Controlling access via hgweb.config - mercurial

I would like to be able to control access to some mercurial repositories on my server. I thought an easy solution would be to have all limited users have a username that ends with "_external". I would then change the deny_push and deny_read on some .hgrc files to give them access as needed. I set up my hgweb.config file like below, but the deny_push and deny_read lines are ignored. Is this the correct syntax? Is there a better way to accomplish my goal (I looked into Rhodecode, but it seems to be pretty crashy on Windows).
[web]
style = gitweb
baseurl = /hg
allow_push = *
push_ssl = false
deny_push = *_external
deny_read = *_external

The best option you have is to set up a list with the usernames:
allow_push = user1, user2
deny_push = user3, user5
deny_read = user4
The problem with your syntax is that you are first allowing push for everybody and then trying to limit the users.

mercurial-server can do this for you. This means connecting to your repository over ssh rather than over http, and authenticating using ssh keypairs, but in my experience that's far more convenient anyway.

Related

hgweb: display different repositories to different users?

I'd like to host two different sets of private repositories off the same server/vhost, and have users see one set or another depending on their credentials.
Is there an easier way of doing this than hosting two separate hgweb instances with separate user accounts and config files?
Technically, nothing prevents you from having this line:
allow_read = user1 user2 user3
in .hg/hgrc of half of your repos, and:
allow_read = user4 user5 user6
in the other half. Even to see the repo in the list, the user has to be in the allow_read list.
However, managing this can prove cumbersome.
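The evaluation order behind both the hgweb.config question above and the per-repository allow_read lists in this answer is easy to get wrong, so here is an added example (my own code, not from the answers or from Mercurial itself) that models how hgweb checks the [web] lists: the deny list is consulted first and wins outright, push is refused unless an allow_push list names the user, read is permitted unless an allow_read list excludes the user, and an entry is special only when it is a bare `*` on its own. Everything else is compared literally against the authenticated username, which is why an entry such as `*_external` matches nobody. The two config sections are constructed from the question and the answer; `suspicious_entries` is a check I added to flag entries that look like patterns.

```python
import re

# Constructed from the thread: the questioner's [web] section, then the
# explicit per-user lists suggested in the answer.
QUESTIONERS_WEB = {
    "allow_push": "*",
    "deny_push": "*_external",
    "deny_read": "*_external",
}

EXPLICIT_WEB = {
    "allow_push": "user1, user2",
    "deny_push": "user3, user5",
    "deny_read": "user4",
}


def configlist(section, key):
    """Split a list-valued hgrc option on commas and whitespace, like ui.configlist."""
    raw = section.get(key, "")
    return [item for item in re.split(r"[,\s]+", raw) if item]


def ismember(user, userlist):
    """hgweb's membership test: a list consisting of the single entry '*' matches
    everyone; otherwise the username must appear in the list verbatim."""
    return userlist == ["*"] or user in userlist


def check(section, op, user):
    """Return True if `user` (None for an unauthenticated request) may perform
    `op`, which is 'read' or 'push'. Order mirrors hgweb's checkauthz."""
    deny = configlist(section, "deny_" + op)
    # Deny is evaluated first; a non-empty deny list also blocks anonymous users.
    if deny and (not user or ismember(user, deny)):
        return False
    allow = configlist(section, "allow_" + op)
    if op == "push":
        # Push is closed by default: some allow_push list has to name the user.
        return bool(allow) and ismember(user, allow)
    # Read is open by default and only narrowed by an allow_read list.
    return (not allow) or ismember(user, allow)


def suspicious_entries(section):
    """Flag entries that look like glob patterns. Only a bare '*' is special,
    so something like '*_external' silently matches no one."""
    flagged = []
    for key in ("allow_read", "deny_read", "allow_push", "deny_push"):
        for entry in configlist(section, key):
            if entry != "*" and any(ch in entry for ch in "*?["):
                flagged.append((key, entry))
    return flagged


if __name__ == "__main__":
    for who in ("bob_external", "alice"):
        print(who, "push:", check(QUESTIONERS_WEB, "push", who),
              "read:", check(QUESTIONERS_WEB, "read", who))
    print("pattern-looking entries:", suspicious_entries(QUESTIONERS_WEB))
```

Running it shows that with the questioner's section every authenticated user, `bob_external` included, can both read and push, while the explicit lists behave as the answer describes; the same `check` applies unchanged to an `allow_read` line placed in a repository's own `.hg/hgrc`.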

Mercurial hg serve multiple repositories

I am setting up a central mercurial server, and want to host multiple repositories. Every web page I look at about this says to set up a config file that looks like this:
[collections]
repos/ = repos/
Where /repos is the folder and /repos is the path to use in the URL.
My question is which /repos is which??? I may want to use a name that is not the same as the path, as in:
[collections]
A/ = B/
Is A the physical path or the url path? Such a simple question you would think would have been answered, but I could not find any nontrivial examples.
Ok, I got it. This is on Windows, and here is everything that I need in the hg.conf file:
[paths]
foo = C:\Data\repositories-hg/foo-hg
bar = C:\Data\repositories-hg/bar-hg
This lets me access the repo at the location C:\Data\repositories-hg/foo-hg as:
http://server:8000/foo
Therefore A is the url alias and B is the physical path. There's of course more to set up, but this accomplishes what I need for now.

How to make hgweb display repositories in a hierarchy?

I have about 100 Mercurial repositories served by hgweb. The repositories are stored in a folder hierarchy, but hgweb displays the structure in a "flat" manner. This doesn't scale. Is there a way to display the repositories in a tree-like hierarchy instead?
I like to organize my repos by type; this is what my hgweb config looks like:
[web]
baseurl =
[paths]
/apps = /var/hg/apps/*
/config = /var/hg/config/*
/design = /var/hg/design/*
/music = /var/hg/music/*
/projects = /var/hg/projects/*
/scripts = /var/hg/scripts/*
You can also use ** to make it display directories recursively.
[paths]
/ = /var/hg/**
Check out the docs for other details/options: http://www.selenic.com/mercurial/hgrc.5.html#web.
You might also be interested in RhodeCode which is a more feature-rich web interface for mercurial.
I'm not sure if this was an option at the time of the question, but there's now an option that enables descending into directories.
[web]
descend = True
You then have two options for how to configure your paths. If you specify a path with a single asterisk, it will descend into subdirectories until it finds repositories.
[paths]
/ = /var/hg/*
If you specify a path with two asterisks, it will also descend into repositories to see if there are nested repositories or subrepositories.
[paths]
/ = /var/hg/**
You can find more details on the Mercurial wiki at PublishingRepositories.
(It sounds as if you may also be looking to have the hierarchy displayed in a tree-like fashion. This solution only impacts which repositories will be detected. It will not change how they are displayed. I'm not aware of any built-in way to accomplish a hierarchical display.)
I had the same problem, and I solved it by enabling the collapse option:
[web]
collapse = yes
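To make the single-asterisk and double-asterisk forms of a [paths] entry concrete, here is an added example (my own code, not from the answers or from hgweb) that builds a small constructed repository tree in a temporary directory and expands a [paths] section the way the answers describe: `/*` descends until it reaches a repository and stops there, while `/**` keeps going inside repositories and therefore also publishes nested ones. The resulting mapping is what a reviewer would want to inspect before exposing a tree, since `**` can surface repositories that were never meant to be served. Directory names such as `apps/foo/vendor/lib` are invented for the demonstration.

```python
import os
import tempfile


def is_repo(path):
    """A directory is a Mercurial repository if it contains a .hg directory."""
    return os.path.isdir(os.path.join(path, ".hg"))


def find_repos(root, recurse_into_repos):
    """Return repository directories under root. With recurse_into_repos False
    (the '/*' form) the walk stops at each repository it finds; with True
    (the '/**' form) it also looks inside repositories for nested ones."""
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if d != ".hg")
        if is_repo(dirpath):
            found.append(dirpath)
            if not recurse_into_repos:
                dirnames[:] = []  # prune: do not descend into this repository
    return found


def expand_paths(paths):
    """Expand an hgweb-style [paths] section ({virtual prefix: real pattern})
    into a {virtual name: real repository path} mapping."""
    mapping = {}
    for prefix, pattern in paths.items():
        if pattern.endswith("/**"):
            root, recurse = pattern[:-3], True
        elif pattern.endswith("/*"):
            root, recurse = pattern[:-2], False
        else:
            # No glob: the entry names exactly one repository.
            mapping[prefix.strip("/")] = pattern
            continue
        prefix = prefix.strip("/")
        for repo in find_repos(root, recurse):
            rel = os.path.relpath(repo, root).replace(os.sep, "/")
            name = "/".join(p for p in (prefix, rel) if p and p != ".")
            mapping[name] = repo
    return mapping


def build_sample_tree():
    """Create a constructed tree: two top-level repositories, one nested
    repository inside apps/foo, and one plain directory that is not a repo."""
    base = tempfile.mkdtemp(prefix="hgweb-demo-")
    for rel in ("apps/foo", "apps/foo/vendor/lib", "projects/bar"):
        os.makedirs(os.path.join(base, rel, ".hg"))
    os.makedirs(os.path.join(base, "apps", "notes"))
    return base


if __name__ == "__main__":
    base = build_sample_tree()
    for form in ("/*", "/**"):
        print(form, sorted(expand_paths({"/": base + form})))
    print("by type", sorted(expand_paths({"/apps": base + "/apps/*",
                                          "/projects": base + "/projects/*"})))
```

The `/*` expansion lists `apps/foo` and `projects/bar`; the `/**` expansion additionally lists `apps/foo/vendor/lib`. As the answers note, this only determines which repositories are detected and what their virtual names are; how hgweb renders the index is a separate matter.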

samba activity as nobody despite guest account setting

I'm setting up samba on linux for single user access from Windows, and need to prevent password checking. I've added my linux username to smbpasswd. Despite the guest account setting in my smb.conf, files I create are owned by user nobody. How do I get samba to operate as my user id?
smb.conf:
[global]
security = share
guest account = liam
...
[goodstuff]
path = /home/liam
read only = no
guest only = yes
guest ok = yes
If this is a FAQ, apologies; I looked and looked for the answer.
This seems to be a common problem; for me it currently does NOT work if I have it in the share's section, but it works if it is in the global section. This is my share's definition:
[RepoDrive]
comment = USB drive
path = /shr
read only = No
create mask = 0777
directory mask = 0777
guest only = Yes
guest ok = Yes
browseable = No
According to the Samba manual, specifying guest account for the share SHOULD be okay and this is how it SHOULD be done... IMO, Samba has a LOT of issues. Note that if you want to find out as which user you are acting when you are a guest, make sure you have write permissions and create a folder, then you can check out the folder's owner, and this will be the user that samba used. For me, it is "nobody" (the default) if I specify the guest account in the share section.
Note that smbpasswd has nothing to do with these user definitions.
If all else fails, try to use testparm (you need sudo apt-get install samba-common-bin in order to get it). It will show you which parameters of your configuration are actually effective, and detect any irrelevant/incorrect parameters (it eliminates settings that you set to the default value, and rewrites synonyms, e.g. writeable = yes will become read only = no because these are antonyms).
The problem turns out to be
guest only = yes
With that removed, activity happens as the guest account user id.
The solution for me was to add "guest account = accountname" to the share instead of the [global] part.

how do you make use of AclExtension and mercurial-server/hg-ssh?

mercurial-server manages user database under keys folder. Users and groups are represented by files and folders.
AclExtension relies on linux user group through ssh.
They don't seem to match. Or did I miss something?
I have managed to make mercurial-server work, but just don't see how to integrate AclExtension with it so I may have finer grained access control.
Unfortunately, the AclExtension does key its access off of usernames. If you are creating separate UNIX user accounts for each user with hg-ssh you've got everything you need, but if all of your ssh users are using the same Unix user account then the AclExtension isn't going to work for you.
Unless...
I did just look into the acl.py file and it looks like it uses the getpass.py module's getuser which checks the environment for the user name using this code:
for name in ('LOGNAME', 'USER', 'LNAME', 'USERNAME'):
    user = os.environ.get(name)
    if user:
        return user
so it might be possible to fake that out by setting an environment variable in the hg-ssh user's authorized_keys file like this:
command="hg-ssh path/to/repo" environment="LOGNAME=fakeusername" ssh-dss ...
where then you could put fakeusername in ACL rules, and could have a different fakeusername for each key, all running under the same UNIX account.
BTW: Everyone seems to just use hg-ssh alone, I never see the (non-official) mercurial-server app used anymore.
The environment trick doesn't seem to work on my Solaris box; my solution was to pass in the fakeusername as a parameter to hg-ssh and have that set os.environ['LOGNAME'] so that getpass sees it.
command="hg-ssh fakeusername" ssh-dss ...
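As an added example (my own code, not the hg-ssh script or anything from the answers), the following shows the mechanism the last two answers rely on: the identity the ACL extension sees comes from getpass.getuser(), which consults LOGNAME before USER, so a wrapper that sets LOGNAME from the name in the key's forced command overrides the shared account name that sshd puts in USER. The authorized_keys line and the names `alice` and `hg` are constructed; `assume_identity` is a hypothetical version of the step the answer describes, with a character whitelist added so a key line can only ever assign a well-formed name.

```python
import getpass
import os
import re
import shlex

# Names that may be handed to the ACL extension: letters, digits, '_', '.', '-'.
VALID_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def forced_identity_from_key_line(line):
    """Extract USERNAME from an authorized_keys entry whose forced command is
    'hg-ssh USERNAME'. Returns None when there is no such forced command."""
    match = re.search(r'command="([^"]*)"', line)
    if not match:
        return None
    argv = shlex.split(match.group(1))
    if len(argv) < 2 or os.path.basename(argv[0]) != "hg-ssh":
        return None
    return argv[1]


def is_acceptable_identity(name):
    """True if the name is safe to expose to ACL rules as a username."""
    return bool(VALID_NAME.match(name))


def assume_identity(name):
    """What a modified hg-ssh would do before dispatching to hg: validate the
    name, then set LOGNAME so that getpass.getuser() returns it."""
    if not is_acceptable_identity(name):
        raise ValueError("refusing to use identity %r" % name)
    os.environ["LOGNAME"] = name
    return name


def acl_identity():
    """The username the ACL extension would key its rules on."""
    return getpass.getuser()


def demonstrate(shared_account, forced_name):
    """Simulate a login as the shared account (USER set, LOGNAME absent), then
    apply the forced identity. Returns (identity before, identity after)."""
    os.environ["USER"] = shared_account
    os.environ.pop("LOGNAME", None)
    before = acl_identity()
    assume_identity(forced_name)
    return before, acl_identity()


if __name__ == "__main__":
    # Constructed authorized_keys entry; the key material is a placeholder.
    key_line = 'command="hg-ssh alice",no-port-forwarding,no-pty ssh-dss AAAA...placeholder... alice@example'
    name = forced_identity_from_key_line(key_line)
    print("forced identity from key line:", name)
    print("before/after:", demonstrate("hg", name))
```

Two practical points follow from this. First, the `environment="LOGNAME=..."` form in authorized_keys is honoured by OpenSSH only when sshd_config sets `PermitUserEnvironment yes`, which is off by default; that alone can explain why the environment trick works on one host and not another, and it is why passing the name as an argument to the forced command is the more portable approach. Second, whichever way the name is injected, it comes from a line the administrator wrote in authorized_keys, so a key holder can only ever act as the name bound to their own key; the validation step above just ensures that name is well-formed before ACL rules are matched against it.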