README
author Paul Crowley <paul@lshift.net>
Thu, 17 Apr 2008 16:50:17 +0100
changeset 11 f3c73c9fc0ff
parent 10 524b4a45ef0a
child 12 834426fcbada
permissions -rw-r--r--
add newline to error message

hg-admin-tools version 0.1

A set of tools for managing authorization and access control for
ssh-based Hg repositories

Paul Crowley, paul@lshift.net, 2008-04-15

This software may be used and distributed according to the terms
of the GNU General Public License, incorporated herein by reference.

INSTRUCTIONS FOR USE:

This describes only one possible setup - it can be tweaked in many
ways, and is as specific as it is only in the interests of brevity.

You, and all users of your Hg repository, will need SSH public key
authentication set up, preferably working with ssh-agent so you don't
have to type in your passphrase all the time.  I assume you've done
that in what follows, so if you've done something different you'll
need to change it appropriately.

Create a user called "hg" on the machine where the repository will
live.  I used the command

  sudo adduser --system --shell /bin/sh --group --disabled-password \
    --gecos "Mercurial repository" hg

Now create a basic access control setup.

   cd
   mkdir hg
   cd hg
   hg clone ssh://hg.opensource.lshift.net/hg-admin-tools hg-admin-tools
   mkdir -p hgadmin/keys/admin
   cd hgadmin
   ssh-add -L > keys/admin/myname
   echo "init admin/* *" > hg-ssh-access.conf
   hg init .
   hg add
   hg commit -m "Initial configuration"

You can use whatever you want in place of "myname" and indeed "admin".
The files in ~/hg must be readable by the hg user.  Issue these
commands to become the hg user and set up the repository

   sudo -u hg -s
   cd ~hg
   mkdir admin repos
   hg clone ~/hg/hg-admin-tools admin/hg-admin-tools
   hg clone ~/hg/hgadmin repos/hgadmin
   cp admin/hg-admin-tools/hgadmin-hgrc repos/hgadmin/.hg/hgrc
   cp admin/hg-admin-tools/hg-ssh-wrapper hg-ssh-wrapper
   cd repos/hgadmin
   ../../admin/hg-admin-tools/refresh-auth
   exit

You should now have SSH access to this repository and full control,
which you can test like so:

   cd ~/hg/hgadmin
   echo "[paths]" >> .hg/hgrc
   echo "default = ssh://hg@localhost/hgadmin"  >> .hg/hgrc
   hg pull
   hg push

These attempts to push and pull should report no new changes but
otherwise work.

You can now add other users by putting their keys in an appropriate
subdirectory of the "keys" directory, and control their access by
editing hg-ssh-access.conf.  Changes will take effect as soon as you
push them to the remote ssh server.

Each line of hg-ssh-access.conf has the following syntax:

<rule> <keypattern> <repositorypattern>

The "rule" is either "init", "allow", or "deny".  "keypattern" is a
glob pattern matched against the name of the key used - for example,
in our initial setup "admin/myname" matches "admin/*".
"repositorypattern" is a pattern matched against the repository name -
so "hgadmin" matches "*".  Only boring characters are allowed in
patterns and key and repository names - see the source for details.
Blank lines and lines that start with "#" are ignored.
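As an added example (not code from hg-admin-tools), here is a small Python parser that applies the rule syntax above to a constructed hg-ssh-access.conf and decides access for a given key and repository name. The "boring characters" whitelist, first-match-wins precedence and default-deny are assumptions of this example, since the README leaves them to the source.

```python
import fnmatch
import re

# Assumed whitelist for the README's "boring characters"; the real check lives
# in the tool's source and may differ. '*' is allowed so patterns can glob.
BORING = re.compile(r"^[A-Za-z0-9_.\-/*]+$")
RULES = ("init", "allow", "deny")

# Constructed sample: the README's initial rule plus two rules for guest keys.
CONSTRUCTED_CONF = """
# admins may create repositories and do anything
init admin/* *
deny guests/* hgadmin
allow guests/* public-*
"""

def parse_access_conf(text):
    """Parse hg-ssh-access.conf into (rule, keypattern, repopattern) tuples.
    Blank and '#' lines are ignored; any other malformed line is rejected so a
    typo cannot silently widen access."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("line %d: expected <rule> <keypattern> <repositorypattern>" % lineno)
        rule, keypat, repopat = fields
        if rule not in RULES:
            raise ValueError("line %d: unknown rule %r" % (lineno, rule))
        for field in (keypat, repopat):
            if not BORING.match(field) or ".." in field:
                raise ValueError("line %d: disallowed characters in %r" % (lineno, field))
        rules.append((rule, keypat, repopat))
    return rules

def check_access(rules, keyname, reponame):
    """Return the first matching rule for (keyname, reponame), else "deny".
    First-match-wins and default-deny are this example's assumptions; the
    README does not state the tool's precedence."""
    # Names (as opposed to patterns) must be boring too: no globbing, no "..".
    for name in (keyname, reponame):
        if not BORING.match(name) or "*" in name or ".." in name:
            return "deny"
    for rule, keypat, repopat in rules:
        if fnmatch.fnmatchcase(keyname, keypat) and fnmatch.fnmatchcase(reponame, repopat):
            return rule
    return "deny"
```

With the constructed configuration, "admin/myname" on "hgadmin" yields "init" exactly as in the initial setup, while a guest key on an unlisted repository falls through to the default deny.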