VREF/NAME permissions on specific branches of a repo


TheBigOne

Jun 27, 2012, 10:27:45 AM
to gitolite
Hi,

I found out how to set the branch permissions and also how to set the
folder permissions within a repository, but what about setting folder
permissions on special branches of a repo?

I want to give RW permissions on the master branch only for a special
folder and
RW permissions on all directories in the test and dev branch.

Currently my permissions are as follows:

repo puppet-development
    RW+                          = @admins
    RW  puppet.test              = @tester
    RW  puppet.dev               = @tester @developer
    RW+                          = @tester
    RW+ NAME/manifests/hosts/    = @tester
    -   NAME/                    = @tester
    -   @prod                    = @developer

The problem here is that "- NAME/ = @tester" is also valid in all
branches of the repo, but it should only be valid for the master
branch.

Any help is really appreciated

Is there a way to work around?

Sitaram Chamarty

Jun 28, 2012, 10:17:39 PM
to TheBigOne, gitolite
Let me summarise:

* you want to allow pushing to 'master'
* you want to allow writing a file say 'foo' (or files in
manifests/hosts/, in your case)
* but not when both are combined (for some users)

Assuming that is correct, here's something that I just tested:

repo testing

# explicitly permit the refs you want to check later.
# In some cases you may need them *before* more generic
# rules

RW+ refs/heads/master = u1 u2
RW+ = @all

RW+ VREF/NAME/foo = u1 u2
RW+ VREF/NAME/ = u1 u2

# set up a deny combo and call it rule 'r1'. Do NOT use
# globs here (like refs/.* or refs/heads/.*)
option deny-combo.r1 = refs/heads/master VREF/NAME/foo

# now deny users u1 and u2 if they push combo 'r1'
- VREF/deny-combo/r1 = u1 u2

You also need to add

'RecordRefs::access_2',

to the 'ACCESS_2' list in the rc file.

----

The code behind all this is in the following two files, with
explanations following:

(I am not sure if the mailing list archive preserves
attachments, and I want this email to be useful by itself for
anyone searching for something like this later, so I in-lined
them. They're not very big).

src/lib/Gitolite/Triggers/RecordRefs.pm:

package Gitolite::Triggers::RecordRefs;
use strict;
use warnings;

# ACCESS_2 trigger.  $_[5] is the result of the access check: the refex
# that permitted the access, or a string containing "DENIED" otherwise.
# Append each permitting refex to GL_REFS (space separated) so that a
# VREF run later in the same push can see every refex matched so far.
sub access_2 {
    $ENV{GL_REFS} .= "$_[5] " unless $_[5] =~ /DENIED/;
}

1;

All this is doing is recording each ref that got matched. See
the 'triggers' doc for arguments. Briefly, this is the refex
that allowed any specific match to proceed. For the master
branch, this will be 'refs/heads/master'. For any other, it
will be 'refs/.*' because that is what an empty refex becomes,
internally. This is why you need to explicitly make sure the
correct rule matches.

src/VREF/deny-combo:

#!/bin/bash

# deny-combo VREF.  Argument 8 is whatever follows 'VREF/deny-combo/' in
# the conf, i.e. the rule name ('r1'); fetch the refs that make up that
# combo from 'option deny-combo.<rule>' (stored as a gitolite-options
# git-config key).
rule=$8
refs=`gitolite git-config $GL_REPO gitolite-options\\.deny-combo\\.$rule`

echo >&2 "refs=$refs."
echo >&2 "GL_REFS=$GL_REFS."

# GL_REFS holds the refexes recorded by RecordRefs::access_2, one per
# word.  If any ref of the combo is missing, this push is not the
# forbidden combination: exit silently so the VREF has no effect.
for i in $refs
do
    echo " $GL_REFS " | grep " $i " || exit 0
done >/dev/null

# Every ref of the combo matched: print the refex (argument 7) plus a
# message, which is what makes the '-' rule for this VREF fire.
echo "$7 bad combo: $GL_REFS"

When you invoke a VREF by saying 'VREF/deny-combo/r1', argument
8 is 'r1'. That's our 'rule number/name', so you then get the
option value out for that rule.

Split it out into fields, and if any of the fields does *not*
exist in the list of recorded refs, exit without printing
anything.

Otherwise, print the refex with an additional message. See the vref
document for how this gets treated, but basically it triggers
the "-" in the VREF invocation in the conf file.

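To make the ordering caveat in the reply above concrete, here is an added example (not gitolite's own code, and not part of the original thread) that models gitolite's first-match rule evaluation in a simplified form and records matched refexes the way RecordRefs::access_2 does. It uses the 'repo testing' conf from the reply, plus a variant with the generic "RW+ = @all" rule placed before the explicit master rule. Assumptions: refexes are regexes anchored at the start, an empty refex becomes 'refs/.*', a matching "-" rule denies at once, a permit rule lacking the needed permission is skipped, and a VREF that no rule matches falls through without being recorded. The user 'u3' and file names 'foo' and 'bar.txt' are constructed inputs.

```python
import re

# Simplified model of gitolite's access-rule evaluation (added example, not
# gitolite code).  Rules are (perm, refex, users) in conf order; this is the
# 'repo testing' conf from the reply above, expressed as data.
RULES = [
    ("RW+", "refs/heads/master", {"u1", "u2"}),
    ("RW+", "", {"@all"}),                      # RW+ = @all
    ("RW+", "VREF/NAME/foo", {"u1", "u2"}),
    ("RW+", "VREF/NAME/", {"u1", "u2"}),
    ("-", "VREF/deny-combo/r1", {"u1", "u2"}),
]
# Same rules, but the generic rule comes *before* the explicit master rule:
# the ordering the conf comment warns against.
WRONG_ORDER = [RULES[1], RULES[0]] + RULES[2:]

# option deny-combo.r1 = refs/heads/master VREF/NAME/foo
COMBOS = {"r1": ["refs/heads/master", "VREF/NAME/foo"]}


def normalize(refex):
    """An empty refex is stored as 'refs/.*'; 'NAME/x' is shorthand for
    'VREF/NAME/x'; anything naming neither refs/ nor VREF/ is assumed to
    live under refs/heads/."""
    if refex == "":
        return "refs/.*"
    if refex.startswith("NAME/"):
        return "VREF/" + refex
    if not refex.startswith(("refs/", "VREF/")):
        return "refs/heads/" + refex
    return refex


def matched_refex(rules, user, ref, need="W"):
    """Return the refex of the first rule that permits `ref` for `user`,
    or None.  `need` is 'W' for a fast-forward push, '+' for rewind/delete.
    A matching '-' rule denies immediately; a permit rule without the
    needed permission is skipped.  None for a VREF means 'fell through',
    which gitolite treats as no opinion rather than a denial."""
    for perm, refex, users in rules:
        if user not in users and "@all" not in users:
            continue
        refex = normalize(refex)
        if not re.match(refex, ref):
            continue
        if perm == "-":
            return None
        if need == "+" and "+" not in perm:
            continue
        return refex
    return None


def deny_combo(recorded, combo):
    """The deny-combo VREF's test: fire only if every refex of the combo is
    among the refexes recorded for this push."""
    return all(r in recorded for r in combo)


def push_result(rules, user, ref, files, need="W"):
    """Simulate one pushed ref plus the NAME/ checks for its changed files.
    Matched refexes are recorded like RecordRefs::access_2 does (denied or
    fallen-through checks are not recorded); then each '- VREF/deny-combo/'
    rule that names this user is applied to the recorded set."""
    recorded = []
    r = matched_refex(rules, user, ref, need)
    if r is None:
        return "DENIED: no rule permits %s for %s" % (ref, user)
    recorded.append(r)
    for f in files:
        v = matched_refex(rules, user, "VREF/NAME/" + f, need)
        if v is not None:          # unmatched VREF: fallthru, nothing recorded
            recorded.append(v)
    for perm, refex, users in rules:
        if perm != "-" or not refex.startswith("VREF/deny-combo/"):
            continue
        if user not in users and "@all" not in users:
            continue
        rule = refex.rsplit("/", 1)[1]
        if deny_combo(recorded, COMBOS[rule]):
            return "DENIED by %s: bad combo %s" % (rule, " ".join(recorded))
    return "ALLOWED: " + " ".join(recorded)


if __name__ == "__main__":
    for rules, label in ((RULES, "correct order"), (WRONG_ORDER, "generic rule first")):
        print("--", label)
        print("u1 master foo    ", push_result(rules, "u1", "refs/heads/master", ["foo"]))
        print("u1 dev    foo    ", push_result(rules, "u1", "refs/heads/dev", ["foo"]))
        print("u1 master bar.txt", push_result(rules, "u1", "refs/heads/master", ["bar.txt"]))
        print("u3 master foo    ", push_result(rules, "u3", "refs/heads/master", ["foo"]))
```

With the rules in the order given in the reply, u1 pushing foo to master records 'refs/heads/master VREF/NAME/foo' and the combo denies it, while the same file on dev records 'refs/.* VREF/NAME/foo' and passes. With the generic rule first, the master push is recorded as 'refs/.*' too, so the combo never sees 'refs/heads/master' and the push is allowed: that is exactly why the explicit ref must be permitted before the generic rule.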
TheBigOne

Jun 29, 2012, 6:47:17 AM
to gito...@googlegroups.com
Hi

I tried a lot to get it working, but it won't.

I can see in the logs that the rules are at least called, but I can always push to the master and test branch.

I'm pretty sure that I missed something or misunderstood something in your explanation. I read it again and again, without success in the end.

repo puppet-development
    # Admins can do everything
    RW+ refs/heads/master       = u1
    RW+ refs/heads/puppet.test  = u1
    RW+ refs/heads/puppet.dev   = u1
    RW+                         = u2

    option deny-combo.r1 = refs/heads/master VREF/NAME/manifests/hosts

    # write and push permission on all branches for this directory
    RW VREF/NAME/manifests/hosts        = u1

    - VREF/deny-combo/r1 = u1

This should allow the user to push files to the test branch to the folder manifests/hosts but disallow by rule r1 to push the files to the master branch right?

I also checked the file RecordRefs.pm and tried to print $_[5] to a file. It was always refs/heads/master. It never contained the string DENIED.

Here is the gitolite.log
I pushed first to test branch and then switched to master and both are working.

http://pastebin.com/r8ga75k6

Sitaram Chamarty

Jun 29, 2012, 7:14:12 AM
to TheBigOne, gito...@googlegroups.com
Oops; I forgot to mention you need the latest gitolite.

Well, not exactly the latest, but at least 5300809, which is just over 3
weeks old.

TheBigOne

Jun 29, 2012, 8:05:00 AM
to gito...@googlegroups.com
Hi,

It looks much better :)
Now I have a good starting point for further tests.

Thanks for your effort.
