doc/manual.docbook
changeset 153 aa57f48c7585
parent 152 f4688940fe15
child 154 45dac87ae794
equal deleted inserted replaced
152:f4688940fe15 153:aa57f48c7585
   220 <para>
   220 <para>
   221 These rules ensure that root users can do any operation on any repository,
   221 These rules ensure that root users can do any operation on any repository,
   222 that no other users can access the <literal>hgadmin</literal> repository,
   222 that no other users can access the <literal>hgadmin</literal> repository,
   223 and that those with keys in <filename
   223 and that those with keys in <filename
   224 class='directory'>keys/users</filename> can read or write to any repository
   224 class='directory'>keys/users</filename> can read or write to any repository
   225 but not create repositories. If these are the only rules in effect, they
   225 but not create repositories.  Some examples of how these rules work:
   226 have the following consequences:
   226 </para>
   227 </para>
   227 <itemizedlist>
   228 <itemizedlist>
   228 <listitem>
   229 <listitem>
   229 User <filename class='directory'>root/jay</filename> creates a repository
   230 Any request from a user with a key under <filename
   230 <filename class='directory'>foo/bar/baz</filename>. This matches the first
   231 class='directory'>keys/root</filename> will match the first rule; since
   231 rule and so will be allowed.
   232 this rule is <literal>init</literal> the request will always be allowed.
   232 </listitem>
   233 </listitem>
   233 <listitem>
   234 <listitem>
   234 User <filename class='directory'>root/jay</filename> changes repository
   235 Any request to access the <literal>hgadmin</literal> by any other user will
   235 <filename class='directory'>hgadmin</filename>. Again, this matches the
   236 not match the first rule, but will match the second rule, and so will be
   236 first rule and so will be allowed; later rules have no effect.
   237 denied.
   237 </listitem>
   238 </listitem>
   238 <listitem>
   239 <listitem>
   239 User <filename class='directory'>users/sam</filename> tries to read
   240 Any request to create a repository from a user with a key in <filename
   240 repository <filename class='directory'>hgadmin</filename>. This does not
   241 class='directory'>keys/users</filename> will not match the first or second
   241 match the first rule, but matches the second, and so will be denied.
   242 rules, but will match the third rule. This is a <literal>write</literal>
   242 </listitem>
   243 rule, which doesn't grant the privilege to create repositories, so the
   243 <listitem>
   244 request will be denied.
   244 User <filename class='directory'>users/sam</filename> tries to create
   245 </listitem>
   245 repository <filename class='directory'>sams-project</filename>. This does
   246 <listitem>
   246 not match the first two rules, but matches the third; this is a
   247 Any request to access an existing repository from a user with a key in
   247 <literal>write</literal> rule, which doesn't grant the privilege to create
   248 <filename class='directory'>keys/users</filename> will not match the first
   248 repositories, so the request will be denied.
   249 or second rules, but will match the third rule, which grants
   249 </listitem>
   250 <literal>write</literal> privilege, so the request will be allowed.
   250 <listitem>
   251 </listitem>
   251 User <filename class='directory'>users/sam</filename> writes to existing
   252 <listitem>
   252 repository <filename class='directory'>projects/main</filename>. Again,
   253 Any request from any user whose key is in neither <filename
   253 this matches the third rule, which allows the request.
   254 class='directory'>keys/root</filename> nor <filename
   254 </listitem>
   255 class='directory'>keys/users</filename> will not match any rule and so will
   255 <listitem>
   256 be denied. Unless it matches the second rule, in which case it will still
   256 User <filename class='directory'>pat</filename> tries to write to existing
   257 be denied.  Changes to the <filename>access.conf</filename> in <literal>hgadmin</literal> will change that, as the example at the start of this section shows.
   257 repository <filename class='directory'>widget</filename>. Until we change
       
   258 the <filename>access.conf</filename> file in <filename
       
   259 class='directory'>hgadmin</filename>, this will match no rule, and so will
       
   260 be denied.
   258 </listitem>
   261 </listitem>
   259 <listitem>
   262 <listitem>
   260 Any request from a user whose key not under the <filename
   263 Any request from a user whose key not under the <filename
   261 class='directory'>keys</filename> directory at all will always be denied,
   264 class='directory'>keys</filename> directory at all will always be denied,
   262 no matter what rules are in effect; because of the way SSH authentication
   265 no matter what rules are in effect; because of the way SSH authentication
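Review bot: the new "User pat" bullet (new lines 256-260) never says where pat's key lives, so it is easy to confuse with the bullet that follows it about keys outside the keys directory entirely, which is denied regardless of access.conf. Say explicitly that pat's key is under keys but in neither keys/root nor keys/users, e.g. "User pat, whose key is under keys but in neither keys/root nor keys/users, tries to write to existing repository widget", so the reader sees why this case is fixable by editing access.conf while the next one is not. Also, the unchanged line "Any request from a user whose key not under the keys directory" (new line 260) is missing a verb: "whose key is not under". Minor: new line 225 has a double space after "repositories."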