I'm really at a loss here. I've read through quite a few examples, and tried all of them. The most basic ones work fine, but anytime I try to move to something a bit more complicated everything falls apart (even when I'm directly copying the example). Also, for the record I am on gitolite version 3 as shown by the server spam:

    this is gitolite@ubuntuserver running gitolite3 v3.1-2-g3eefc06 on git 1.7.9.5         

All this said what I am TRYING to accomplish is (I THINK) relatively simple. I have a group of junior developers [@scrubs], and I only want them to create and commit to new branches, and be able to read/pull master. That way I can review their code before it gets merged in.

I have a group of senior developers [@vets] that I want to have free rein.

My config file is as follows:

     @scrubs         = al ted matthew
     @vets           = kevin will guy

     @offlimitbranches = master$

     repo    gitolite-admin
             RW+     =   @vets matthew

     repo    dawebsite
             RW+                     =   @vets
             -   @offlimitbranches   =   @scrubs
             RW+                     =   @scrubs
             R   @offlimitbranches   =   @scrubs
             R                       =   daemon
             option deny-rules = 1

     dawebsite "Owner"               = "This is THE site"

I noticed nothing worked at all for denying till I added:

    option deny-rules = 1

which I think I found in maybe one out of 20 examples (a touch of a rant, forgive the frustration).

With this current set up vets can do anything as expected.

Scrubs can neither pull nor push to master (and I think that's because it grabs the first rule it can possibly match?). Scrubs also cannot pull or push to any non-master branch, nor push newly created branches. Each attempt returns the same message: "FATAL: [R/W] any dawebsite matthew DENIED by refs/heads/master$"

I've tried using master, master$, @offlimitbranches and even refs/heads/master to no avail for the branch ref.

If anyone can help shed some light on this for me I'd be quite appreciative.

Update**

Playing around with things, I've noticed that if I remove matthew from the scrubs group and try to manipulate him directly with

    -       master$         =   matthew
    RW+                     =   matthew

if he moves to a new branch and tries the following: (thanks VonC for the heads up on the logs)

    git pull origin newBranch
    git push origin newBranch

each returns an error

PULL:

    ARGV=matthew    SOC=git-upload-pack 'dawebsite.git'     FROM=172.24.1.198
    access(dawebsite, matthew, R, 'any'),-> R any dawebsite matthew DENIED by refs/heads/master$
    trigger,Writable,access_1,ACCESS_1,dawebsite,matthew,R,any,R any dawebsite,matthew DENIED by refs/heads/master$
    R any dawebsite matthew DENIED by refs/heads/master$<<newline>>(or you mis-spelled the reponame)

PUSH:

    ARGV=matthew    SOC=git-receive-pack 'dawebsite.git'    FROM=172.24.1.198
    access(dawebsite, matthew, W, 'any'),-> W any medehrdev matthew DENIED by refs/heads/master$
    trigger,Writable,access_1,ACCESS_1,dawebsite,matthew,W,any,W any dawebsite matthew DENIED by refs/heads/master$
    W any dawebsite matthew DENIED by refs/heads/master$<<newline>>(or you mis-spelled the reponame)

It seems all my branches match against the ref master$. Is that because they are all spawned off of master?

VonC
mmorales
  • Try looking at the gitolite *logs* (within the `.gitolite` directory) whenever you have a denied command: it can help you understand why gitolite elected to deny said command. – VonC Oct 19 '12 at 20:25
  • You can't deny your @scrubs from reading any branches, see http://stackoverflow.com/questions/4668885/deny-read-of-specific-repository-branches-with-gitolite – r3m0t Oct 20 '12 at 23:21
  • I'm not looking to deny read at the end of the day; I want to deny write. But I can't find a write-only permission. Is there some way I can do that? – mmorales Oct 22 '12 at 13:22
  • @mmorales, did you find a solution in the end? – gaRex Nov 23 '12 at 14:39
  • @mmorales, if my solution works in your environment, then please accept the answer to help future readers see the solution. – gaRex Nov 23 '12 at 16:02

2 Answers

My config, that is working now:

    @gatekeepers = ustimenko
    @developers  = ustimenko user1 user2
    @deployers   = puppet

    @project     = repo1
    @project     = cakephp

    repo @project
        RW+                 = @gatekeepers
        R   master develop  = @developers
        -   master develop  = @developers
        RW+                 = @developers
        R                   = @deployers

  1. Gatekeepers have full access.
  2. Developers can read the master and develop branches, then they are denied other actions there.
  3. Developers can do all other things.
  4. Deployers can read all.
gaRex
  • I had to use `master$` to make it work with `@project = prefix/..*` – flob May 30 '13 at 16:33
  • If master and develop are read-only, how do developers merge code to these two branches? – brucenan Sep 12 '13 at 03:43
  • @brucenan, the devlead does it. Or a deployment engineer in bigger companies. – gaRex Sep 12 '13 at 05:19
  • @gaRex normally, a developer will create a new branch to fix a bug or implement a feature, and this branch is local. How can others merge it to develop and master? – brucenan Sep 12 '13 at 06:04
  • @brucenan, the dev creates a local branch and commits many, many commits there. Then pushes the branch to the central bare repo, from where the devlead takes it. Then after review the dev rebases it, removes many small commits by squashing them into a few significant commits, and pushes the branch back. Then the devlead takes it and merges it into develop. – gaRex Sep 12 '13 at 06:11
  • I see. All branches will be pushed to origin. Then others merge them. Thanks. – brucenan Sep 12 '13 at 06:12
  • @brucenan in simpler cases the devlead just merges the branch to develop at once. Just google for "dvcs gatekeeper model" – gaRex Sep 12 '13 at 06:13
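
Added example, not part of the original posts and not gitolite's own code: a simplified Python model of the ordered rule walk. It shows why the question's logs report `DENIED by refs/heads/master$` for the ref `any`, and how the same rules behave once the ref is known. It assumes that deny rules are skipped while the ref is unknown unless `deny-rules` is set, and that a refex is prefix-matched against the full ref name; the `access` and `expand` helpers and the rule tuples are constructed for illustration.

```python
import re

def expand(refex):
    # Assumption: a refex that does not start with "refs/" names a branch; the
    # logs above report the rule "master$" as "refs/heads/master$".
    return refex if refex.startswith("refs/") else "refs/heads/" + refex

def access(rules, groups, op, ref="any", deny_rules=False):
    """Simplified model of the rule walk, not gitolite's code.
    rules: (perm, refex or None, group) in config order; op: "R", "W" or "+".
    ref="any" is the check made before git runs, when no ref is known yet."""
    for perm, refex, who in rules:
        if who not in groups:
            continue
        refex = expand(refex) if refex else "refs/.*"
        # Deny rules are skipped while the ref is unknown unless deny-rules is set.
        if perm == "-" and ref == "any" and not deny_rules:
            continue
        # With an unknown ref every refex counts as a match; otherwise the
        # refex is anchored at the start only (prefix match).
        if ref != "any" and not re.match(refex, ref):
            continue
        if perm == "-":
            return f"DENIED by {refex}"
        if op in perm:
            return f"allowed by {refex}"
    return "DENIED by fallthru"

# Constructed from the question's dawebsite rules (daemon line left out).
QUESTION = [("RW+", None, "@vets"), ("-", "master$", "@scrubs"),
            ("RW+", None, "@scrubs"), ("R", "master$", "@scrubs")]
# Constructed from the first answer's rules for @developers.
ANSWER = [("R", "master", "@developers"), ("R", "develop", "@developers"),
          ("-", "master", "@developers"), ("-", "develop", "@developers"),
          ("RW+", None, "@developers")]

if __name__ == "__main__":
    scrub, dev = {"@scrubs"}, {"@developers"}
    print(access(QUESTION, scrub, "R", deny_rules=True))   # pull, as in the log
    print(access(QUESTION, scrub, "W"))                    # pre-git, option off
    print(access(QUESTION, scrub, "W", "refs/heads/master"))
    print(access(QUESTION, scrub, "W", "refs/heads/newBranch"))
    print(access(ANSWER, dev, "W", "refs/heads/master-hotfix"))
```

In this model an unanchored `master` refex also denies writes to `refs/heads/master-hotfix`, while `master$` limits the rule to the branch itself.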
Hmm, I have looked in the documentation and tried it here.

@anything is for a group of users or other groups. What you try there is not correct. You can't use the "@" operator as a variable sign. Documentation of Groups

    repo    dawebsite
        RW+                 =   @vets
        -   branch1         =   @scrubs
        RW+                 =   @scrubs
        R   branch1         =   @scrubs
        R                   =   daemon
        option deny-rules = 1

Gitolite permissions

ZeWaren
René Höhle
  • I'm sorry I should have stated that I've tried using master, master$, @offlimitbranches and even refs/heads/master to no avail. – mmorales Oct 19 '12 at 19:48