Using access.conf

Using access.conf -mercurial-server offers much more fine-grained access control than this division into two classes of users. Let's suppose you wish to give Pat access to the widget repository, but no other. We first copy Pat's SSH public key into the keys/pat directory in hgadmin. This tells mercurial-server about Pat's key, but gives Pat no access to anything because the key is not under either widget repository, but no other. We first copy Pat's SSH public key into the keys/pat directory in hgadmin. This tells mercurial-server about Pat's key, but gives Pat no access to anything because the key is not under either keys/root or keys/users. To grant this key access, we must give mercurial-server a new access rule, so we create a file in hgadmin called access.conf, with the following contents: +class='directory'>keys/users. To grant this key access, we must give mercurial-server a new access rule, so we create a file in hgadmin called access.conf, with the following contents: # Give Pat access to the "widget" repository write repo=widget user=pat -Pat will have read and write access to the widget repository as soon as we add, commit, and push these files. +Pat will have read and write access to the widget repository as soon as we add, commit, and push these files. Each line of access.conf has the following syntax: @@ -204,7 +213,8 @@ When considering a request, mercurial-server steps through all the rules in /etc/mercurial-server/access.conf and then all the -rules in access.conf in hgadmin +rules in access.conf in hgadmin looking for a rule which matches on every condition. The first match determines whether the request will be allowed; if there is no match in either file, the request will be denied. @@ -219,7 +229,8 @@ These rules ensure that root users can do any operation on any repository, -that no other users can access the hgadmin repository, +that no other users can access the hgadmin repository, and that those with keys in keys/users can read or write to any repository but not create repositories. Some examples of how these rules work: @@ -272,7 +283,8 @@ /etc/mercurial-server and hgadmin mercurial-server consults two distinct locations to collect information about what to allow: /etc/mercurial-server and its own hgadmin repository. This is useful for several reasons: +class='directory'>/etc/mercurial-server and its own hgadmin repository. This is useful for several reasons: @@ -285,7 +297,8 @@ xlink:href="http://reductivelabs.com/products/puppet">Puppet -If a change to hgadmin leaves you "locked out", hgadmin leaves you "locked out", /etc/mercurial-server allows you a way back in. @@ -293,16 +306,21 @@ -Rules in /etc/mercurial-server/access.conf are checked before those in hgadmin, and keys in /etc/mercurial-server/keys will be present no matter how hgadmin changes. +Rules in /etc/mercurial-server/access.conf are checked before those in hgadmin, and keys in /etc/mercurial-server/keys will be present no matter how hgadmin changes. We anticipate that once mercurial-server is successfully installed and -working you will usually want to use hgadmin for most +working you will usually want to use hgadmin for most access control tasks. Once you have the right keys and -access.conf set up in hgadmin, you +access.conf set up in hgadmin, you can delete /etc/mercurial-server/access.conf and all of /etc/mercurial-server/keys, -turning control entirely over to hgadmin. +turning control entirely over to hgadmin. /etc/mercurial-server/remote-hgrc is in the @@ -438,9 +456,11 @@ refresh-auth recurses through the /etc/mercurial-server/keys and the keys directory in the -hgadmin repository, creating an entry in +hgadmin repository, creating an entry in ~hg/.ssh/authorized_keys for each one. This is redone -automatically whenever a change is pushed to hgadmin. +automatically whenever a change is pushed to hgadmin.