mercurial-server: comparison doc/manual.docbook

equal deleted inserted replaced

-:f4688940fe15
+:aa57f48c7585
 <para>
 These rules ensure that root users can do any operation on any repository,
 that no other users can access the <literal>hgadmin</literal> repository,
 and that those with keys in <filename
 class='directory'>keys/users</filename> can read or write to any repository
-but not create repositories. If these are the only rules in effect, they
+but not create repositories.  Some examples of how these rules work:
-have the following consequences:
+</para>
-</para>
+<itemizedlist>
-<itemizedlist>
+<listitem>
-<listitem>
+User <filename class='directory'>root/jay</filename> creates a repository
-Any request from a user with a key under <filename
+<filename class='directory'>foo/bar/baz</filename>. This matches the first
-class='directory'>keys/root</filename> will match the first rule; since
+rule and so will be allowed.
-this rule is <literal>init</literal> the request will always be allowed.
+</listitem>
-</listitem>
+<listitem>
-<listitem>
+User <filename class='directory'>root/jay</filename> changes repository
-Any request to access the <literal>hgadmin</literal> by any other user will
+<filename class='directory'>hgadmin</filename>. Again, this matches the
-not match the first rule, but will match the second rule, and so will be
+first rule and so will be allowed; later rules have no effect.
-denied.
+</listitem>
-</listitem>
+<listitem>
-<listitem>
+User <filename class='directory'>users/sam</filename> tries to read
-Any request to create a repository from a user with a key in <filename
+repository <filename class='directory'>hgadmin</filename>. This does not
-class='directory'>keys/users</filename> will not match the first or second
+match the first rule, but matches the second, and so will be denied.
-rules, but will match the third rule. This is a <literal>write</literal>
+</listitem>
-rule, which doesn't grant the privilege to create repositories, so the
+<listitem>
-request will be denied.
+User <filename class='directory'>users/sam</filename> tries to create
-</listitem>
+repository <filename class='directory'>sams-project</filename>. This does
-<listitem>
+not match the first two rules, but matches the third; this is a
-Any request to access an existing repository from a user with a key in
+<literal>write</literal> rule, which doesn't grant the privilege to create
-<filename class='directory'>keys/users</filename> will not match the first
+repositories, so the request will be denied.
-or second rules, but will match the third rule, which grants
+</listitem>
-<literal>write</literal> privilege, so the request will be allowed.
+<listitem>
-</listitem>
+User <filename class='directory'>users/sam</filename> writes to existing
-<listitem>
+repository <filename class='directory'>projects/main</filename>. Again,
-Any request from any user whose key is in neither <filename
+this matches the third rule, which allows the request.
-class='directory'>keys/root</filename> nor <filename
+</listitem>
-class='directory'>keys/users</filename> will not match any rule and so will
+<listitem>
-be denied. Unless it matches the second rule, in which case it will still
+User <filename class='directory'>pat</filename> tries to write to existing
-be denied.  Changes to the <filename>access.conf</filename> in <literal>hgadmin</literal> will change that, as the example at the start of this section shows.
+repository <filename class='directory'>widget</filename>. Until we change
+the <filename>access.conf</filename> file in <filename
+class='directory'>hgadmin</filename>, this will match no rule, and so will
+be denied.
 </listitem>
 <listitem>
 Any request from a user whose key not under the <filename
 class='directory'>keys</filename> directory at all will always be denied,
 no matter what rules are in effect; because of the way SSH authentication

changeset 153	aa57f48c7585
parent 152	f4688940fe15
child 154	45dac87ae794