Current state of the art in sharing repositories via SSH

Tom Anderson tom.anderson at e2x.co.uk
Tue Jun 28 13:40:34 CDT 2011


Hello!

Firstly, apologies if this is a FAQ, or has been discussed recently.
If so, point me in the right direction and tell me to get lost.

I work for a software company that is considering moving a smallish
project (~20 developers) to Mercurial. Or Git. I'm gently arguing for
Mercurial. FWIW, all our machines run Linux.

We're interested in having a central repository which everyone can
push to, in the normal boring way of small commercial software
projects. We're interested in having access control, so we can, for
example, restrict write access to release branches to the release
team.

I'm assuming we should be looking at SSH-based, rather than
HTTP-based, access for this. Does that sound reasonable?

I've read:

http://mercurial.selenic.com/wiki/PublishingRepositories
http://mercurial.selenic.com/wiki/SharedSSH

And i see that my options are having an OS user for each person, or
having a single OS user, and sharing it. Our machines are managed by
an infrastructure team that is only partially part of our team; it
would be really nice not to require their involvement in managing our
repository, so i lean towards a shared SSH solution.

I like the look of the ACL extension - it's built-in, which is
convenient, and i assume is some sort of mark of quality, and it seems
pretty powerful. However, am i right in thinking that it requires the
use of separate OS users?

I looked at hg-ssh, hg-login, and hg-gateway, and it seems they either
don't have access control at a grain finer than whole repositories, or
require you to write shell scripts to get it. mercurial-server,
however, looks pretty good - the same as the ACL extension in power.

Are there any other options i should consider?

It seems a shame that the ACL extension can't be used with a shared
account. I've had a look at the code, and it looks like it wouldn't be
that hard to make it possible (famous last words). There's a bit in
the main hook() function that says:

    user = None
    if source == 'serve' and 'url' in kwargs:
        url = kwargs['url'].split(':')
        if url[0] == 'remote' and url[1].startswith('http'):
            user = urllib.unquote(url[3])

    if user is None:
        user = getpass.getuser()

A couple of lines in there could look for some sort of effective
username defined somewhere, and if it's set, use it. The easiest way
to do that would be to have a special config property - or perhaps
even ui.username - which gets set with a --config flag to Mercurial by
the shared account script. Obviously you'd want some sort of master
switch to enable that - otherwise it would be a gaping hole in the
security of ACLs when used not through a shared account! It would be a
way to have something as powerful as mercurial-server, using exactly
the same code as for individual accounts (so bringing consistency and
parsimony), and requiring only a very simple shared account script.
Does this seem like a feasible idea? if so, i'd be happy to spend some
time on it and contribute it back.

Thanks,
tom

-- 
Tom Anderson         |                e2x Ltd, 1 Norton Folgate, London E1 6DB
(e) tom at e2x.co.uk    |    (m) +44 (7960) 989794    |    (f) +44 (20) 7100 3749


More information about the Mercurial mailing list