Differences between revisions 14 and 19 (spanning 5 versions)
Revision 14 as of 2010-04-29 13:53:07
Size: 2195
Editor: Elifarley
Comment: Removed the 'extensions' section, since it makes no difference here
Revision 19 as of 2010-10-21 22:50:28
Size: 3327
Editor: mpm
Comment:
Deletions are marked like this. Additions are marked like this.
Line 1: Line 1:
== Acl Extension == #pragma section-numbers 2
= ACL Extension =

Restrict changes via access control lists.

<<TableOfContents>>

== Status ==
Line 6: Line 13:
=== Overview ===
== Overview ==
Line 13: Line 21:
=== Configuration === == Configuration ==
Line 16: Line 24:
Line 17: Line 26:
[hooks]
# You can have ACL checks active at commit time, at push time, or both.		   [hooks]
Line 20: Line 28:
# Activates ACL at push time:
pretxnchangegroup.acl = python:hgext.acl.hook		   # Use this if you want to check access restrictions at commit time
  pretxncommit.acl = python:hgext.acl.hook
  
  # Use this if you want to check access restrictions for pull, push,
  # bundle and serve.
  pretxnchangegroup.acl = python:hgext.acl.hook
Line 23: Line 35:
# Activates ACL at commit time:
pretxncommit.acl = python:hgext.acl.hook		   [acl]
  # Check whether the source of incoming changes is in this list where
  # "serve" == ssh or http, and "push", "pull" and "bundle" are the
  # corresponding hg commands.
  sources = serve
Line 26: Line 41:
[acl]
# This is only checked at push time:
sources = serve # check if source of incoming changes in this list
                       # ("serve" == ssh or http, "push", "pull", "bundle")		   [acl.groups]
  # If a group name is not defined here, and Mercurial is running under
  # a Unix-like system, the list of users will be taken from the OS.
  # Otherwise, an exception will be raised.
  @designers = user1, user2
Line 31: Line 47:
[acl.deny]
# This list is checked first. If a match is found, 'acl.allow' won't be checked.
# if acl.deny not present, no users denied by default
# empty acl.deny = all users allowed
# Format for both lists: glob pattern = user4, user5
# To match everyone, use an asterisk for the user:
# my/glob/pattern = *		   [acl.deny.branches]
  
  # Everyone is denied to the frozen branch:
  frozen-branch = *
  
  # A bad user is denied on all branches:
  * = bad-user
  
  [acl.allow.branches]
  
  # A few users are allowed on branch-a:
  branch-a = user-1, user-2, user-3
  
  # Only one user is allowed on branch-b:
  branch-b = user-1
  
  # The super user is allowed on any branch:
  * = super-user
  
  # Everyone is allowed on branch-for-tests:
  branch-for-tests = *
Line 39: Line 69:
# user6 won't have write access to any file:
** = user6		   [acl.deny]
  # This list is checked first. If a match is found, acl.allow is not
  # checked. All users are granted access if acl.deny is not present.
  # Format for both lists: glob pattern = user, ..., @group, ...
Line 42: Line 74:
# Nobody will be able to change 'DONT-TOUCH-THIS.txt', despite everyone being able to change all other files. See below.)
src/main/resources/DONT-TOUCH-THIS.txt = *		   # To match everyone, use an asterisk for the user:
  # my/glob/pattern = *
Line 45: Line 77:
[acl.allow]
# if acl.allow not present, all users allowed by default
# empty acl.allow = no users allowed		   # user6 will not have write access to any file:
  ** = user6
Line 49: Line 80:
# User 'doc_writer' has write access to any file under the 'docs' folder:
docs/** = doc_writer		   # Group "hg-denied" will not have write access to any file:
  ** = @hg-denied
Line 52: Line 83:
# Everyone (except for 'user6'. See 'acl.deny' above) will have write access to any file under the 'resources' folder (except for 1 file. See 'acl.deny'):
src/main/resources/** = *		   # Nobody will be able to change "DONT-TOUCH-THIS.txt", despite
  # everyone being able to change all other files. See below.
  src/main/resources/DONT-TOUCH-THIS.txt = *
Line 55: Line 87:
.hgtags = release_engineer   [acl.allow]
  # if acl.allow not present, all users allowed by default
  # empty acl.allow = no users allowed
Line 57: Line 91:
  # User "doc_writer" has write access to any file under the "docs"
  # folder:
  docs/** = doc_writer

