mercurial-servermercurial-server makes a group of repositories available to the developersyou choose, identified by ssh keys, with easy key and access managementbased on hg.http://www.lshift.net/mercurial-server.htmlCopyright (C) 2008-2009 LShift Ltd. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.SUMMARYmercurial-server makes a group of repositories available to the developersyou choose, identified by ssh keys, with easy key and access managementbased on hg.All of the repositories controlled by mercurial-server are owned by asingle user (the "hg" user in what follows), but many remote users can acton them, and different users can have different permissions. We don't usefile permissions to achieve that - instead, developers log in as the "hg"user when they connect to the repository host using ssh, using ssh URLs ofthe form "ssh://hg@repository-host/repository-name". A restricted shellprevents them from using this access for unauthorized purposes. Developersare authenticated only using SSH keys; no other form of authentication issupported. To give a user access to the repository, place their key in anappropriately-named subdirectory of "/etc/mercurial-server/keys" and run"/usr/local/share/mercurial-server/refresh-auth". You can then control whataccess they have to what repositories by editing the control file"/etc/mercurial-server/access.conf", which can match the names of these keysagainst a glob pattern. For convenient remote control of access, you can instead (if you have theprivileges) make changes to a special repository called "hgadmin", whichcontains its own "access.conf" file and "keys" directory. Changes pushed tothis repository take effect immediately. The two "access.conf" files areconcatenated, and the keys directories merged.QUICK STARTYou and all developers using this system will need an SSH public key, andwill almost certainly want to be running ssh-agent (or its equivalent, egPageant under Windows). If you're not familiar with ssh-agent, you shouldlearn about that before using this.In what follows, certain operations (eg installing mercurial-server itself)have to be done on the repository server (which we call "repository-host"),but any operation that involves checking in or out of Mercurial can be donewherever is most convenient to you; the most usual arrangment would be thatyou'd do these things at the machine you sit at, and on which you runssh-agent, which is what authenticates you when you talk to the repositoryserver.Ensure there is no user called "hg" on the repository host, and run"./install". This installs the mercurial-server files and control files, andcreates and sets up the "hg" user.Place your SSH public key in the directory "/etc/mercurial-server/keys/root".I suggest creating yourself a directory and naming the key after your hostname(ie the file is called something like"/etc/mercurial-server/keys/root/yourname/yourhostname") so that you caneasily manage users who have a different key on each host they use. Then run"/usr/local/share/mercurial-server/refresh-auth".The repository is now ready to use, and you are now the sole user able tochange and create repositories on this repository host. CREATING REPOSITORIESTo create a new repository, you clone a local repository onto the remoteserver. So if you want a new empty repository called "myproject", you can do(as yourself): hg init myproject hg clone myproject ssh://hg@repository-host/myprojectADDING OTHER USERSBecause your key is in the "keys/root" subdirectory, you have the equivalentof "root privileges" over mercurial-server (not the whole computer, justmercurial-server). You can add other root users by putting their keys next toyours, or you can make less privileged users by putting their keys in the"keys/users" subdirectory - these users will be able to read and write to anyrepository (except one - see below) but will not be able to create newrepositories. As always, when you change "/etc/mercurial-server/keys" you needto re-run "/usr/local/share/mercurial-server/refresh-auth".LOGGINGEvery push and pull is logged with the key used: see the file .hg/serve-log ineach repository.USING HGADMINIt can be inconvenient to log on to the repository server, become root, copykeys around, and run "refresh-auth" every time you want to change userprivileges. This is where mercurial-server shines :-) Suppose you have anotheruser's SSH public key in the file "/tmp/theirkey" (on the machine you sit at,not necessarily the repository server) and you want to give them user-levelaccess to the repository server. Run these commands: hg clone ssh://hg@repository-server/hgadmin cd hgadmin mkdir keys/users/thatuser cp /tmp/theirkey keys/users/thatuser/theirhostname hg add hg commit -m "Added key for thatuser" hg pushIn other words, hgadmin is a version controlled version of"/etc/mercurial-server", and changes to it take effect immediately -"refresh-auth" is run after every push. With the default access.conf file (see doc/configuring-access for moredetails) only users in "keys/root" can act on "hgadmin" - those with keys in"keys/users" cannot even read this repository. So multiple admins can useMercurial's version control to cooperate on controlling access to therepository server in a natural way.You can also create an "access.conf" file in hgadmin, and this is appended to/etc/mercurial-server/access.conf whenever this is read - in other words,rules in the latter take precedence over those in the former. So once you'reworking with "hgadmin", it can be convenient to remove all the keys in"/etc/mercurial-server/keys" and all the entries in"/etc/mercurial-server/access.conf" and use hgadmin to control everything. Ifyou find yourself locked out, you can get back in again by restoring some ofthe entries you removed from these files.MORE INFORMATIONFor more on how to use mercurial-server and configure access, see the files inthe doc directory.THANKSThanks for reading this far. If you use mercurial-server, please tell me aboutit.Paul Crowley, paul@lshift.net, 2009