added a README to describe how this works.
author Paul Crowley <paul@lshift.net>
Tue, 15 Apr 2008 18:13:53 +0100
changeset 2 a69f7bea408c
parent 1 5bc7446cd2d1
child 3 7e659a6870de
README
hgadmin-hgrc
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/README	Tue Apr 15 18:13:53 2008 +0100
@@ -0,0 +1,66 @@
+hg-admin-tools version 0.1
+
+A set of tools for managing authorization and access control for
+ssh-based Hg repositories
+
+Paul Crowley, paul@lshift.net, 2008-04-15
+
+This software may be used and distributed according to the terms
+of the GNU General Public License, incorporated herein by reference.
+
+INSTRUCTIONS FOR USE:
+
+This is only one setup - it can be tweaked in many ways, and is as specific as it is only in the interests of brevity.
+
+You, and all users of your Hg repository, will need SSH public key authentication set up, preferably working with ssh-agent so you don't have to type in your passphrase all the time.  I assume you've done that in what follows, so if you've done something different you'll need to change it appropriately.
+
+Create a user called "hg" on the machine where the repository will live.  I used the command
+
+sudo adduser --system --shell /bin/sh --group --disabled-password --gecos "Mercural repository" hg
+
+Now create a basic access control setup.  
+
+   cd
+   mkdir hg
+   cd hg
+   hg clone ssh://hg.opensource.lshift.net/hg-admin-tools hg-admin-tools
+   mkdir -p hgadmin/keys/admin
+   cd hgadmin
+   ssh-add -L > keys/admin/myname
+   echo "init admin/* *" > hg-ssh-access.conf
+   hg init .
+   hg add
+   hg commit -m "Initial configuration"
+
+You can use whatever you want in place of "myname" and indeed "admin".  The files in ~/hg must be readable by the hg user.  Issue these commands to become the hg user and set up the repository
+
+   sudo -u hg -s
+   cd ~hg
+   mkdir admin repos
+   hg clone ~/hg/hg-admin-tools admin/hg-admin-tools
+   hg clone ~/hg/hgadmin repos/hgadmin
+   cp admin/hg-admin-tools/hgadmin-hgrc repos/hgadmin/.hg/hgrc
+   cp admin/hg-admin-tools/hg-ssh-wrapper .hg-ssh-wrapper
+   cd repos/hgadmin
+   ../../admin/hg-admin-tools/refresh-auth
+    exit
+
+You should now have SSH access to this repository and full control, which you can test like so:
+
+   cd ~/hg/hgadmin
+   echo "[paths]" >> .hg/hgrc
+   echo "default = ssh://hg@localhost/hgadmin"  >> .hg/hgrc
+   hg pull
+   hg push
+
+These attempts to push and pull should report no new changes but otherwise work.
+
+You can now add other users by putting their keys in an appropriate subdirectory of the "keys" directory, and control their access by editing hg-ssh-access.conf.  Changes will take effect as soon as you push them to the remote ssh server.
+
+hg-ssh-access.conf has the following syntax:
+
+<rule> <keypattern> <repositorypattern>
+
+The "rule" is either "init", "allow", or "deny".  "keypattern" is a glob pattern matched against the name of the key used - for example, in our initial setup "admin/myname" matches "admin/*".  "repositorypattern" is a pattern matched againt the repository name - so "hgadmin" matches "*".  Only boring characters are allowed in patterns and key and repository names - see the source for details.  Blank lines and lines that start with "#" are ignored.
+
+
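Review bot: the hg-ssh-access.conf paragraph at the end of the README names the three rules ("init", "allow", "deny") but never says what each one grants, in what order rules are evaluated, or what happens when no rule matches, so a reader cannot tell what access the single `init admin/* *` line from the setup steps leaves everyone else with. Please document those semantics and list the permitted characters here instead of pointing at the source. In the setup steps, `ssh-add -L > keys/admin/myname` writes every public key currently loaded in the agent into that file, so the README should say whether registering all of them under admin/ is intended or whether a single .pub file should be copied instead. Smaller points: "Mercural" in the adduser --gecos string and "againt" are typos, the adduser command is not indented like the other command blocks, and the `exit` line is indented one space more than the rest of its block.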
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/hgadmin-hgrc	Tue Apr 15 18:13:53 2008 +0100
@@ -0,0 +1,4 @@
+[hooks]
+changegroup.aaaaa_update = hg update -C default > /dev/null
+changegroup.refreshauth = ../../admin/hg-admin-tools/refresh-auth
+
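Review bot: `changegroup.aaaaa_update` has no comment explaining its name; the `aaaaa_` prefix looks like it exists to make the working-copy update run before `changegroup.refreshauth`, and that ordering dependency should be stated in the file. The `refreshauth` hook also uses a relative path (`../../admin/hg-admin-tools/refresh-auth`) that only resolves with the repos/hgadmin and admin/hg-admin-tools layout the README sets up under the hg user's home; a comment saying so, or an absolute path, would make that dependency explicit.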