hg-admin-tools version 0.1

A set of tools for managing authorization and access control for
ssh-based Hg repositories

Paul Crowley, paul@lshift.net, 2008-04-15

This software may be used and distributed according to the terms
of the GNU General Public License, incorporated herein by reference.

INSTRUCTIONS FOR USE:

This is only one setup - it can be tweaked in many ways, and is as specific as it is only in the interests of brevity.

You, and all users of your Hg repository, will need SSH public key authentication set up, preferably working with ssh-agent so you don't have to type in your passphrase all the time. I assume you've done that in what follows, so if you've done something different you'll need to change it appropriately.

Create a user called "hg" on the machine where the repository will live. I used the command

    sudo adduser --system --shell /bin/sh --group --disabled-password --gecos "Mercurial repository" hg

Now create a basic access control setup.

    cd
    mkdir hg
    cd hg
    hg clone ssh://hg.opensource.lshift.net/hg-admin-tools hg-admin-tools
    mkdir -p hgadmin/keys/admin
    cd hgadmin
    ssh-add -L > keys/admin/myname
    echo "init admin/* *" > hg-ssh-access.conf
    hg init .
    hg add
    hg commit -m "Initial configuration"

You can use whatever you want in place of "myname" and indeed "admin". The files in ~/hg must be readable by the hg user. Issue these commands to become the hg user and set up the repository:

    sudo -u hg -s
    cd ~hg
    mkdir admin repos
    hg clone ~/hg/hg-admin-tools admin/hg-admin-tools
    hg clone ~/hg/hgadmin repos/hgadmin
    cp admin/hg-admin-tools/hgadmin-hgrc repos/hgadmin/.hg/hgrc
    cp admin/hg-admin-tools/hg-ssh-wrapper .hg-ssh-wrapper
    cd repos/hgadmin
    ../../admin/hg-admin-tools/refresh-auth
    exit

You should now have SSH access to this repository and full control, which you can test like so:

    cd ~/hg/hgadmin
    echo "[paths]" >> .hg/hgrc
    echo "default = ssh://hg@localhost/hgadmin" >> .hg/hgrc
    hg pull
    hg push

These attempts to push and pull should report no new changes but otherwise work.

You can now add other users by putting their keys in an appropriate subdirectory of the "keys" directory, and control their access by editing hg-ssh-access.conf. Changes take effect as soon as you push them to the remote ssh server.

hg-ssh-access.conf has the following syntax:

    <rule> <keypattern> <repositorypattern>

The "rule" is either "init", "allow", or "deny". "keypattern" is a glob pattern matched against the name of the key used - for example, in our initial setup "admin/myname" matches "admin/*". "repositorypattern" is a glob pattern matched against the repository name - so "hgadmin" matches "*". Only boring characters are allowed in patterns and in key and repository names - see the source for details. Blank lines and lines that start with "#" are ignored.
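As an added illustration (not the project's own code) of how a file in this format can be parsed and evaluated, here is a small Python checker. It assumes things the text above leaves to the source: a particular set of "boring" characters, that the first matching line wins, and that a key/repository pair matching no line is denied.

```python
import fnmatch
import re

# Assumed character sets (the page defers to the source for the real ones):
# names use letters, digits, "_", "-", "." and "/"; patterns may add "*" and "?".
NAME_RE = re.compile(r"^[A-Za-z0-9_./-]+$")
PATTERN_RE = re.compile(r"^[A-Za-z0-9_./*?-]+$")
RULES = ("init", "allow", "deny")


def parse_access_conf(text):
    """Parse hg-ssh-access.conf text into [(rule, keypattern, repopattern)]."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank and comment lines are ignored
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("line %d: expected 3 fields, got %d" % (lineno, len(parts)))
        rule, keypat, repopat = parts
        if rule not in RULES:
            raise ValueError("line %d: unknown rule %r" % (lineno, rule))
        if not (PATTERN_RE.match(keypat) and PATTERN_RE.match(repopat)):
            raise ValueError("line %d: unsafe characters in pattern" % lineno)
        rules.append((rule, keypat, repopat))
    return rules


def check_access(rules, keyname, repo):
    """Return "init", "allow" or "deny" for a key name and repository name."""
    # Assumptions not stated on the page: unsafe names are refused outright,
    # the first matching line wins, and no matching line means deny.
    if not (NAME_RE.match(keyname) and NAME_RE.match(repo)):
        return "deny"
    for rule, keypat, repopat in rules:
        if fnmatch.fnmatchcase(keyname, keypat) and fnmatch.fnmatchcase(repo, repopat):
            return rule
    return "deny"


# Constructed sample configuration, not the project's own file.
SAMPLE_CONF = """\
# administrators get full control (init) over every repository
init  admin/*   *
deny  devs/bob  hgadmin
allow devs/*    proj-*
"""
```

Because the deny line for devs/bob comes before the allow line for devs/*, ordering decides the outcome for that key; the real tool's ordering semantics should be checked in its source before relying on this.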