Differences between revisions 11 and 25 (spanning 14 versions)
Revision 11 as of 2010-04-03 10:48:46
Size: 1823
Editor: Elifarley
Comment: More details given. Added explanation about new feature: support for matching everyone (using an asterisk)
Revision 25 as of 2015-05-04 18:19:06
Size: 3823
Editor: DisplayName
Comment:
Revision 11's example configuration, as recorded in the wiki's diff view (revision 25 is rendered in full below; it replaced this block with the longer sample, merged the two-line overview into one paragraph, and added the note, the table of contents and section numbering):

  [extensions]
  hgext.acl=

  [hooks]
  pretxnchangegroup.acl = python:hgext.acl.hook

  [acl]
  sources = serve # check if source of incoming changes in this list
                  # ("serve" == ssh or http, "push", "pull", "bundle")

  [acl.deny]
  # This list is checked first. If a match is found, 'acl.allow' won't be checked.
  # if acl.deny not present, no users denied by default
  # empty acl.deny = all users allowed
  # Format for both lists: glob pattern = user4, user5
  # To match everyone, use an asterisk for the user:
  # my/glob/pattern = *

  # user6 won't have write access to any file:
  ** = user6

  [acl.allow]
  # if acl.allow not present, all users allowed by default
  # empty acl.allow = no users allowed

  # User 'doc_writer' has write access to any file under the 'docs' folder:
  docs/** = doc_writer

  # Everyone will have write access to any file under the 'resources' folder (except for 'user6'. See 'acl.deny' above):
  src/main/resources/** = *

  .hgtags = release_engineer

Revision 11 ended with the category tag CategoryExtension; revision 25 changed it to CategoryBundledExtension.

ACL Extension

Restrict changes via access control lists.

/!\ NOTE: This extension does not enable a workflow similar to that granted by DAV SVN even if they look very similar. Mercurial can't do partial commits, nor can it limit the change list sent (which in effect means all changes across a repository must be sent in its entirety). Such limited functionality can be supplied by subrepositories.

1. Status

This extension is currently being distributed along with Mercurial.

Author: Vadim Gelfer

2. Overview

The ACL extension gives you fine-grained access control to parts of a repository using deny and allow lists. These lists associate glob patterns with users. Furthermore, it can restrict changes depending on their source (http, ssh, pull, push, bundle).

It is recommended to use this extension together with hg-ssh (a restricted shell for Mercurial ssh access) to tighten security.

3. Configuration

Below is an example configuration file (hgrc). The acl lists use the pattern = user syntax, where pattern is a glob by default:

  [hooks]

  # Use this if you want to check access restrictions at commit time
  pretxncommit.acl = python:hgext.acl.hook

  # Use this if you want to check access restrictions for pull, push,
  # bundle and serve.
  pretxnchangegroup.acl = python:hgext.acl.hook

  [acl]
  # Check whether the source of incoming changes is in this list where
  # "serve" == ssh or http, and "push", "pull" and "bundle" are the
  # corresponding hg commands.
  sources = serve

  [acl.groups]
  # If a group name is not defined here, and Mercurial is running under
  # a Unix-like system, the list of users will be taken from the OS.
  # Otherwise, an exception will be raised.
  designers = user1, user2

  [acl.deny.branches]

  # Everyone is denied on the frozen branch:
  frozen-branch = *

  # A bad user is denied on all branches:
  * = bad-user

  # Only reviewers are allowed to write to the stable branch (by denying
  # those not in the reviewers group using the negation operator !)
  stable = !@reviewers

  [acl.allow.branches]

  # A few users are allowed on branch-a:
  branch-a = user-1, user-2, user-3

  # Only one user is allowed on branch-b:
  branch-b = user-1

  # The super user is allowed on any branch:
  * = super-user

  # Everyone is allowed on branch-for-tests:
  branch-for-tests = *

  [acl.deny]
  # This list is checked first. If a match is found, acl.allow is not
  # checked. All users are granted access if acl.deny is not present.
  # Format for both lists: glob pattern = user, ..., @group, ...

  # To match everyone, use an asterisk for the user:
  # my/glob/pattern = *

  # user6 will not have write access to any file:
  ** = user6

  # Group "hg-denied" will not have write access to any file:
  ** = @hg-denied

  # Nobody will be able to change "DONT-TOUCH-THIS.txt", despite
  # everyone being able to change all other files. See below.
  src/main/resources/DONT-TOUCH-THIS.txt = *

  [acl.allow]
  # if acl.allow not present, all users allowed by default
  # empty acl.allow = no users allowed

  # User "doc_writer" has write access to any file under the "docs"
  # folder:
  docs/** = doc_writer

  # User "jack" and group "designers" have write access to any file
  # under the "images" folder:
  images/** = jack, @designers

  # Everyone (except for "user6" - see acl.deny above) will have write
  # access to any file under the "resources" folder (except for 1
  # file. See acl.deny):
  src/main/resources/** = *

  .hgtags = release_engineer
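To make the deny-first, then allow semantics of the lists above concrete, here is an added Python model that evaluates the sample rules; it is not hgext.acl itself and not from the original page. The group table is constructed: the sample defines only designers, so the reviewers and hg-denied groups and their members are assumed.

```python
import re

# Constructed group table (the sample hgrc defines only "designers"; the
# other two are assumed here to exercise @group and !@group entries).
GROUPS = {"designers": {"user1", "user2"}, "reviewers": {"rev1", "rev2"},
          "hg-denied": {"user7"}}

def glob_to_re(pat):
    """Mercurial-style glob: '*' stays inside one path component, '**' crosses '/'."""
    out = ""
    for piece in re.split(r"(\*\*|\*)", pat):
        out += ".*" if piece == "**" else "[^/]*" if piece == "*" else re.escape(piece)
    return re.compile("^" + out + "$")

def user_matches(spec, user, groups=GROUPS):
    """One rule's right-hand side: "jack, @designers", "*", or "!@reviewers"
    (the ! prefix negates: everyone NOT in the group / not that user)."""
    for item in (s.strip() for s in spec.split(",")):
        negate = item.startswith("!")
        item = item[1:] if negate else item
        if item == "*":
            hit = True
        elif item.startswith("@"):
            hit = user in groups.get(item[1:], set())
        else:
            hit = user == item
        if hit != negate:
            return True
    return False

def permitted(name, user, deny, allow):
    """acl.deny is checked first and wins. If an acl.allow section exists (not None)
    the user must match one of its rules; if it is absent everyone is allowed.
    The file lists and the branch lists share these semantics."""
    def hit(rules):
        return any(glob_to_re(p).match(name) and user_matches(u, user) for p, u in rules)
    if hit(deny):
        return False
    return allow is None or hit(allow)

# The rules from the sample hgrc above, as (pattern, users) pairs.
DENY_FILES = [("**", "user6"), ("**", "@hg-denied"),
              ("src/main/resources/DONT-TOUCH-THIS.txt", "*")]
ALLOW_FILES = [("docs/**", "doc_writer"), ("images/**", "jack, @designers"),
               ("src/main/resources/**", "*"), (".hgtags", "release_engineer")]
DENY_BRANCHES = [("frozen-branch", "*"), ("*", "bad-user"), ("stable", "!@reviewers")]
ALLOW_BRANCHES = [("branch-a", "user-1, user-2, user-3"), ("branch-b", "user-1"),
                  ("*", "super-user"), ("branch-for-tests", "*")]
```

Note what the model shows for the stable branch: the constructed reviewer rev1 is still refused, because acl.allow.branches is present and has no rule covering stable; once an allow list exists, every branch (or file) that should remain writable must appear in it.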


CategoryBundledExtension

AclExtension (last edited 2015-05-04 18:19:06 by DisplayName)