Mercurial subrepos and bitbucket accounts - mercurial

I have a team set up on bitbucket with multiple users, and I'm using the keyring extension for mercurial. I need to set up a subrepo, and in the .hgsub file I need to provide the url for the subrepo.
If I use https://bitbucket.org/team/subrepo then the user needs to authenticate each time they try to pull.
If I use https://userX.bitbucket.org/team/subrepo then each user will need to authenticate with userX's password.
If I use https://team.bitbucket.org/team/subrepo then each user will need the team's password.
Is there a way I can set it up so that the authentication can be saved using the keyring extension, but still have separate credentials for each user, without using ssh?

Yes, you can enter your authentication information into your config file. The documentation for this is here.
In the auth section of each user's config file you can enter the following details:
[auth]
bb.schemes = http https
bb.prefix = bitbucket.org/team
bb.username = userX
The bb part is just a tag to group the settings together - you can use what you like and you can have more than one set if you have more than one Mercurial server that you use.
The example settings say that all repositories whose URL starts with http://bitbucket.org/team or https://bitbucket.org/team should use the username userX. The keyring extension will take care of the password after that.

Related

mercurial ssl access allow pull BUT require authentication for push

I have set up a mercurial server through SSL. In the apache config file I have set up an authentication using a mysql database.
I would like everyone to be able to pull from the repository without credentials, but restrict the push right to authenticated users. The way it is done now either everyone is authenticated both for pull and push, or nobody is.
My apache configuration is this:
<Location /hg/repo>
    AuthType Basic
    AuthName "Repository Access"
    AuthBasicAuthoritative Off
    AuthUserFile /dev/null
    AuthMySQL On
    AuthMySQL_Authoritative On
    AuthMySQL_Host localhost
    AuthMySQL_DB repo
    AuthMySQL_User repo
    AuthMySQL_Password_Table users_auth_external
    AuthMySQL_Group_Table users_auth_external
    AuthMySQL_Username_Field username
    AuthMySQL_Password_Field passwd
    AuthMySQL_Group_Field groups
    AuthMySQL_Encryption_Types SHA1Sum
    Require group pink-image
    <LimitExcept GET>
        Require valid-user
    </LimitExcept>
</Location>
hg also requires authentication for the ssl pull, regardless of the LimitExcept switch.
Is there a way to limit the authentication only for pushing to the repository?
A simple http access would not be sufficient because if somebody is a developer she checks out the code through https.
SSH access is not possible because some of the developers have the ssh port forbidden by the firewall.
One of the solutions would be if hg would remember the https credentials.
Thank you for reading the question.
The authentication should be wrapped into the exception rule.
<Location /hg/repo>
    <LimitExcept GET>
        AuthType Basic
        AuthName "Repository Access"
        AuthBasicAuthoritative Off
        AuthUserFile /dev/null
        AuthMySQL On
        AuthMySQL_Authoritative On
        AuthMySQL_Host localhost
        AuthMySQL_DB repo
        AuthMySQL_User repo
        AuthMySQL_Password_Table users_auth_external
        AuthMySQL_Group_Table users_auth_external
        AuthMySQL_Username_Field username
        AuthMySQL_Password_Field passwd
        AuthMySQL_Group_Field groups
        AuthMySQL_Encryption_Types SHA1Sum
        Require group pink-image
    </LimitExcept>
</Location>
One of the solutions would be if hg would remember the https credentials.
It can remember the credentials for push and pull. Look under the auth section of hg help config if you don't mind adding the details to one of the config files (either the user's config or the repository clone's hgrc).
This would mean putting the password in the config file which you might not like so you could use the Mercurial Keyring Extension instead which stores the password more securely.
It turns out automatic credentials are not enough. The repository ought to be accessible through the web interface. However the same config file pops up an authentication dialog in the browser which makes the web interface unusable.
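A quick way to confirm that the moved LimitExcept block behaves as intended is to send two unauthenticated requests and compare the status codes: a GET (what a pull needs) should succeed, while a POST (what a push needs) should come back with a 401 challenge. The script below is an added example, not part of the question or answer; BASE_URL is a placeholder for your own repository URL, and the `send` parameter is injectable so the decision logic can be exercised without a server.

```python
"""Probe an hg-over-HTTPS repository: anonymous GET should work, anonymous
POST should be challenged. Added example; BASE_URL is a placeholder."""
import urllib.error
import urllib.request

BASE_URL = 'https://hg.example.invalid/hg/repo'   # placeholder, not from the page


def http_status(method, url):
    """Send one request with no credentials and return the HTTP status code."""
    data = b'' if method == 'POST' else None
    req = urllib.request.Request(url, data=data, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code          # 401/403 are the interesting answers here


def classify(get_status, post_status):
    """Map the two observed status codes onto the outcomes discussed in the thread."""
    if get_status == 401:
        return 'pull still requires authentication: auth directives are not limited to non-GET methods'
    if post_status != 401:
        return 'push is not challenged: anonymous POST got %d' % post_status
    return 'ok: anonymous pull allowed, push requires credentials'


def probe(base_url=BASE_URL, send=http_status):
    """Run both probes against the hg wire-protocol endpoints and classify the result."""
    repo = base_url.rstrip('/')
    get_status = send('GET', repo + '?cmd=capabilities')    # first request of every pull
    post_status = send('POST', repo + '?cmd=unbundle')      # the request that carries a push
    return classify(get_status, post_status)


if __name__ == '__main__':
    print(probe())
```

Run it against the real URL after reloading Apache; if the first line of output says that pull still requires authentication, the Auth* directives are still in effect for GET and the fix above was not applied to the right Location.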

Can't seem to get ACL to work with hgweb.wsgi

I have hgweb.wsgi setup on an ubuntu server under apache2. Furthermore I have basic authing using the apache2 htpasswd approach. This all works nicely. However, we want to control what each user has access to and ACL seems to be the best approach. So inside the repo's .hg folder I've created a hgrc and modified it according to the documentation for getting ACL up and running ( I've also enabled the extension ). The problem is I get no indication that the hgrc is used at all. If I add [ui] debug = true I still get nothing from the remote client. Sadly I'm not quite sure how to go about debugging this so any help would be much appreciated.
To make sure that a .hg/hgrc file in a repository is being consulted add something noticeable to the [web] section like:
[web]
description = Got this from the hgrc
style = coal
name = RENAMED
If you don't see those in the web interface your .hg/hgrc isn't being consulted, and the most common reason for that is -- permissions. Remember that the .hg/hgrc has to be owned by a user or group that is trusted by the webserver user (usually apache or www-data or similar). If apache is running under the user apache then chown the .hg/hgrc file over to apache for ownership -- root won't do and htpasswd user is irrelevant.
If that file is being consulted then you need to start poking around in the apache error logs. Turning on debug and verbose will put more messages into the apache error log, not into the remote client's output.
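The ownership rule in the answer above can be checked from the shell before digging through Apache logs. The script below is an added example, not Mercurial's own code: it approximates Mercurial's trust rule (a config file is honoured when its owner is the user running hg, or when its owner or group appears in the [trusted] users/groups lists, where '*' matches everyone) and reports why hgweb would skip a given .hg/hgrc. The web server account name 'www-data' is an assumption; pass your own.

```python
"""Check whether hgweb's account would trust a repository's .hg/hgrc.
Added example; the trust rule is an approximation of Mercurial's, not its code."""
import grp
import os
import pwd
import tempfile


def user_name(uid):
    """Owner name for a uid, falling back to the number when there is no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def is_trusted(path, running_uid=None, trusted_users=(), trusted_groups=()):
    """True if hg running as running_uid would read the config file at path."""
    st = os.stat(path)
    if running_uid is None:
        running_uid = os.getuid()
    if st.st_uid == running_uid:               # own files are always trusted
        return True
    if '*' in trusted_users or '*' in trusted_groups:
        return True
    return (user_name(st.st_uid) in trusted_users
            or group_name(st.st_gid) in trusted_groups)


def diagnose(repo_hgrc, web_user='www-data', trusted_users=(), trusted_groups=()):
    """Explain why hgweb ignores repo_hgrc, or confirm that it is trusted."""
    try:
        web_uid = pwd.getpwnam(web_user).pw_uid
    except KeyError:
        return 'unknown web server user %r' % web_user
    if is_trusted(repo_hgrc, web_uid, trusted_users, trusted_groups):
        return 'trusted: %s will be consulted by hgweb running as %s' % (repo_hgrc, web_user)
    owner = user_name(os.stat(repo_hgrc).st_uid)
    return ('ignored: %s is owned by %s, not %s; chown it to %s or add "%s" to '
            '[trusted] users in the server-wide hgrc'
            % (repo_hgrc, owner, web_user, web_user, owner))


def make_sample_hgrc():
    """Write a throwaway hgrc (owned by the current user) and return its path."""
    fd, path = tempfile.mkstemp(prefix='hgrc-')
    os.write(fd, b'[web]\ndescription = Got this from the hgrc\n')
    os.close(fd)
    return path


if __name__ == '__main__':
    import sys
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else make_sample_hgrc()))
```

Run it as `python check_trust.py /srv/hg/repo/.hg/hgrc` on the server; a file owned by root while Apache runs as www-data produces the "ignored" line, which is exactly the silent failure the question describes.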

Restricting "hg push" via hg-ssh for shared hosting

Would anyone know how I can restrict users from pushing to an hg repository if I give them access via hg-ssh?
Some details to help eliminate the obvious:
1) This is for a shared hosting situation where I don't have root access to install mercurial-server nor can I create the "hg" username that it requires.
2) When I allow a user to connect via SSH to a shared hosting site, they will basically have their public key in my authorized_keys file and they will be authenticated as me (i.e. they will have my credentials on the server). I can restrict their access to only a few hg repositories by specifying a "command=" clause in my authorized_keys file as documented here: https://www.mercurial-scm.org/repo/hg-stable/raw-file/tip/contrib/hg-ssh. However that gives the user full access to these repositories. Can I restrict this to pull-only access?
Any of these would solve my problem:
1) I know that mercurial-server solves this problem somehow because all the users there share the same user account called "hg". How do they do it? Can I do the same without root-access to set up things?
OR 2) Is there a patch that I can add to hg-ssh such that hg-ssh can take some permissions on its command-line. Something like "hg-ssh -read-only repo1 repo2 -read-write repo3".
OR 3) Get "hg -R {repo} serve --stdio" to take a command line option such that it will not allow push.
The quick and dirty way would be to tweak the command= value to be something like this:
command=hg-ssh --config hooks.pretxnchangegroup=false repo1 repo2
but that's just the AclExtension done sloppily.
mercurial-server gives you the simplest control over this. You can install it as a non-root user, but you have to take a little longer to understand how it works.
Use the AclExtension. It lets you block access for ssh actions as well as http actions, and since it's enabled/disabled by hooks you'll be able to bypass it when you're logged in interactively.
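Option 2) in the question and the "quick and dirty" answer can be combined into one small forced-command wrapper. The script below is an added example, not the stock hg-ssh script: it parses the `-read-only` / `-read-write` arguments the question imagines, accepts only the exact `hg -R <repo> serve --stdio` command that an hg client sends through SSH_ORIGINAL_COMMAND, and for read-only repositories injects the `hooks.pretxnchangegroup=false` setting from the answer so that every push transaction is rolled back. The repository names are constructed for the example.

```python
"""Forced-command wrapper: 'command="hg-ssh-ro -read-only repo1 repo2 -read-write repo3"'.
Added example, not contrib/hg-ssh; it reuses the hook trick from the answer above."""
import os
import shlex
import sys

# 'false' exits non-zero, so the pretxnchangegroup hook fails and hg rolls the push back
READ_ONLY_HOOK = 'hooks.pretxnchangegroup=false'


def parse_permissions(argv):
    """['-read-only', 'repo1', '-read-write', 'repo3'] -> {'repo1': 'ro', 'repo3': 'rw'}."""
    perms, mode = {}, None
    for arg in argv:
        if arg == '-read-only':
            mode = 'ro'
        elif arg == '-read-write':
            mode = 'rw'
        elif mode is None:
            raise ValueError('repository %r listed before -read-only/-read-write' % arg)
        else:
            perms[os.path.normpath(arg)] = mode
    return perms


def build_serve_command(original_command, perms):
    """Return the argv to exec for a legitimate serve request, or None to refuse it."""
    try:
        argv = shlex.split(original_command)
    except ValueError:                       # unbalanced quotes etc.
        return None
    # Only the exact shape an hg client sends is accepted; anything else is refused.
    if len(argv) != 5 or argv[:2] != ['hg', '-R'] or argv[3:] != ['serve', '--stdio']:
        return None
    repo = os.path.normpath(argv[2])         # '../x' stays '../x' and so fails the lookup
    mode = perms.get(repo)
    if mode is None:
        return None
    cmd = ['hg', '-R', repo]
    if mode == 'ro':
        cmd += ['--config', READ_ONLY_HOOK]  # command-line config wins over the repo's hgrc
    return cmd + ['serve', '--stdio']


def main():
    perms = parse_permissions(sys.argv[1:])
    cmd = build_serve_command(os.environ.get('SSH_ORIGINAL_COMMAND', ''), perms)
    if cmd is None:
        sys.stderr.write('Illegal command\n')
        sys.exit(255)
    os.execvp(cmd[0], cmd)


if __name__ == '__main__':
    main()
```

Pair it with `no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty` in the authorized_keys line, as the stock hg-ssh documentation recommends, so the key really is limited to the serve command.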

Store password in TortoiseHg

Is there a way to configure TortoiseHg to store my password?
I have a project hosted on Google Code that I access using TortoiseHg. Whenever I want to push changes to Google Code TortoiseHg prompts me for a username and password. Google Code requires me to use an auto-generated password, and it gets quite repetitive to look it up every time.
Both existing answers suggest storing your username and password unencrypted in plain-text, which is a bit of a no-no.
You should use the Keyring extension instead, as it has been specifically designed for securely saving authentication passwords. It already comes bundled with TortoiseHg, so all you have to do is activate it by writing the following in your mercurial.ini file:
[extensions]
mercurial_keyring=
You will also have to associate your username with the push url by editing your repository-specific .hg\hgrc file like in the example below:
[paths]
default = https://<your_username>@bitbucket.org/tortoisehg/thg
For more details on associating your username with the url, see the Repository Configuration (SMTP) section of the Keyring extension page.
Three steps, watch screenshot.
Note: This stores your password in plaintext.
Security warning
Although this answer is accepted as of 2017-09-15, it is not a recommended solution. You should never store your passwords in plain text. Use the mercurial_keyring extension instead. See another answer here.
You can change your push URL to https://username:password@hostname.com/repo.
This is explained in Google Code's and Mercurial's FAQs.
EDIT: Mercurial FAQ explains another way to do it:
With Mercurial 1.3 you can also add an auth section to your hgrc file:
[auth]
example.prefix = https://hg.example.net/
example.username = foo
example.password = bar
If you want to configure it via TortoiseHg, Repository Setting dialog is available.
After opening the dialog, please switch to 'Sync' tab.
You can add a path with HTTPS auth information.
http://tortoisehg.bitbucket.io/manual/2.9/settings.html#module-web.settings
Simply modify the hgrc file in the .hg directory of your local repository so it looks like this:
[paths]
default = https://name:password@yourproj.googlecode.com/hg/
where name is your Google Code login without the gmail/googlemail bit e.g. 'fredb' (not fredb@gmail.com), password is the Google-generated password, and yourproj is the name of your GC project. So something like:
default = https://fred:xyz123@fredproj.googlecode.com/hg/
This works for me using SSH. I know the password is in plain text, but this is not a problem in this project.
You have to change myUser and myPass to your credentials and the path to TortoisePlink.exe.
Edit the mercurial.ini
[reviewboard]
password = myPass
[ui]
username = myUser
ssh = "C:\Program Files\TortoiseHg\lib\TortoisePlink.exe" -l myUser -pw myPass
If you want to store the password in mercurial.ini and it doesn't work anymore after you upgrade to TortoiseHg 4.9 or higher a possible solution is to add the port to the prefix:
[auth]
tax.prefix = http://server:8080
tax.username = cerveser
tax.password = mypassword
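The bitbucket.org/team answer in the first thread and the two [auth] snippets in this thread all depend on the same lookup: Mercurial picks the [auth] group whose prefix best matches the URL being pushed to, then uses its username and either its stored password or the keyring extension. The script below is an added example, not Mercurial's own httpconnection code; it approximates that rule (scheme must be in the group's schemes, or be carried by the prefix itself; host and path must start with the prefix; the longest matching prefix wins) on a constructed config that combines the keyring-style entry from the first thread with the port-qualified entry above. Version-specific details of the real matcher, such as how the port boundary is treated, are not modelled.

```python
"""Resolve which [auth] group Mercurial would apply to a URL.
Added example; approximates Mercurial's matcher on a constructed config."""
import configparser

SAMPLE_HGRC = """
[auth]
bb.schemes = http https
bb.prefix = bitbucket.org/team
bb.username = userX

tax.prefix = http://server:8080
tax.username = cerveser
tax.password = mypassword
"""


def read_auth_groups(text):
    """Group the 'name.setting = value' keys of [auth] by group name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    groups = {}
    for key, value in cp.items('auth'):
        if '.' not in key:
            continue                       # hg warns about and ignores such keys
        name, setting = key.rsplit('.', 1)
        groups.setdefault(name, {})[setting] = value
    return groups


def auth_for_uri(groups, uri):
    """Return (group name, settings) for the longest matching group, or None."""
    scheme, _, hostpath = uri.partition('://')
    best, best_len = None, -1
    for name, auth in groups.items():
        prefix = auth.get('prefix')
        if not prefix:
            continue
        if '://' in prefix:                # a scheme inside the prefix pins the scheme
            pscheme, prefix = prefix.split('://', 1)
            schemes = [pscheme]
        else:
            schemes = (auth.get('schemes') or 'https').split()
        if scheme not in schemes:
            continue
        if prefix != '*' and not hostpath.startswith(prefix):
            continue
        if len(prefix) > best_len:         # most specific prefix wins
            best, best_len = (name, auth), len(prefix)
    return best


def describe(groups, uri):
    """Say where the credentials for uri would come from."""
    match = auth_for_uri(groups, uri)
    if match is None:
        return 'no [auth] entry: hg prompts for username and password'
    name, auth = match
    if 'password' in auth:
        return '%s: user %s, password read from the config file' % (name, auth['username'])
    return '%s: user %s, password from the keyring extension or a prompt' % (name, auth['username'])


if __name__ == '__main__':
    g = read_auth_groups(SAMPLE_HGRC)
    for url in ('https://bitbucket.org/team/subrepo', 'http://server:8080/repo', 'https://server:8080/repo'):
        print(url, '->', describe(g, url))
```

The third URL in the usage loop shows the trap behind the port-in-prefix answer: `tax.prefix` carries `http://`, so an `https://` push to the same host matches nothing and hg falls back to prompting.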

Specifying a per-repository hgrc file

I'm setting up a centrally hosted Mercurial repository. I would like to be able to define only a small set of users that are able to access that repository (maybe 3 or 4) - what do I need to write in the .hg/hgrc file in order to make it work like this?
thanks, P
Mercurial doesn't provide a user authentication system -- that has to come from something else. However, it does provide an authorization system that uses the "who" answer from the external authentication system to decide what that "who" can do.
Popular external authentication systems include:
HTTP authentication as provided by your web server (Apache, etc.)
SSH authentication as provided by sshd
file system level user authentication as provided by your operating system
Note: hg serve does not have an authentication system, so it's not usable w/ per-user access controls
Accessing Mercurial (either its web interface or its command line interface) through one of those systems, properly configured, provides Mercurial with the answer to "who?".
Once Mercurial learns who is making the request then the allow_push and allow_read settings in the repository's .hg/hgrc file will determine what that who can do.
So the how of setting this up depends on what means of access you're using, which is what Callahad was asking.
If you are sharing the repository through the Mercurial web interface, then read the Web interface configuration section of the hgrc man page.
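To make the allow_push / allow_read step concrete, the script below evaluates hgweb's authorization decision for a given "who". It is an added example, not hgweb's own code; it follows the documented semantics (deny_read / deny_push are checked first, an unset allow_read means everyone may read, an unset allow_push means nobody may push, '*' matches everyone, and push_ssl, on by default, requires https for pushes). The [web] section and the user names are constructed for the example.

```python
"""Evaluate hgweb's allow_*/deny_* decision for a user and operation.
Added example; mirrors the documented semantics, not hgweb's code."""
import configparser

SAMPLE_WEB_HGRC = """
[web]
allow_read = alice, bob, carol
allow_push = alice, bob
deny_push = carol
"""


def read_web(text):
    """Return the [web] section as a plain dict (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp.items('web')) if cp.has_section('web') else {}


def as_list(value):
    """hg list values may be separated by commas and/or whitespace."""
    return value.replace(',', ' ').split() if value else []


def is_member(user, allowlist):
    return user in allowlist or '*' in allowlist


def authorize(web, user, op, scheme='https', method='POST'):
    """Return 'ok' or the reason for refusal; op is 'pull' or 'push', user may be None."""
    deny_read = as_list(web.get('deny_read', ''))
    if deny_read and (not user or is_member(user, deny_read)):
        return 'read not authorized'
    allow_read = as_list(web.get('allow_read', ''))
    if allow_read and (not user or not is_member(user, allow_read)):
        return 'read not authorized'          # an allow list with no "who" denies everyone
    if op == 'pull':
        return 'ok'
    if method != 'POST':
        return 'push requires POST request'
    push_ssl = web.get('push_ssl', 'true').lower() in ('1', 'true', 'yes', 'on')
    if push_ssl and scheme != 'https':
        return 'ssl required'                 # credentials must not travel in clear
    deny_push = as_list(web.get('deny_push', ''))
    if deny_push and (not user or is_member(user, deny_push)):
        return 'push not authorized'
    allow_push = as_list(web.get('allow_push', ''))
    if not (allow_push and is_member(user, allow_push)):
        return 'push not authorized'          # nobody may push unless explicitly listed
    return 'ok'


if __name__ == '__main__':
    web = read_web(SAMPLE_WEB_HGRC)
    for who in ('alice', 'carol', 'dave', None):
        print(who, 'pull:', authorize(web, who, 'pull'), '| push:', authorize(web, who, 'push'))
```

Note the asymmetry in the defaults: with nothing configured an anonymous client can pull but nobody can push, which is why a repository exposed through hgweb is read-only until allow_push is set and the web server supplies a user name.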