How does Gitolite check that the current user has write/read permission to a given repository? Is this done by a custom shell? If yes, then how does it work?
1 Answer
1
It is using the ssh forced command mechanism to call the gitolite-shell script.
Gitolite registers a user by adding to the ~git/ssh/authorized_keys a line similar to:
```
command="/devit_home/users/vobadm/gitpoc/ce7/gitolite/bin/gitolite-shell gitoliteadm",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3N
```
The user id is derived directly from the name of the public key.
For more, see "How do programs like gitolite work?".
The read/write access is declared in the gitolite.conf file.
Most of gitolite's power is in the conf/gitolite.conf file, which specifies detailed access control for repos. Everything except adding users happens from this file.
```
@staff      =   dilbert alice           # line 1
@projects   =   foo bar                 # line 2
repo @projects baz                      # line 3
    RW+         =   @staff              # line 4
    -   master  =   ashok               # line 5
    RW          =   ashok               # line 6
    R           =   wally               # line 7
```
-
Thanks. I'm just trying to write my own pure-shell Git permission server, which will work on top of Redis. It will be used as a web app deployment tool, and I was wondering how to achieve that :) – Hauleth Apr 10 '13 at 12:05
-
@ŁukaszNiemier will you use ssh or https access? – VonC Apr 10 '13 at 12:30
-
I think that it will be SSH only. But maybe in the future it will be extracted as an independent tool (for now it will be inside my [Puppet module](https://github.com/haulet/puppet-gitdeploy/)). Then maybe I'll add auth through HTTP also. – Hauleth Apr 10 '13 at 12:42
-
@ŁukaszNiemier ok, in that case, forced command is relevant. But you can link Gitolite with any mechanism able to authenticate a user (and call gitolite-shell). Gitolite is only an authorization layer, it doesn't authenticate: http://gitolite.com/gitolite/auth.html. See another version of that explanation at http://stackoverflow.com/questions/9339272/gitolite-can-connect-via-ssh-cant-clone/9340778#9340778. – VonC Apr 10 '13 at 12:49
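An added sketch (not gitolite's code and not written by anyone in this thread) of the check a forced-command wrapper makes: the `command=` argument names the user, sshd exposes the client's request in `SSH_ORIGINAL_COMMAND`, and the wrapper maps `git-upload-pack` to read and `git-receive-pack` to write before consulting its rules. `RULES`, `parse_request` and `authorize` are hypothetical names, and the rule list is a constructed repo-level flattening of the conf shown in the answer.

```shell
#!/bin/sh
# Added sketch, not gitolite's code. RULES, parse_request, authorize are hypothetical names.
# Constructed ACL, "<perm> <repo> <user>" per line (R = read, RW = read and write).
# Repo-level only: ref-level rules such as "- master = ashok" are not modelled.
RULES='RW foo dilbert
RW foo alice
RW foo ashok
R foo wally'

# parse_request CMD: accept only the two git transport commands and set
# VERB (R = fetch/clone, W = push) and REPO; anything else returns 1.
parse_request() {
    case "$1" in
        "git-upload-pack '"*"'")  VERB=R; REPO=${1#"git-upload-pack '"} ;;
        "git-receive-pack '"*"'") VERB=W; REPO=${1#"git-receive-pack '"} ;;
        *) return 1 ;;
    esac
    REPO=${REPO%"'"}; REPO=${REPO#/}; REPO=${REPO%.git}
    # Allow-list the name: not empty, not absolute, no leading "-", no "..",
    # and no character outside a conservative set (blocks quotes, spaces, ";").
    case "$REPO" in
        ''|/*|-*|*..*|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
}

# authorize USER CMD: exit status 0 = allow, 1 = deny (default deny).
# USER is the forced command's argument; CMD is $SSH_ORIGINAL_COMMAND from sshd.
authorize() {
    user=$1
    parse_request "$2" || return 1
    while read -r perm repo who; do
        [ "$repo" = "$REPO" ] && [ "$who" = "$user" ] || continue
        case "$VERB$perm" in RR|RRW|WRW) return 0 ;; esac
    done <<EOF
$RULES
EOF
    return 1
}

# Demo on constructed requests; a real wrapper would pass "$1" and
# "$SSH_ORIGINAL_COMMAND", then hand an allowed request on to git.
for u in alice wally; do
    for c in "git-upload-pack 'foo.git'" "git-receive-pack 'foo.git'"; do
        if authorize "$u" "$c"; then echo "allow $u: $c"; else echo "deny  $u: $c"; fi
    done
done
```

An empty `SSH_ORIGINAL_COMMAND` (an interactive login attempt) fails `parse_request` and is denied, which matches the `no-pty` restriction on the key line.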