# HG changeset patch # User Paul Crowley # Date 1208279633 -3600 # Node ID a69f7bea408c0aff225e40c371d651f2baa24a03 # Parent 5bc7446cd2d1d84379a8a90e6db98ee451b9eaca added a README to describe how this works. diff -r 5bc7446cd2d1 -r a69f7bea408c README --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/README Tue Apr 15 18:13:53 2008 +0100 
@@ -0,0 +1,66 @@ +hg-admin-tools version 0.1 + +A set of tools for managing authorization and access control for +ssh-based Hg repositories + +Paul Crowley, paul@lshift.net, 2008-04-15 + +This software may be used and distributed according to the terms +of the GNU General Public License, incorporated herein by reference. + +INSTRUCTIONS FOR USE: + +This is only one setup - it can be tweaked in many ways, and is as specific as it is only in the interests of brevity. + +You, and all users of your Hg repository, will need SSH public key authentication set up, preferably working with ssh-agent so you don't have to type in your passphrase all the time. I assume you've done that in what follows, so if you've done something different you'll need to change it appropriately. + +Create a user called "hg" on the machine where the repository will live. I used the command + +sudo adduser --system --shell /bin/sh --group --disabled-password --gecos "Mercural repository" hg + +Now create a basic access control setup. + + cd + mkdir hg + cd hg + hg clone ssh://hg.opensource.lshift.net/hg-admin-tools hg-admin-tools + mkdir -p hgadmin/keys/admin + cd hgadmin + ssh-add -L > keys/admin/myname + echo "init admin/* *" > hg-ssh-access.conf + hg init . + hg add + hg commit -m "Initial configuration" + +You can use whatever you want in place of "myname" and indeed "admin". The files in ~/hg must be readable by the hg user. 
Issue these commands to become the hg user and set up the repository + + sudo -u hg -s + cd ~hg + mkdir admin repos + hg clone ~/hg/hg-admin-tools admin/hg-admin-tools + hg clone ~/hg/hgadmin repos/hgadmin + cp admin/hg-admin-tools/hgadmin-hgrc repos/hgadmin/.hg/hgrc + cp admin/hg-admin-tools/hg-ssh-wrapper .hg-ssh-wrapper + cd repos/hgadmin + ../../admin/hg-admin-tools/refresh-auth + exit + +You should now have SSH access to this repository and full control, which you can test like so: + + cd ~/hg/hgadmin + echo "[paths]" >> .hg/hgrc + echo "default = ssh://hg@localhost/hgadmin" >> .hg/hgrc + hg pull + hg push + +These attempts to push and pull should report no new changes but otherwise work. + +You can now add other users by putting their keys in an appropriate subdirectory of the "keys" directory, and control their access by editing hg-ssh-access.conf. Changes will take effect as soon as you push them to the remote ssh server. + +hg-ssh-access.conf has the following syntax: + + + +The "rule" is either "init", "allow", or "deny". "keypattern" is a glob pattern matched against the name of the key used - for example, in our initial setup "admin/myname" matches "admin/*". "repositorypattern" is a pattern matched againt the repository name - so "hgadmin" matches "*". Only boring characters are allowed in patterns and key and repository names - see the source for details. Blank lines and lines that start with "#" are ignored. + + diff -r 5bc7446cd2d1 -r a69f7bea408c hgadmin-hgrc --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/hgadmin-hgrc Tue Apr 15 18:13:53 2008 +0100 @@ -0,0 +1,4 @@ +[hooks] +changegroup.aaaaa_update = hg update -C default > /dev/null +changegroup.refreshauth = ../../admin/hg-admin-tools/refresh-auth +
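Review bot: in the README hunk, the line that should follow "hg-ssh-access.conf has the following syntax:" is empty, so the file format is never actually stated; from the explanation that follows it appears to be one rule per line in the form "rule keypattern repositorypattern", and the README should spell that out (and show the "init admin/* *" line from the setup as an example). Two smaller points in the same hunk: "ssh-add -L > keys/admin/myname" writes every public key currently loaded in the agent into the admin key file, not just the intended one, so the text should tell the reader to check the file contains a single key before committing it; and the typos "Mercural" in the adduser --gecos string and "againt" in the pattern explanation.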
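Review bot: in the hgadmin-hgrc hunk the "aaaaa_" prefix on the update hook is evidently there so that it sorts before "changegroup.refreshauth" and the working copy is refreshed before refresh-auth reads it, but nothing says so; add a comment line in the hgrc explaining the ordering dependency, since anyone renaming the hook would silently break it. Also, "hg update -C default > /dev/null" discards any output from the update, so if the update fails the authorization refresh runs against a stale checkout with no visible sign; consider dropping the redirect, or at least not hiding stderr. Finally, the relative path "../../admin/hg-admin-tools/refresh-auth" only works with the exact repos/hgadmin and admin/hg-admin-tools layout from the README, which is worth noting next to the hook.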