[PATCH RESEND] hgweb: add group authorization

Wagner Bruna wagner.bruna+mercurial at gmail.com
Wed Mar 6 14:41:55 CST 2013 

Em 27-02-2013 13:59, Markus Zapke-Gründemann escreveu:
> Wagner Bruna schrieb:
>> Em 07-02-2013 15:36, Markus Zapke-Gründemann escreveu:
>>> # HG changeset patch
>>> # User Markus Zapke-Gründemann <markus at keimlink.de>
>>> # Date 1360231888 -3600
>>> # Node ID d2dbfdee987a51efb6f4ad69e3b116aa22553326
>>> # Parent  2fefd1170bf269e26bb304553009f38e0117c342
>>> hgweb: add group authorization.
>>
>> (sorry for taking so long to reply, I was kind of internet-impaired these days)
>>
>> Very useful feature IMHO. I have a few suggestions below:
>>
>>> diff --git a/mercurial/help/config.txt b/mercurial/help/config.txt
>>> --- a/mercurial/help/config.txt
>>> +++ b/mercurial/help/config.txt
>>> @@ -1286,8 +1286,12 @@ The full set of options is:
>>>      push is not allowed. If the special value ``*``, any remote user can
>>>      push, including unauthenticated users. Otherwise, the remote user
>>>      must have been authenticated, and the authenticated user name must
>>> -    be present in this list. The contents of the allow_push list are
>>> -    examined after the deny_push list.
>>> +    be present in this list. It is also possible to use groups in this
>>> +    list. A group name is prefixed by an ``@``. Groups can either be
>>> +    groups defined in the ``groups_section`` or Unix groups. If a group
>>> +    from the ``groups_section`` has the same name as an Unix group it
>>> +    is used instead. The contents of the allow_push list are examined
>>> +    after the deny_push list.
>>>  
>>>  ``allow_read``
>>>      If the user has not already been denied repository access due to
>>> @@ -1297,8 +1301,12 @@ The full set of options is:
>>>      denied for the user. If the list is empty or not set, then access
>>>      is permitted to all users by default. Setting allow_read to the
>>>      special value ``*`` is equivalent to it not being set (i.e. access
>>> -    is permitted to all users). The contents of the allow_read list are
>>> -    examined after the deny_read list.
>>> +    is permitted to all users). It is also possible to use groups in
>>> +    this list. A group name is prefixed by an ``@``. Groups can either
>>> +    be groups defined in the ``groups_section`` or Unix groups. If a
>>> +    group from the ``groups_section`` has the same name as an Unix group
>>> +    it is used instead. The contents of the allow_read list are examined
>>> +    after the deny_read list.
>>>  
>>>  ``allowzip``
>>>      (DEPRECATED) Whether to allow .zip downloading of repository
>>> @@ -1366,8 +1374,13 @@ The full set of options is:
>>>      Whether to deny pushing to the repository. If empty or not set,
>>>      push is not denied. If the special value ``*``, all remote users are
>>>      denied push. Otherwise, unauthenticated users are all denied, and
>>> -    any authenticated user name present in this list is also denied. The
>>> -    contents of the deny_push list are examined before the allow_push list.
>>> +    any authenticated user name present in this list is also denied. It
>>> +    is also possible to use groups in this list. A group name is
>>> +    prefixed by an ``@``. Groups can either be groups defined in the
>>> +    ``groups_section`` or Unix groups. If a group from the
>>> +    ``groups_section`` has the same name as an Unix group it is used
>>> +    instead. The contents of the deny_push list are examined before the
>>> +    allow_push list.
>>>  
>>>  ``deny_read``
>>>      Whether to deny reading/viewing of the repository. If this list is
>>> @@ -1380,9 +1393,12 @@ The full set of options is:
>>>      deny_read and allow_read are empty or not set, then access is
>>>      permitted to all users by default. If the repository is being
>>>      served via hgwebdir, denied users will not be able to see it in
>>> -    the list of repositories. The contents of the deny_read list have
>>> -    priority over (are examined before) the contents of the allow_read
>>> -    list.
>>> +    the list of repositories. It is also possible to use groups in this
>>> +    list. A group name is prefixed by an ``@``. Groups can either be
>>> +    groups defined in the ``groups_section`` or Unix groups. If a group
>>> +    from the ``groups_section`` has the same name as an Unix group it is
>>> +    used instead. The contents of the deny_read list have priority over
>>> +    (are examined before) the contents of the allow_read list.
>>>  
>>>  ``descend``
>>>      hgwebdir indexes will not descend into subdirectories. Only repositories
>>> @@ -1400,6 +1416,30 @@ The full set of options is:
>>>  ``errorlog``
>>>      Where to output the error log. Default is stderr.
>>>  
>>> +``groups_section``
>>> +    Name of hgrc section used to define groups for authorization.
>>> +    Default is ``web.groups``. Use the section to define the groups used
>>> +    by authorization.
>>> +
>>> +    Example::
>>> +
>>> +        [web]
>>> +        allow_read = @devs
>>> +
>>> +        [web.groups]
>>
>> Minor nit: the dot could cause some confusion with the section.key notation,
>> so I'd call it simply "webgroups" (or even "usergroups").
> I've used the same notation used by the acl extension. It uses acl.allow and
> acl.deny for example. IMO this is a good design. One can see that this is a
> subsection of the web section.

Fair enough.

>>> +        devs = alice, bob, clara, david
>>> +
>>> +    Groups can contain other groups::
>>> +
>>> +        [web]
>>> +        allow_read = @devs, @testers
>>> +        allow_push = @devs
>>> +
>>> +        [web.groups]
>>> +        devs = alice, bob, clara, david
>>> +        ci = hudson
>>> +        testers = @ci, lisa, mario
>>
>> What about a different notation, similar to the [auth] section, supporting
>> per-group attributes:
>>
>>
>> [webgroups]
>>
>> devs.type = hgconfig
>> devs.members = alice, bob, clara, david
>>
>> # this would pull members from the same named unix group...
>> anotherteam.type = unix
>> # ...or perhaps explicitly:
>> # anotherteam.group = anotherteamunixgroup
>>
>> # the '@' marker would be fully optional then:
>> @ci.members = hudson
>> # @ci.type = hgconfig would be the default here
> I don't see the advantage of the explicit declaration in your solution.

It's mainly for extensibility: some of those "attributes" would be useful for
other group providers (they could specify an LDAP query, for instance). I
agree it's not particularly useful for plain config and Unix groups.

> The current implementation is simpler and therefore easier to understand.
> If it would be possible to "overwrite" Unix groups with groups created
> in hgrc this could cause some confusion.

But your implementation already allows that, since a group defined in
web.options overrides a same-named Unix group.

> The @ marker is again taken from the acl extension which is using it also
> for groups.
> 
>> Together with a bit more flexibility in the _ismember function below (that
>> could be implemented in a follow-up patch), additional group providers could
>> then be easily added through extensions (ldap comes to mind).
> The integration of LDAP or many other services can be easily done on Unix-based
> systems using PAM. I think it's easier to rely on PAM then implementing
> everything again in hgweb.

Possibly (that's the setup I have at work, fortunately), but hgweb works on
non-Unix platforms too.

Regards,
Wagner

> Regards
> 
> Markus

More information about the Mercurial-devel mailing list