- Timestamp: Sep 24, 2012, 2:32:58 PM (11 years ago)
- Author: datallah
- Comment: pet peeve - apostrophes for plurals
v17 | v18 |
9 | 9 | }}} |
10 | 10 | |
11 | | == !Read/Write Access for Developers/CPW's/SoC Students == |
| 11 | == !Read/Write Access for Developers/CPWs/SoC Students == |
12 | 12 | |
13 | 13 | === Configure Mercurial === |
… |
… |
|
40 | 40 | Pidgin's Mercurial repositories are served by the [http://www.lshift.net/mercurial-server.html mercurial-server] package. This relies entirely upon SSH key-based authentication, providing access control and a layer of accountability. |
41 | 41 | |
42 | | If you wish, you can simplify Mercurial ssh: URL's by adding the following to `~/.ssh/config`: |
| 42 | If you wish, you can simplify Mercurial ssh: URLs by adding the following to `~/.ssh/config`: |
43 | 43 | {{{ |
44 | 44 | Host hg.pidgin.im |
… |
… |
|
68 | 68 | |
69 | 69 | === Access Control === |
70 | | Access control on Pidgin's Mercurial server is such that all developers can write to our master repositories, but each developer and CPW has their own repositories that anyone can read but only they can write to. The repositories are structured like so (developers/CPW's listed here are for the purpose of example): |
| 70 | Access control on Pidgin's Mercurial server is such that all developers can write to our master repositories, but each developer and CPW has their own repositories that anyone can read but only they can write to. The repositories are structured like so (developers/CPWs listed here are for the purpose of example): |
71 | 71 | |
72 | 72 | {{{ |
… |
… |
|
97 | 97 | |
98 | 98 | Access control is as follows: |
99 | | * Developers and CPW's have write access to `pidgin/*` |
| 99 | * Developers and CPWs have write access to `pidgin/*` |
100 | 100 | * Developers can create and modify repositories in `dev/$NICKNAME/` |
101 | 101 | * Crazy Patch Writers can create and modify repositories in `cpw/$NICKNAME/*` |
… |
… |
|
109 | 109 | |
110 | 110 | 1. Check out the `hgadmin` repo: `hg clone ssh://hg@hg.pidgin.im/hgadmin pidgin-hgadmin` |
111 | | 1. `cd pidgin-hgadmin/keys`. Inhere is a series of directories. The format is self-explaining. Developers go in `devs/$NICKNAME`, CPW's in `cpws/$NICKNAME`, SoC students in `soc/$NICKNAME`. This is to allow a single developer, CPW, or SoC student to have multiple SSH keys, perhaps for multiple machines. |
| 111 | 1. `cd pidgin-hgadmin/keys`. Inhere is a series of directories. The format is self-explaining. Developers go in `devs/$NICKNAME`, CPWs in `cpws/$NICKNAME`, SoC students in `soc/$NICKNAME`. This is to allow a single developer, CPW, or SoC student to have multiple SSH keys, perhaps for multiple machines. |
112 | 112 | 1. Create the appropriate directory. |
113 | 113 | 1. Within this directory create a file named for the SSH key being added, for example `user@somehost`. |
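Review bot: the unchanged part of line 111 still carries two wording defects that this cleanup could fix in the same pass: "Inhere is a series of directories" should read "In here is a series of directories", and "The format is self-explaining" should read "The format is self-explanatory".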
… |
… |
|
120 | 120 | |
121 | 121 | === A Special Note About "root" Access === |
122 | | As indicated above, people who have "root" access to mercurial-server have the ability to configure the server via the `hgadmin` repo. They also have the ability to bypass all ACL's, and thus can write to any repository, including developers', CPWs', and SoC students' repositories. |
| 122 | As indicated above, people who have "root" access to mercurial-server have the ability to configure the server via the `hgadmin` repo. They also have the ability to bypass all ACLs, and thus can write to any repository, including developers', CPWs', and SoC students' repositories. |
123 | 123 | |
124 | 124 | Additionally, there is a safety net built into the mercurial-server configuration. In `/etc/mercurial-server` on rock.pidgin.im is a default ACL (`access.conf`) and a `keys` directory structure. This default ACL is what grants "root" users their privileges, and the `keys` directory structure contains the relevant keys in the `keys/root` directory. These keys are located here in the server's filesystem instead of in the hgadmin repository as a safety net. When building the files used by mercurial-server, the tools ''always'' read from `/etc/mercurial-server` ''before'' reading from `hgadmin`; this allows access to the hgadmin repo in the event that it is damaged either through accidental or intentional means. This safety net means that at least two people will ''always'' have access to our repositories. |