Differences between revisions 12 and 13
Revision 12 as of 2010-04-03 10:54:28
Size: 2028
Editor: Elifarley
Comment:
Revision 13 as of 2010-04-20 13:50:24
Size: 2223
Editor: Elifarley
Comment:
Deletions are marked like this. Additions are marked like this.
Line 15: Line 15:
Below is an example configuration file (hgrc) provided with the sources. The acl lists use the pattern = user syntax, where pattern is a glob by default. : Below is an example configuration file (hgrc). The acl lists use the pattern = user syntax, where pattern is a glob by default. :
Line 21: Line 21:
# You can have ACL checks active at commit time, at push time, or both.

# Activates ACL at push time:
Line 23: Line 26:
# Activates ACL at commit time:
pretxncommit.acl = python:hgext.acl.hook
Line 24: Line 30:
# This is only checked at push time:

Acl Extension

This extension is currently being distributed along with Mercurial.

Author: Vadim Gelfer

1. Overview

The ACL extension lets you have fine grained access control to parts of a repository using deny and allow lists. These lists associate glob patterns to users. Furthermore, it can restrict changes depending on its source (http, ssh, pull, push, bundle).

It's recommended that this extension is used with hg-ssh (a restricted shell for Mercurial ssh access) to tighten security.

2. Configuration

Below is an example configuration file (hgrc). The acl lists use the pattern = user syntax, where pattern is a glob by default. :

[extensions]
hgext.acl=

[hooks]
# You can have ACL checks active at commit time, at push time, or both.

# Activates ACL at push time:
pretxnchangegroup.acl = python:hgext.acl.hook

# Activates ACL at commit time:
pretxncommit.acl = python:hgext.acl.hook

[acl]
# This is only checked at push time:
sources = serve        # check if source of incoming changes in this list
                       # ("serve" == ssh or http, "push", "pull", "bundle")

[acl.deny]
# This list is checked first. If a match is found, 'acl.allow' won't be checked.
# if acl.deny not present, no users denied by default
# empty acl.deny = all users allowed
# Format for both lists: glob pattern = user4, user5
# To match everyone, use an asterisk for the user:
# my/glob/pattern = *

# user6 won't have write access to any file:
** = user6

# Nobody will be able to change 'DONT-TOUCH-THIS.txt', despite everyone being able to change all other files. See below.)
src/main/resources/DONT-TOUCH-THIS.txt = *

[acl.allow]
# if acl.allow not present, all users allowed by default
# empty acl.allow = no users allowed

# User 'doc_writer' has write access to any file under the 'docs' folder:
docs/** = doc_writer

# Everyone (except for 'user6'. See 'acl.deny' above) will have write access to any file under the 'resources' folder (except for 1 file. See 'acl.deny'):
src/main/resources/** = *

.hgtags = release_engineer


CategoryExtension

AclExtension (last edited 2015-05-04 18:19:06 by DisplayName)