Restrict Mercurial repository access
21-04-2021
Question
I have a Mercurial server using mercurial-server. I edited access.conf in the hgadmin repo as follows:

    deny repo=a/b
    read user=x/**
    read user=y/**
    write repo=a/b user=x/abc
    write repo=a/b user=y/z

But user z still can't access this repo. Any ideas?
Solution
    user=globpattern: path to the user's key

So the path of z's key might be wrong, or the path of the repo is off.

When considering a request, mercurial-server steps through all the rules in /etc/mercurial-server/access.conf and then all the rules in access.conf in hgadmin, looking for a rule which matches on every condition. The first match determines whether the request will be allowed; if there is no match in either file, the request will be denied.

Other possibility: maybe a deny rule (applicable for user z) is found first.
OTHER TIPS
The first matching rule applies. In this instance the deny rule is first, so it will match first; no user will be given access to repo a/b no matter what other rules follow this one.
Try placing the two write rules above the deny rule.
Note also that any rules in /etc/mercurial-server/access.conf will logically precede these rules.
There is one more peculiarity about mercurial-server that you may need to know: you cannot duplicate keys several times in keys/ of hgadmin, because on the server side those keys are compiled into /var/lib/mercurial-server/.ssh/authorized_keys. So if you specify the same key in different key files in keys/, then when hg does ssh it will use the first occurrence of the key in authorized_keys and probably refer to the first repo only and disable access to the other repos which refer to another file (but with the same key).
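To make the first-match rule in the answers above concrete, here is an added example (not mercurial-server's own code) that models its access.conf evaluation: rules are read in file order, the first rule whose every condition matches decides, and no match means deny. It assumes the documented privilege order init > write > read > deny, that ** globs across "/" while * and ? do not, that the system-wide /etc/mercurial-server/access.conf is empty, and it only models user= and repo= conditions.

```python
import re

# Access levels in increasing privilege, as documented for mercurial-server.
LEVELS = ["deny", "read", "write", "init"]

def glob_to_regex(pattern):
    """'**' spans '/', while '*' and '?' stay inside one path component (assumed)."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] in "*?":
            out, i = out + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")

def parse_rules(text):
    """Parse access.conf text into (level, {condition: regex}) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        level, *conds = line.split()
        if level not in LEVELS:
            raise ValueError("unknown action: " + level)
        rules.append((level, {k: glob_to_regex(p) for k, _, p in (c.partition("=") for c in conds)}))
    return rules

def decide(rules, user, repo, wanted):
    """Return (matched level, allowed): the first rule whose conditions all match
    decides; a rule with an unmodelled condition (branch=, file=) never matches."""
    request = {"user": user, "repo": repo}
    for level, conditions in rules:
        if all(rx.match(request.get(key, "")) for key, rx in conditions.items()):
            return level, LEVELS.index(level) >= LEVELS.index(wanted)
    return None, False

# Constructed copies of the question's rules; the system-wide file would be prepended.
WRITE = "write repo=a/b user=x/abc\nwrite repo=a/b user=y/z\n"
READ = "read user=x/**\nread user=y/**\n"
DENY = "deny repo=a/b\n"
AS_POSTED = DENY + READ + WRITE        # the hgadmin access.conf from the question
REORDERED = WRITE + DENY + READ        # write rules first, as the answers suggest
ABOVE_DENY_ONLY = READ + WRITE + DENY  # writes above deny, but still below the reads

if __name__ == "__main__":
    for name, conf in [("as posted", AS_POSTED), ("reordered", REORDERED), ("above deny only", ABOVE_DENY_ONLY)]:
        print(name, decide(parse_rules(conf), "y/z", "a/b", "write"))
```

Running it shows that moving the write rules only above the deny line is not enough: the read user=y/** rule then matches first and caps y/z at read, so the write rules have to precede the read rules as well.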