ACLs and hgweb?

Ezra.Smith at bentley.com Ezra.Smith at bentley.com
Wed Feb 27 14:50:16 CST 2008


From: Jeff Abbott [mailto:fdiv_bug at sniping.org] 
Sent: Wednesday, February 27, 2008 3:25 PM
To: Ezra Smith
Cc: mercurial at selenic.com
Subject: Re: ACLs and hgweb?

> Heya, Ezra!  Thanks for the feedback!

Ezra.Smith at bentley.com wrote:

> > We're running on a Windows network here, and we've found that the best
> > way to integrate Mercurial with our current access control setup was to
> > use filesystem permissions and repository hooks. Hgweb already works
> > well with filesystem permissions by default. If a user can't read a
> > directory, it doesn't show up on the web interface.

> Really?  How does that work?  At least with Apache on Linux, the hgweb
> script is running as the Apache user, not as the logged-in user.  Are
> you using NTLM authentication with IIS, or some such?

Ah, yeah, we are using NTLM with IIS. Basic or Digest authentication
would suit our purposes as well, but NTLM was a goal because it's
convenient to do passwordless authentication after logging in once, and
people are already used to it from CVSNT.

In any case, I suppose things do get trickier for you if you can't make
the cgi process run as the authenticated user.

> > To handle pushes and pulls more elegantly, we wrote some Python scripts
> > that get called from prechangegroup and preoutgoing hooks. For any user
> > trying to push/pull/clone a repository, a hook will find out what groups
> > the user belongs to, match it against groups that have read or write
> > access to the repository, and proceed accordingly.

> I was also looking into hooks, and I found no clear way to identify the
> location which was being pulled from, or the REMOTE_USER setting.  Am I
> missing something?

An external hook (not an in-process one, mind you) is run with the
target repository as its working directory, so our scripts start by
checking that. As for the user who is doing the pull...this one stems
from the cgi-process-runs-as-the-user thing again. The hook will be run
with the name/permissions of whoever is authenticated to the web server
and is accessing the repository, so we check who the hooks are running
as. 

> > It's really easy to work with now that we have it set up. To change a
> > repository's access controls, all we have to do is change its
> > permissions in the filesystem, and that lets us control everything with
> > ActiveDirectory groups.

> This sounds pretty ideal, frankly, but I guess I'm doing something wrong
> with regards to how I'm trying to implement it here because it doesn't
> seem to work for me the way it works for you.  :-\

> Thanks,
> Jeff
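
The hook behaviour described in the message above (an external hook that starts in the target repository and decides based on the identity it runs as), as an added example; it is not the poster's scripts. The group and ACL tables, the paths, the script name and the hgrc wiring in the comments are constructed assumptions standing in for Active Directory groups and filesystem permissions.

```python
import getpass
import os
import sys

# Constructed sample data: in the setup described above, group membership and
# repository permissions would come from Active Directory and filesystem ACLs.
USER_GROUPS = {
    "alice": {"dev-core", "staff"},
    "bob": {"staff"},
}
REPO_ACL = {
    "/srv/hg/core": {"read": {"staff"}, "write": {"dev-core"}},
}


def is_allowed(repo, user, mode, user_groups=USER_GROUPS, repo_acl=REPO_ACL):
    """Return True only if one of the user's groups grants `mode` on `repo`."""
    if mode not in ("read", "write"):
        return False                      # unknown mode: fail closed
    acls = {os.path.normpath(p): a for p, a in repo_acl.items()}
    acl = acls.get(os.path.normpath(repo))
    if acl is None:
        return False                      # repository with no ACL entry: deny
    groups = user_groups.get(user.lower(), set())
    return bool(groups & acl.get(mode, set()))


def main(argv):
    # Assumed hgrc wiring (hypothetical script name acl_hook.py):
    #   [hooks]
    #   prechangegroup.acl = python /path/to/acl_hook.py write
    #   preoutgoing.acl    = python /path/to/acl_hook.py read
    mode = argv[1] if len(argv) > 1 else ""
    repo = os.getcwd()          # external hooks run with the repo as cwd
    # getpass.getuser() consults environment variables first; a production
    # hook should ask the OS for the identity of the running process instead.
    user = getpass.getuser()
    if is_allowed(repo, user, mode):
        return 0
    sys.stderr.write("acl: %s denied %s access to %s\n" % (user, mode, repo))
    return 1                    # non-zero exit makes Mercurial abort


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This only identifies the real user when the web server runs the CGI process as the authenticated account, as in the NTLM/IIS setup discussed above; under a shared service account every request would resolve to the same user.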


