cool new feature: show rules in access control decision


Sitaram Chamarty

Apr 21, 2014, 11:54:35 AM
to Gitolite Google Groups, gitolite...@googlegroups.com, Michel Bourget
[This email is best viewed in a monospace font].

Hi all,

Following a discussion with Michel (in cc), I finally figured out a way
for gitolite to show the access control decision on demand. I had
earlier thought it would not be possible because the syntactic sugar
feature loses file/line info very early on, but I managed to work it
out. It'll tell you the conf file name and line number of each rule
that was considered, and what happened with that rule.

Getting this feature requires:

* the latest (as yet untagged; soon -- I promise) gitolite as of today
* add a line
RULE_INFO => 1,
to the rc file (inside the %RC hash but outside the ENABLE list)
* make a fresh push of the gitolite-admin repo (or run 'gitolite
compile' on the server)

Here are some sample outputs of the "show" mode of the access command:

Note that the following legend is printed on all invocations; I removed it from
the command outputs below for brevity.

d => skipped deny rule due to ref unknown or 'any',
r => skipped due to refex not matching,
p => skipped due to perm (W, +, etc) not matching,
D => explicitly denied,
A => explicitly allowed,
F => denied due to fallthru (no rules matched)

$ gitolite access -s foss-1 PHB R

A boss.conf:7 R = @boss

refs/.*

$ gitolite access -s foss-1 PHB W

p boss.conf:7 R = @boss
p foss.conf:7 R = @all
F (fallthru)

W any foss-1 PHB DENIED by fallthru

$ gitolite access -s foss-1 u5 W

p foss.conf:7 R = @all
d gitolite.conf:15 - master = u5
A gitolite.conf:16 RW+ dev = u5

refs/heads/dev

$ gitolite access -s foss-1 u5 W refs/heads/foo

p foss.conf:7 R = @all
r gitolite.conf:15 - master = u5
r gitolite.conf:16 RW+ dev = u5
A gitolite.conf:17 RW = u5

refs/.*

$ gitolite access -s foss-1 u5 + refs/heads/foo

p foss.conf:7 R = @all
r gitolite.conf:15 - master = u5
r gitolite.conf:16 RW+ dev = u5
p gitolite.conf:17 RW = u5
F (fallthru)

+ refs/heads/foo foss-1 u5 DENIED by fallthru

The conf files for these, with line numbers, are:

gitolite.conf:
1 repo gitolite-admin
2 RW+ = admin
3
4 repo testing
5 RW+ = @all
6
7 include "boss.conf"
8 include "foss.conf"
9
10 repo foss-1
11 RW+ = u1
12 RW = u2
13 RW+ master = u3
14 RW master = u4
15 - master = u5
16 RW+ dev = u5
17 RW = u5

boss.conf:
1 # boss conf file
2 # bosses can read all repos
3
4 @boss = PHB
5
6 repo @all
7 R = @boss

foss.conf:
1 # foss conf file
2 # everyone can read foss repos
3
4 @foss = foss-1 foss-2
5
6 repo @foss
7 R = @all
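To make the legend and the five transcripts above concrete, here is an added Python re-implementation of the decision loop they illustrate. It is not gitolite's own code (gitolite is Perl) and covers only the rule syntax used in the three conf files of this post; the rule order, the refex defaults (no refex means refs/.*, a bare name means refs/heads/NAME) and the prefix-anchored refex match are taken from gitolite's documented behaviour, and the rule table is transcribed from the conf listings. It goes one step beyond the post by also producing the D outcome, which none of the transcripts show.

```python
import re

# Rules transcribed from the three conf files in the post, in the order
# gitolite sees them once the two "include" lines are expanded:
# (file:line, repo spec, perm, refex, user spec).
RULES = [
    ("boss.conf:7", "@all", "R", "", "@boss"),
    ("foss.conf:7", "@foss", "R", "", "@all"),
    ("gitolite.conf:11", "foss-1", "RW+", "", "u1"),
    ("gitolite.conf:12", "foss-1", "RW", "", "u2"),
    ("gitolite.conf:13", "foss-1", "RW+", "master", "u3"),
    ("gitolite.conf:14", "foss-1", "RW", "master", "u4"),
    ("gitolite.conf:15", "foss-1", "-", "master", "u5"),
    ("gitolite.conf:16", "foss-1", "RW+", "dev", "u5"),
    ("gitolite.conf:17", "foss-1", "RW", "", "u5"),
]
GROUPS = {"@boss": {"PHB"}, "@foss": {"foss-1", "foss-2"}}

def in_spec(name, spec):
    # a repo or user spec is @all, a group name, or a literal name
    return spec == "@all" or name == spec or name in GROUPS.get(spec, set())

def full_refex(refex):
    # gitolite defaults: no refex means any ref, a bare name is a branch
    if not refex:
        return "refs/.*"
    return refex if refex.startswith("refs/") else "refs/heads/" + refex

def access(repo, user, aa, ref="any"):
    """Return (trace lines, decision) in the format of `gitolite access -s`."""
    trace = []
    for where, rspec, perm, refex, uspec in RULES:
        if not (in_spec(repo, rspec) and in_spec(user, uspec)):
            continue  # rule is not about this repo/user; never shown
        shown = " ".join(t for t in (where, perm, refex, "=", uspec) if t)
        rx = full_refex(refex)
        if perm == "-" and ref == "any":  # deny rules need a concrete ref
            trace.append("d " + shown)
        elif ref != "any" and not re.match(rx, ref):
            trace.append("r " + shown)
        elif perm == "-":
            trace.append("D " + shown)
            return trace, f"{aa} {ref} {repo} {user} DENIED by {rx}"
        elif aa not in perm:  # R is in R/RW/RW+, W in RW/RW+, + only in RW+
            trace.append("p " + shown)
        else:
            trace.append("A " + shown)
            return trace, rx
    trace.append("F (fallthru)")
    return trace, f"{aa} {ref} {repo} {user} DENIED by fallthru"
```

Calling access("foss-1", "u5", "W", "refs/heads/foo") reproduces the fourth transcript line for line, and access("foss-1", "u5", "W", "refs/heads/master") shows the D case: the deny rule on line 15 matches the ref and the push is refused by that refex, not by fallthru.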

Sitaram Chamarty

May 10, 2014, 10:33:32 PM
to Gitolite Google Groups, gitolite...@googlegroups.com, Michel Bourget
Amendment, now that v3.6 has been released. You don't need to add
anything to the rc file; I decided it's not a big deal to enable it
by default.