; the two are simply
concatenated before being read.

Each line of access.conf has the following syntax:

<rule> <condition> <condition> ...

Rule is one of

init - allow any operation, including the creation of new repositories
write - allow reads and writes to this file in this repository
read - allow the repo to be read but reject matching writes
deny - deny all requests

A condition is a globpattern matched against a relative path. The two most
important conditions are

user=<globpattern> - user's key
repo=<globpattern> - repo (as the user supplies it)

The first rule in the file which has all its conditions satisfied is used
to determine whether an action is allowed. If no rule is matched the
request is denied.

"*" only matches one directory level, where "**" matches as many as you
want. More precisely, "*" matches zero or more characters not including "/"
while "**" matches zero or more characters including "/".

Blank lines and lines that start with "#" are ignored.

access.conf ships with the following contents:

init user=root/**
deny repo=hgadmin
write user=users/**

This means: keys in "root" can do anything; keys in "users" cannot create
repositories, cannot even read the hgadmin repository, but can read and
write any other repository; no other key has any access.

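The first-match evaluation described above, as an added Python sketch (not mercurial-server's own code) that can be used to check what a rule file grants before deploying it. The function names, the key paths and the repository names are constructed for illustration; the sketch handles only user= and repo= conditions and assumes the rules rank deny < read < write < init, as their descriptions imply.

```python
import re

LEVELS = ["deny", "read", "write", "init"]  # assumed order, least to most permissive

def glob_match(pattern, path):
    """'*' matches any run of non-'/' characters, '**' also crosses '/'."""
    parts = re.split(r"(\*\*|\*)", pattern)
    regex = "".join(
        ".*" if p == "**" else "[^/]*" if p == "*" else re.escape(p)
        for p in parts
    )
    return re.fullmatch(regex, path, re.DOTALL) is not None

def parse_rules(text):
    """Return [(rule, [(key, glob), ...]), ...], skipping blanks and '#' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule, *conds = line.split()
        if rule not in LEVELS:
            raise ValueError("unknown rule: " + rule)
        pairs = [tuple(c.split("=", 1)) for c in conds]
        if any(len(p) != 2 or p[0] not in ("user", "repo") for p in pairs):
            raise ValueError("sketch handles only user= and repo=: " + line)
        rules.append((rule, pairs))
    return rules

def decide(rules, user, repo):
    """First rule whose conditions all match wins; no match means deny."""
    facts = {"user": user, "repo": repo}
    for rule, conds in rules:
        if all(glob_match(glob, facts[key]) for key, glob in conds):
            return rule
    return "deny"

def allowed(rules, action, user, repo):
    """action is 'read', 'write' or 'init' (repository creation)."""
    return LEVELS.index(decide(rules, user, repo)) >= LEVELS.index(action)

SHIPPED = "init user=root/**\ndeny repo=hgadmin\nwrite user=users/**\n"

if __name__ == "__main__":
    rules = parse_rules(SHIPPED)
    # Constructed key paths and repository names, for illustration only.
    for user, repo in [("root/alice", "hgadmin"), ("users/bob", "hgadmin"),
                       ("users/bob", "project/web"), ("guests/eve", "project/web")]:
        print(user, repo, "->", decide(rules, user, repo))
```
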
More advanced access configuration is covered in file-conditions.