I'm setting up a centrally hosted Mercurial repository. I would like to be able to define only a small set of users that are able to access that repository (maybe 3 or 4) - what do I need to write in the .hg/hgrc file that in order to make it work like this?
thanks, P
Mercurial doesn't provide a user authentication system -- that has to come from something else. However, it does provide an authorization system that uses the "who" answer from the external authentication system to decide what that "who" can do.
Popular external authentication systems include:
HTTP authentication as provided by your web server (Apache, etc.)
SSH authentication as provided by sshd
file system level user authentication as provided by your operating system
Note: hg serve does not have an authentication system, so it's not usable w/ per-user access controls
Accessing mercurial (either its web interface or its command line interface) through one of those systems, properly configured, provided mercurial with the answer to "who?".
Once Mercurial learns who is making the request then the allow_push and allow_read settings in the repository's .hg/hgrc file will determine what that who can do.
So the how of setting this up depends on what means of access you're using, which is what Callahad was asking.
If you are sharing the repository through the Mercurial web interface, then read the Web interface configuration section of the hgrc man page.
Related
I have a centos server with code maintained using a mercurial repo.
To allow a new person to commit code to mercurial, I create a new user, add them to the webdev group, and they can push / pull code by
hg pull ssh://name#server.com.
However, there are some files (config files) that I would not like new users to have access to. Mercurial has been asked not to track these files, so the only way to access them is to ssh into the system and look at the files. Which I dont want new users to be able to do.
In essence, I want my new developers to only pull/push files through hg and disallow ssh-ing directly into the system. What the best way to do this? Can I provide hg access to a repo without providing ssh access to the files?
(or is my approach to the problem flawed?)
Thanks!
This can be really easily done by taking advantage of the command option available in .ssh\authorized_keys files. When you're granting their key access in that file you can prepend a "command=...." argument to their key and that's the only command they can run.
Mercurial ships with a handy script for doing exactly that. It has instructions inside:
https://www.mercurial-scm.org/repo/hg/file/tip/contrib/hg-ssh
In term of an authorization layer (similar to Gitolite for Git), you have mercurial-server (not to be mixed up with the Mercurial light-weight web server hgserve)
mercurial-server gives your developers remote read/write access to centralized Mercurial repositories using SSH public key authentication; it provides convenient and fine-grained key management and access control.
See its repository here.
It is based on the same SSH forced-command mechanism than the script mentioned by Ry4an in his answer (+1 on his answer, because it is already packaged with Mercurial).
See for illustration the "mercurial-server" source of refreshauth.py.
Is there any way to centrally manage mercurial settings for all users of a repository? Are there additional [existing] tools, add-ons, extensions, etc for this?
My use case
We have a repository that includes a few Excel, Word etc files that constantly cause trouble with merging.
With [merge-patterns] entries a la **.doc = internal:fail I can specify the intended behaviour, but I have to set this up for each and every user.
I want this to propagate automatically to anyone who clones the repository.
Environment
We use Kiln 2.6 hosted on our own Windows Server and TortoiseHg 2.2 on our Windows clients.
As far as I know, this possibility doesn't exists in Mercurial and I'm not aware of any extension which let you clone the .hgrc along with the other files.
However, you can do some things to "ease" the process of setup for each user.
Provide a template hgrc in the repository
You can add a "template" .hgrc in the repository. When a user clone the repo, the only thing he as to do is move the template to the right place.
Change the system wide hgrc
If you have some kind of Configuration management system for your clients, you can set the system wide configuration file for each of your users. There's various way of doing it. From the documentation:
(Windows) <install-dir>\Mercurial.ini or
(Windows) <install-dir>\hgrc.d\*.rc or
(Windows) HKEY_LOCAL_MACHINE\SOFTWARE\Mercurial
Per-installation/system configuration files, for the system on which
Mercurial is running. Options in these files apply to all Mercurial
commands executed by any user in any directory. Registry keys contain
PATH-like strings, every part of which must reference a Mercurial.ini
file or be a directory where *.rc files will be read. Mercurial checks
each of these locations in the specified order until one or more
configuration files are detected. If the pywin32 extensions are not
installed, Mercurial will only look for site-wide configuration in
C:\Mercurial\Mercurial.ini.
But obviously this depends on the way your clients are set up, so you will have to find the solution yourself. For example you can:
Set these files on the computer installation
Provide an executable which configure this that every user must run
Configure your in-house configuration management system to set up this on the next computer start
Change the roaming user profile if they have one.
You can use the projrc extension to push a project configuration file to others. It requires that the clients enable the extension first and that they fully trusts the server.
I know it is not possible to create Mercurial repositories remotely using HTTP(S), for instance:
$ hg init https://host.org/repos/project
or
$ hg clone /path/to/local/project https://host.org/repos/project
But, what's the reason? Security issues? No need for it? Simply because nobody has implemented it yet?
Rationale for this question: In my company we share most resources via HTTPS, i.e. access permissions are managed by Apache only and regular users cannot login via SSH on the server. That's just perfect as long as repositories need to be served only (for that purpose we are happy with hgwebdir.cgi). However, we also want to allow the remote creation of repos, without the need to maintain additional/patched scripts on the server and extra tools on clients.
To be clear: This question does not ask for solutions to our particular problem but for the reason why Mercurial does not support this feature itself.