  # User "jack" and group "designers" have write access to any file
  # under the "images" folder:
  images/** = jack, @designers

  # Everyone (except for "user6" - see acl.deny above) will have write
  # access to any file under the "resources" folder (except for 1
  # file. See acl.deny):
  src/main/resources/** = *

  .hgtags = release_engineer
Line 60: Line 108:
CategoryExtension CategoryBundledExtension

ACL Extension

Restrict changes via access control lists.

Contents

  1. Status
  2. Overview
  3. Configuration

1. Status

This extension is currently being distributed along with Mercurial.

Author: Vadim Gelfer

2. Overview

The ACL extension lets you have fine grained access control to parts of a repository using deny and allow lists. These lists associate glob patterns to users. Furthermore, it can restrict changes depending on its source (http, ssh, pull, push, bundle).

It's recommended that this extension is used with hg-ssh (a restricted shell for Mercurial ssh access) to tighten security.

3. Configuration

Below is an example configuration file (hgrc). The acl lists use the pattern = user syntax, where pattern is a glob by default. : 

  [hooks]

  # Use this if you want to check access restrictions at commit time
  pretxncommit.acl = python:hgext.acl.hook
  
  # Use this if you want to check access restrictions for pull, push,
  # bundle and serve.
  pretxnchangegroup.acl = python:hgext.acl.hook

  [acl]
  # Check whether the source of incoming changes is in this list where
  # "serve" == ssh or http, and "push", "pull" and "bundle" are the
  # corresponding hg commands.
  sources = serve

  [acl.groups]
  # If a group name is not defined here, and Mercurial is running under
  # a Unix-like system, the list of users will be taken from the OS.
  # Otherwise, an exception will be raised.
  @designers = user1, user2

  [acl.deny.branches] 
  
  # Everyone is denied to the frozen branch: 
  frozen-branch = * 
  
  # A bad user is denied on all branches: 
  * = bad-user 
  
  [acl.allow.branches] 
  
  # A few users are allowed on branch-a: 
  branch-a = user-1, user-2, user-3 
  
  # Only one user is allowed on branch-b: 
  branch-b = user-1 
  
  # The super user is allowed on any branch: 
  * = super-user 
  
  # Everyone is allowed on branch-for-tests: 
  branch-for-tests = * 

  [acl.deny]
  # This list is checked first. If a match is found, acl.allow is not
  # checked. All users are granted access if acl.deny is not present.
  # Format for both lists: glob pattern = user, ..., @group, ...

  # To match everyone, use an asterisk for the user:
  # my/glob/pattern = *

  # user6 will not have write access to any file:
  ** = user6

  # Group "hg-denied" will not have write access to any file:
  ** = @hg-denied

  # Nobody will be able to change "DONT-TOUCH-THIS.txt", despite
  # everyone being able to change all other files. See below.
  src/main/resources/DONT-TOUCH-THIS.txt = *

  [acl.allow]
  # if acl.allow not present, all users allowed by default
  # empty acl.allow = no users allowed

  # User "doc_writer" has write access to any file under the "docs"
  # folder:
  docs/** = doc_writer

  # User "jack" and group "designers" have write access to any file
  # under the "images" folder:
  images/** = jack, @designers

  # Everyone (except for "user6" - see acl.deny above) will have write
  # access to any file under the "resources" folder (except for 1
  # file. See acl.deny):
  src/main/resources/** = *

  .hgtags = release_engineer

CategoryBundledExtension

AclExtension (last edited 2015-05-04 18:19:06 by DisplayName)