See Manual:Preventing access on mediawiki.org, section "Restrict viewing of all pages".
Specifically, to allow everyone to read (but not edit) the Main Page and a page named Public stuff, and to allow only sysops to read and edit all pages, you'd add the following lines to your LocalSettings.php:
# prevent editing and reading by anons (except for exception listed below):
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['read'] = false;
# same for normal registered users:
$wgGroupPermissions['user']['edit'] = false;
$wgGroupPermissions['user']['read'] = false;
# allow everyone read access to these pages:
$wgWhitelistRead = array( "Main Page", "Public stuff" );
# allow sysops to read and edit normally:
$wgGroupPermissions['sysop']['edit'] = true;
$wgGroupPermissions['sysop']['read'] = true;
Of course, you can replace sysop
above with your own custom user group; I just used it in the example because it exists in a stock MediaWiki install.
(Some older example code suggests also including "Special:UserLogin"
and possibly "Special:ChangePassword"
and "Special:PasswordReset"
in $wgWhitelistRead
. In modern MediaWiki versions this should be unnecessary, although still harmless.)