Differences between revisions 1 and 11 (spanning 10 versions)
Revision 1 as of 2007-01-17 18:21:56
Size: 1174
Comment: Add ACL extension contents
Revision 11 as of 2010-04-03 10:48:46
Size: 1823
Editor: Elifarley
Comment: More details given. Added explanation about new feature: support for matching everyone (using an asterisk)
Line 3: Line 3:
'''This extension is currently being distributed along with Mercurial.'''

''Author: Vadim Gelfer''
Line 8: Line 11:
It's recommended that this extension is used with hg-ssh (a restricted shell for mercurial ssh access) to tighten security. It's recommended that this extension is used with [[SharedSSH#head-479a09967fe00153f64bf5fa08ae0b5ede15c388|hg-ssh]] (a restricted shell for Mercurial ssh access) to tighten security.
Line 18: Line 21:
pretxtnchangegroup.acl = python:hgext.acl.hook pretxnchangegroup.acl = python:hgext.acl.hook
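Review bot: the old key `pretxtnchangegroup.acl` has a transposed `tn`, and this is more than a cosmetic fix: Mercurial fires hooks by matching the `[hooks]` key name against the event name, and a key that matches no event is simply never run, so with the misspelling the ACL hook was never registered and every incoming changegroup went through unchecked. The corrected `pretxnchangegroup.acl = python:hgext.acl.hook` is right; after deploying it, confirm enforcement with a push that the deny list should reject rather than trusting the config by inspection.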
Line 24: Line 27:
[acl.deny]
# This list is checked first. If a match is found, 'acl.allow' won't be checked.
# if acl.deny not present, no users denied by default
# empty acl.deny = all users allowed
# Format for both lists: glob pattern = user4, user5
# To match everyone, use an asterisk for the user:
# my/glob/pattern = *

# user6 won't have write access to any file:
** = user6
Line 27: Line 41:

# User 'doc_writer' has write access to any file under the 'docs' folder:
Line 28: Line 44:

# Everyone will have write access to any file under the 'resources' folder (except for 'user6'. See 'acl.deny' above):
src/main/resources/** = *
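Review bot: the comment above `src/main/resources/** = *` nests a full stop inside the parenthesis ("(except for 'user6'. See 'acl.deny' above)"); it reads better as `(except 'user6', who is listed in 'acl.deny' above)`. Since the user wildcard is the feature this revision introduces, the comment should also say plainly that `*` grants every user who reaches the hook, which is why the deny-first rule is the only thing still keeping `user6` out of that folder.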
Line 30: Line 50:
[acl.deny]
# if acl.deny not present, no users denied by default
# empty acl.deny = all users allowed
glob pattern = user4, user5
** = user6
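Review bot: dropping the old block is the right call because its `glob pattern = user4, user5` line was meant as a format hint but was a live, uncommented entry, so anyone who copied the example verbatim got a deny rule for the literal pattern `glob pattern`, a confusing no-op that also hid the fact that `user4` and `user5` were not actually denied anything. The new revision keeps the hint as a `#` comment (`# Format for both lists: glob pattern = user4, user5`) above the real `** = user6` entry, which avoids that.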
Line 36: Line 51:

----
CategoryExtension

Acl Extension

This extension is currently being distributed along with Mercurial.

Author: Vadim Gelfer

1. Overview

The ACL extension lets you apply fine-grained access control to parts of a repository using deny and allow lists. These lists associate glob patterns with users. Furthermore, it can restrict incoming changes depending on their source (http, ssh, pull, push, bundle).

It's recommended that this extension is used with hg-ssh (a restricted shell for Mercurial ssh access) to tighten security.

2. Configuration

Below is an example configuration file (hgrc) provided with the sources. The acl lists use the pattern = user syntax, where pattern is a glob by default:

[extensions]
hgext.acl=

[hooks]
pretxnchangegroup.acl = python:hgext.acl.hook

[acl]
sources = serve        # check if source of incoming changes in this list
                       # ("serve" == ssh or http, "push", "pull", "bundle")

[acl.deny]
# This list is checked first. If a match is found, 'acl.allow' won't be checked.
# if acl.deny not present, no users denied by default
# empty acl.deny = all users allowed
# Format for both lists: glob pattern = user4, user5
# To match everyone, use an asterisk for the user:
# my/glob/pattern = *

# user6 won't have write access to any file:
** = user6

[acl.allow]
# if acl.allow not present, all users allowed by default
# empty acl.allow = no users allowed

# User 'doc_writer' has write access to any file under the 'docs' folder:
docs/** = doc_writer

# Everyone will have write access to any file under the 'resources' folder (except for 'user6'. See 'acl.deny' above):
src/main/resources/** = *

# Only 'release_engineer' may change the tags file, since no other allow entry matches it:
.hgtags = release_engineer
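To make the evaluation order concrete, here is a small stand-alone model of how the deny and allow lists in the configuration above are applied to a pushed changeset. It is an added illustration, not the code of hgext.acl itself: the glob translation (`**` crosses directory separators, `*` and `?` do not), the deny-before-allow order, the "absent allow list permits everyone, empty allow list permits nobody" rule, the `*` user wildcard and the `sources` filter all follow the comments in the example hgrc, and the sample hgrc text, user names and file paths used below are constructed for the demonstration.

```python
"""Model of the ACL hook's deny/allow evaluation (added illustration, not
hgext.acl's own code).  Semantics follow the page's example hgrc: [acl.deny]
is consulted first; an absent [acl.allow] permits everyone while an empty one
permits nobody; '*' as the user side matches everyone; only pushes whose
source is listed in [acl] sources are checked at all.
"""
import configparser
import re

# Constructed sample hgrc mirroring the page's example (comments omitted).
SAMPLE_HGRC = """
[acl]
sources = serve

[acl.deny]
** = user6

[acl.allow]
docs/** = doc_writer
src/main/resources/** = *
.hgtags = release_engineer
"""


def glob_to_regex(pattern):
    """Translate a Mercurial-style glob into an anchored regex.

    '**' matches across '/', while '*' and '?' stay within one path component.
    Assumption: this covers the glob subset used in the example configuration.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_acl(hgrc_text):
    """Return (sources, deny, allow).

    deny/allow are lists of (compiled pattern, set of users), or None when
    the section is absent; an empty list means the section exists but is empty.
    """
    cp = configparser.ConfigParser(delimiters=("=",), inline_comment_prefixes=("#",))
    cp.optionxform = str  # keep the glob pattern exactly as written
    cp.read_string(hgrc_text)

    def section(name):
        if not cp.has_section(name):
            return None
        return [(glob_to_regex(pat), {u.strip() for u in users.split(",")})
                for pat, users in cp.items(name)]

    sources = cp.get("acl", "sources", fallback="serve").split()
    return sources, section("acl.deny"), section("acl.allow")


def _matches(entries, user, path):
    """True when some entry covers both the path and the user ('*' = anyone)."""
    return any(rx.match(path) and ("*" in users or user in users)
               for rx, users in entries)


def check_push(acl, user, source, files):
    """Decide whether `user` may push a changeset touching `files` over `source`.

    Returns (ok, reason).  Every file must pass; deny wins over allow.
    """
    sources, deny, allow = acl
    if source not in sources:
        return True, "source %r is not subject to acl checks" % source
    for path in files:
        if deny and _matches(deny, user, path):
            return False, "acl: user %r denied on %r" % (user, path)
        if allow is not None and not _matches(allow, user, path):
            return False, "acl: user %r not allowed on %r" % (user, path)
    return True, "ok"


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_HGRC)
    for who, src, paths in [("user6", "serve", ["src/main/resources/a.xml"]),
                            ("doc_writer", "serve", ["docs/intro.txt"]),
                            ("doc_writer", "serve", ["docs/intro.txt", "src/x.py"]),
                            ("alice", "serve", [".hgtags"]),
                            ("alice", "pull", [".hgtags"])]:
        print(who, src, paths, "->", check_push(acl, who, src, paths))
```

The point the model makes visible is the one the comments only state: `user6` is rejected on `src/main/resources/` even though the allow list grants that folder to `*`, because the deny list is consulted first and the check stops there; and a changeset is judged file by file, so `doc_writer` adding one file outside `docs/` fails the whole push.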


CategoryExtension

AclExtension (last edited 2015-05-04 18:19:06 by DisplayName)