
I have gitolite on my server and I want to configure access to my repository. I want to restrict access to some branches for some users. I tried a lot of variants of how to configure the gitolite.conf file and I didn't find a solution for how to restrict access to some branches.

1)

@developers1 = user1
@developers2 = user2

repo dbatest 
   RW+    = @developers1
   R test = @developers2
   - test = @developers2
   RW+    = @developers2

When user2 executed the command `git push origin test`, the push succeeded. In the gitolite log I had these lines:

http    ARGV=user2  SOC=git-receive-pack 'dbatest'  FROM=10.65.184.239
6453    pre_git dbatest user2   W   any refs/.*
6453    system,git,http-backend
6453    END

2)

@developers1 = user1
@developers2 = user2

repo dbatest 
   RW+    = @developers1
   - test = @developers2
   RW+    = @developers2

When user2 executed the command `git push origin test`, the push succeeded. In the gitolite log I had these lines:

http    ARGV=user2  SOC=git-receive-pack 'dbatest'  FROM=10.65.184.239
6457    pre_git dbatest user2   W   any refs/.*
6457        system,git,http-backend
6457    END

3)

@developers1 = user1
@developers2 = user2

repo dbatest 
   RW+    = @developers1
   R test = @developers2
   - test = @developers2
   RW+    = @developers2
   option deny-rules = 1

When user2 executed the command `git push origin test`, the push was denied and he saw this message:

fatal: remote error: FATAL: W any dbatest user2 DENIED by refs/heads/test
(or you mis-spelled the reponame)

And in the gitolite log I had this:

8161    http    ARGV=user2  SOC=git-receive-pack 'dbatest'  FROM=10.65.184.239
8161    die W any dbatest user2 DENIED by refs/heads/test<<newline>>(or you mis-spelled the reponame)

It looks good, but when he tries to push something into the master branch he gets this message too.

I tried mixing these lines in my gitolite config file but they didn't work for me.

I will be happy if someone can help me with it. I want to restrict write access to some branches for some developers. I can't create an additional repository; I must use a restriction policy on one main repository.

Big Thanks!

Sufelfay

3 Answers


If I look at the official documentation:

repo foo bar

    RW+                     =   alice @teamleads
    -   master              =   dilbert @devteam
    -   refs/tags/v[0-9]    =   dilbert @devteam
    RW+ dev/                =   dilbert @devteam
    RW                      =   dilbert @devteam
    R                       =   @managers

dilbert and the dev team have these restrictions:

  • they can do anything to branches whose names start with "dev/"
  • **they can create or fast-forward push, but not rewind or delete, any branch except `master`**

So this looks right:

    -   test  = @developers2
    RW+       = @developers2

However gitolite has two checks:

  • one when the ref is unknown (in which case `- test` is ignored),
  • one when the ref is known.

In your case, the ref (test) should be known and the deny rule should apply.

You can debug more by tracing the logic of your specific rules with:

gitolite access -s dbatest user2 W test

The OP Sufelfay confirms in the comments that it works with 3.5.3, not with 3.6.x.

VonC
  • Thanks for your reply. I restored my config file from the second version above and executed this command. My output is: `D => explicitly denied, D gitolite.conf:15 - test = @developers2`. As I understand it, this should work fine, but unfortunately it doesn't – Sufelfay Apr 24 '15 at 07:00
  • @Sufelfay by the way, what version of gitolite are you using? – VonC Apr 24 '15 at 07:01
  • My version is v 3.6.2. – Sufelfay Apr 24 '15 at 07:11
  • @Sufelfay do you have any other config file (other than the `gitolite.conf`), like `subs/xxx.conf`? – VonC Apr 24 '15 at 07:47
  • In the gitolite folder, no, I haven't, but in the apache folder I have a lot of conf files. To connect my users I use HTTP, not SSH; maybe that is the reason for my problem? – Sufelfay Apr 24 '15 at 08:14
  • @Sufelfay does your apache config call gitolite? I do use https access as well, but my config does call gitolite: https://github.com/VonC/compileEverything/blob/6a16d5c36efeaeb3bf5aacc83c3e07a113e3ae85/apache/env.conf.tpl#L242-L246 – VonC Apr 24 '15 at 08:17
  • Thanks, my config is simpler than yours but it has everything gitolite needs to work correctly. What version of gitolite do you use? Do you update your gitolite-admin repository via SSH or locally? – Sufelfay Apr 24 '15 at 08:30
  • @Sufelfay 3.5.x. I update it both from local or remote (https or ssh) – VonC Apr 24 '15 at 08:32
  • Thank you very much! I installed gitolite version 3.5.3 on my server and now it works. Thanks – Sufelfay Apr 24 '15 at 12:30
  • @Sufelfay OK. I have included your conclusion in the answer for more visibility. – VonC Apr 24 '15 at 12:40

I know it's an old topic, but I did some research recently and ended up here. Quick update about the commentary from the answer at the top.

I'm using v3.6.4 and the following solution is working:

@teamA = user1 user2
@teamB = user3 user4

repo foo
    RW+                    = @teamA
    R                      = @teamB
    RW+ refs/heads/banana  = @teamB

In this case, teamB is allowed to clone the repo "foo" and push only to the branch "banana".

Persike

As Sufelfay said in the comments to the other posting, this is a bug in recent versions of Gitolite.

The access check is split into two phases. During the initial phase the ref is unknown and Gitolite is supposed to skip all rules referring to refs.

In fact, however, it applies all rules but ignores the ref specification. Thus ...

- test = @developers2

... is evaluated as ...

- = @developers2

... during the first phase. To make matters worse, the error indicates the very last rule which was processed. This rule may be unrelated.

As a workaround, you can add an access rule for `any` before the deny rules:

RW  any   =  @developers2
-   test  =  @developers2
...
Hendrik Brummermann
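An added Python model of the two-phase check this answer describes, written for this page and not gitolite's own code: it reproduces the question's third variant (deny-rules on, where the pre_git check ignores the refex of the `- test` rule and therefore also rejects pushes to master) and the `RW any` workaround above. The conf texts are constructed, name users directly instead of via @groups, and the parser and matcher are simplified.

```python
import re

# Constructed conf texts (not copied from the page; users named directly instead of via
# @groups): the question's third variant with "option deny-rules = 1", and Hendrik's
# workaround placing "RW any" ahead of the deny rule.
CONF_DENY_RULES = """
repo dbatest
   - test = user2
   RW+    = user2
"""
CONF_WORKAROUND = """
repo dbatest
   RW any = user2
   - test = user2
   RW+    = user2
"""

def parse(conf):
    """Return [(perm, refex, users)] from a one-repo gitolite-style conf (simplified)."""
    rules = []
    for line in (l.strip() for l in conf.splitlines()):
        if not line or line.startswith("repo "):
            continue
        lhs, rhs = (p.strip() for p in line.split("=", 1))
        perm, *rest = lhs.split()
        refex = rest[0] if rest else "refs/.*"
        if not refex.startswith("refs/"):   # gitolite prepends refs/heads/ to a bare refex
            refex = "refs/heads/" + refex
        rules.append((perm, refex, rhs.split()))
    return rules

def access(conf, user, aa, ref):
    """First matching rule wins. ref 'any' is the pre_git check: the ref is unknown and,
    with deny-rules on, the refex is simply ignored, as the third answer describes."""
    for perm, refex, users in parse(conf):
        if user not in users:
            continue
        if ref != "any" and not re.match(refex, ref):
            continue
        if perm == "-":
            return f"DENIED by {refex}"
        if aa in perm:                      # W is satisfied by RW or RW+, + only by RW+
            return f"{perm} {refex}"
    return "DENIED by fallthru"

def push_result(conf, user, branch):
    """The two checks a push passes: pre_git with ref 'any', then the update hook."""
    pre = access(conf, user, "W", "any")
    return pre if pre.startswith("DENIED") else access(conf, user, "W", "refs/heads/" + branch)
```

With `CONF_DENY_RULES`, `push_result(CONF_DENY_RULES, "user2", "master")` already fails in the first phase with the same "DENIED by refs/heads/test" the question reports; with `CONF_WORKAROUND` the first phase passes, master is allowed and only test is denied.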