[PATCH 2 of 2 v2] hg-ssh: more flexible permissions for hg-ssh

David Schleimer dschleimer at fb.com
Tue May 22 16:39:08 CDT 2012


> Seems lacking in docs.
 
I'll add some.

> > +        if args[0] == '--all-repos':
> > +            allrepos = True
> > +            args.pop(0)
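Review bot: args[0] is read in the first line of this hunk with no visible check that args is non-empty, and the flag is only recognised in first position. Guard it with "if args and args[0] == '--all-repos':" and state in the usage text that the option drops the per-repository allow list, since that is what an admin auditing an authorized_keys entry needs to know.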
> 
> One feature. A little worried about this one as it's super-permissive.

I've gotten enough negative feedback about it that I'll live without it.

> > +def rejectpush(ui, **kwargs):
> > +    ui.warn("Permission denied\n")
> > +    # mercurial hooks use unix process conventions for hook return values
> > +    # so a truthy return means failure
> > +    return True
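Review bot: rejectpush has no docstring, and the hunk does not show which hooks it is registered for. Please document that it is meant for both the changegroup and the pushkey pre-hooks, because a read-only key that only rejects changegroups would still let bookmark or phase updates through. The "Permission denied\n" text could also mention read-only access so users can tell it apart from a filesystem error.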
> 
> Should have been a preliminary refactoring.
> 
Not a refactoring at all. It's new code that is not useful without the --read-only flag and is necessary for that to work.

> I'm a little confused as to how adding these things onto keys is easier than
> managing the existing config methods.
> 

Existing infrastructure that assumes a particular unix user, and that uses different keys to differentiate between read-only and read-write access. There are also enough files that belong to this particular user scattered around enough places that changing it would be hard.
Adding a new unix user (or a pair of new unix users) to many thousands of machines isn't really scalable for the number of services that need one. We have a few service users and your application picks one of them based on the permissions it needs. One of those is the service version control user, for use by cron jobs and daemons that need to talk to version control, regardless of whether that means svn, git, or mercurial. There are 2 ssh keys for that user, one of which grants read-only access and one of which grants read-write access. There are 2 (now 3) authorized_keys files for that user, one of which gets distributed to all of our svn machines and has the command set to svnserve -t, with a -R for the read only key, one of which gets distributed to all of our git machines and has the command set to invoke git-shell in non-interactive mode, and now one that gets distributed to all of our mercurial machines and invokes hg-ssh and adds a --read-only for the read-only key.

I'll send another patch with only the --read-only changes, with the modifications people have suggested.

--David 
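
The per-key forced-command arrangement described in the message above (one authorized_keys entry per key, with --read-only added for the read-only key) comes down to a gate like the one below. This is an added illustration, not code from the patch or from hg-ssh itself; build_hg_argv, READ_ONLY_CONFIG, the hook key names, the "__main__" module path and the sample repository paths are assumptions made for the example.

```python
import os
import shlex

# Hook settings that make a served repository refuse incoming changes.
# "rejectpush" is the hook from the quoted patch; the "hg-ssh" suffix and the
# "__main__" module path are assumptions made for this example.
READ_ONLY_CONFIG = [
    "--config", "hooks.prechangegroup.hg-ssh=python:__main__.rejectpush",
    "--config", "hooks.prepushkey.hg-ssh=python:__main__.rejectpush",
]


def build_hg_argv(original_command, allowed_repos, read_only, cwd="/"):
    """Return the argv to hand to hg, or None if the request is refused.

    original_command is the client's request; sshd exposes it as
    SSH_ORIGINAL_COMMAND when authorized_keys sets command="...".
    """
    try:
        argv = shlex.split(original_command)
    except ValueError:  # unbalanced quotes and similar
        return None
    # Accept exactly "hg -R <path> serve --stdio"; anything else is refused.
    if len(argv) != 5 or argv[:2] != ["hg", "-R"] or argv[3:] != ["serve", "--stdio"]:
        return None
    # Normalise before comparing so "../" segments cannot escape the allow list.
    repo = os.path.normpath(os.path.join(cwd, argv[2]))
    allowed = {os.path.normpath(os.path.join(cwd, r)) for r in allowed_repos}
    if repo not in allowed:
        return None
    hg_argv = ["-R", repo, "serve", "--stdio"]
    if read_only:
        hg_argv += READ_ONLY_CONFIG  # same service user, key decides write access
    return hg_argv


if __name__ == "__main__":
    # Constructed sample requests, not taken from the thread.
    repos = ["repos/tools", "repos/www"]
    for request in ("hg -R repos/tools serve --stdio",
                    "hg -R repos/tools/../../etc serve --stdio",
                    "hg -R repos/tools serve --stdio --config x=y",
                    "/bin/sh"):
        print(request, "->", build_hg_argv(request, repos, True, "/srv/hg"))
```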