UPDATE
Here's a more technical description of the situation I'm thinking of. Supposed hgwebdir.cgi serves a collection of repositories in /path/to/repos at https://.../repos (with pushing enabled). Every user allowed to access this URL (as configured in Apache) may pull and push changesets, effectively this means that hgwebdir.cgi (and thus hg) edits and creates files below /path/to/repos. Now, what's the barrier in letting hgwebdir.cgi also create new repositories below /path/to/repos?
I think the reason is that adding support for creating repositories will bring in a fair amount of baggage:
if you can create repositories you would expect to be able to delete them. While that might seem simple, it would be a big step away from the safe manner in which Mercurial normally works -- there is no destructive commands in standard Mercurial.
people would also want to edit the .hg/hgrc files to set the description and contact information -- standard Mercurial never changes the config files, so this would again be a new thing.
people would also want to manage users' access to the new repositories -- this means editing .htaccess files or the equivalent for other webservers.
... and so on. Implementing this "little" feature will open up for a lot of extra feature requests and we only have a few Mercurial developers that are also sawy web developers.
However, there is now an excellent open source solution: Kallithea gives you a "mini-Bitbucket" that you can deploy on your own server. It will do all of the above. I would install that on my server if I needed something more powerful than plain hgweb.cgi. It supports both Mercurial and Git.
As far as I know, none of the SCM alternatives allow the creation of remote repositories natively. SVN, CVS, Git, et al.
That's usually the job of a hosting provider: SourceForge, Google Code, BitBucket. All of them implement the repository creation on top of their authetication infrastructure.
For example, Debian's Mercurial hosting is limited to Debian Developers, and to create a new repository you need to login via SSH to the server and create the repository on your local home folder, much like Apache's public_html directory.
Various answers (including your own) give some pretty good reasons why the functionality isn't there (separation of concerns mostly), but if you really want to add it you could do so with just a line or two of shell. Here's a hideously unsafe example I gave quite a while ago showing how to add that funcionality in high trust environments: Remote Repository Creation in Mercurial over HTTP
At the company where I work we are using hg as (d)vcs.
Most of the repositories in use are kept in a cenralized space and served via hgweb.
For ease of use and better user experiance (and overview) I like to have something like gitorious (github, bitbucket).
It should allow
hg as backend (or else I'd install gitorious...)
local installation (not per developer, but locally on our site / not hosted)
easy (web-based) repository-creation
personal forking (cloning, but keeping the new repo physically on the same server)
merge requests
A good tool is RhodeCode that serves Mercurial. It looks really good, has user management, grouping, LDAP integration hook control and some graphing options.
The current release (1.3.x) supports git repositories.
You should make this decision looking at the PublishingRepositories wiki page.
My preferred solution is to use the hg-ssh script that already comes with your mercurial install. It makes it very easy to give multiple people ssh access without creating a separate system account for each, and without giving them shell access. It's very easily configured in the .ssh/authorized_keys file of the single shared user.
Repository creation isn't web-based, but it's very easy and personal forking is completely supported:
hg clone ssh://shared#server/main/repo ssh://shared#server/my-personal/repo
I then set up the hgweb script that comes with mercurial to provide a read-only view, and rely on ssh:// for all writes (though hgweb also does writes / push just fine).
If you really think web based repo creation is easier than one-line ssh-based creation I've previously written a stupidly simple script to do so:
http://ry4an.org/unblog/UnBlog/2009-09-17
Someone is going to suggest "mercurial server", and I'd recommend against it. It's not current and never added much value over ssh.
BitBucket.
They are the official HG host, and are actually very good.
I'm completely biased, since I'm a developer on it, but Kiln does a very good job helping you create and manage repositories. It also has code reviews and is commercially supported. You can install on your own server, or Fog Creek will host it for you.
I'm trying to propose switching from CVS and SVN to Mercurial at work. Before I do, I'd like to have any foreseeable questions answered.
How can I set up a repository to allow push and authenticate users?
I'm more familiar with administering SVN, and in SVN it was just a few lines like:
[users]
userA = passwordA
userB = passwordB
And then for permissions it was like:
[general]
userA = write
userB = read
I would really like something like svnserve that allowed me to circumvent using a full-blown apache, since all I need is a central location for pushing change sets. I know that Mercurial doesn't necessarily require a central location, but I think it would be convenient in my workplace.
Thanks!
Try using SCM Manager. It works well for Mercurial. It has a built-in HTTP/HTTPS server and allows you to manage authentication. The only requirement is Java.
http://www.scm-manager.org
https://bitbucket.org/sdorra/scm-manager
Briefly, to setup Mercurial with authentication:
Follow the Getting Started Guide here. If you're using Windows, be sure to use
scm-server\bin\scm-server.bat
to start SCM Manager.
Click on Repository Types > Mercurial Settings > Start Configuration Wizard > Select: Download and Install to install the Mercurial plugin for SCM Manager.
Be patient, downloading takes a while.
When it's finished installing, the screen will go back to the Repository Config window. Restart SCM Manager. After you restart and you should now be able to create and host Mercurial repositories over HTTP.
Double check security: General > Config and uncheck Allow Anonymous Access.Security > Users and deactivate anonymous.
You can also use SCM Manager to host Git and SVN repositories as well.
Mercurial Server is an awesome solution, which I've used on a few occasions.
As #nlucaroni mentioned in the comment, one option is using SSH authentication. It allows authenticated pull and push. We use it in our company together with Apache-hosted HTTP access for anonymous pull-only repositories. See the "ssh" solution at the Publishing Mercurial Repositories.
You can try the textauth extension. Please give it a go and send some feedback to Mercurial mailing list, then perhaps you will see it integrated into a coming release of Mercurial.