
I have implemented a git server using all necessary hooks mentioned in the Git Hooks section. While implementing the server-side hook for user ACL which is available in this link, I have the following issues:

  • I have 130 folders in the repository but I want to deny access to only 2 folders in this repository and allow access to all the other folders.
  • To do so, in the 'acl_file' I have added all the folder names in the specified format. So, there are 130 folders in this file and it is very difficult to go and check whether the user is available in the entry for each folder.
  • Also, I cannot keep checking which developer is checking in the files in which folder.

All I want is this: is there a way to simply give an entry in this 'acl_file' so that all the users will receive access to all the folders except the two special folders whose access has to be restricted?

Note:

I tried to provide avail to all the folders by giving the following line:

avail|user1,user2| - grant permission to all folders

unavail|user1|xyz - deny permission to xyz folder.

But the user1 gets access for xyz folder even though I have given unavail for the folder.

As this does not work, can anyone provide an alternate method that will provide access to all folders in the repository and deny permission for any specific folder alone?

Orochimaru
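As an added example (not part of this thread and not the contrib ACL script the question refers to), an update hook that reads rules in the question's avail/unavail format but makes an 'unavail' entry override an 'avail' entry, so a blanket "avail all folders" plus two 'unavail' lines gives the behaviour asked for. The inline rule text, the USER environment variable and the rule file layout are assumptions.

```python
#!/usr/bin/env python3
"""Git 'update' hook with deny-wins directory ACL (constructed example)."""
import os
import subprocess
import sys

# Rules use the question's format: keyword|comma-separated users|path.
# An empty path means the whole repository. Constructed sample; in a real
# deployment these lines would be read from the 'acl_file'.
ACL_TEXT = """\
avail|user1,user2|
unavail|user1|xyz
unavail|user1,user2|secrets/
"""

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, users, path = (line.split("|", 2) + [""])[:3]
        names = {u.strip() for u in users.split(",") if u.strip()}
        rules.append((kind, names, path.strip("/")))
    return rules

def _matches(rule_path, file_path):
    # "" matches everything; otherwise match the folder itself or anything below it
    return rule_path == "" or file_path == rule_path or file_path.startswith(rule_path + "/")

def denied_paths(user, changed_paths, rules):
    """Return the changed paths this user may not touch (unavail beats avail)."""
    denied = []
    for p in changed_paths:
        blocked = any(k == "unavail" and user in us and _matches(rp, p) for k, us, rp in rules)
        allowed = any(k == "avail" and user in us and _matches(rp, p) for k, us, rp in rules)
        if blocked or not allowed:
            denied.append(p)
    return denied

def main(argv):
    refname, old, new = argv[1:4]
    user = os.environ.get("USER", "")  # assumption: hook runs as the pushing user's account
    # For a brand-new ref, inspect only commits not already reachable from existing refs.
    rev = [new, "--not", "--all"] if set(old) == {"0"} else [f"{old}..{new}"]
    out = subprocess.run(["git", "log", "--name-only", "--format="] + rev,
                         capture_output=True, text=True, check=True).stdout
    changed = sorted({p for p in out.splitlines() if p})
    bad = denied_paths(user, changed, parse_acl(ACL_TEXT))
    if bad:
        print(f"{refname}: {user} may not modify: {', '.join(bad)}", file=sys.stderr)
        return 1  # non-zero exit makes git reject the ref update
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```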

2 Answers


An alternate method would use an alternate tool: gitolite (a perl script which would run alongside your git server, and would be called by your front-end listener, like the Apache Server).

Gitolite is an authorization layer which manages all kinds of ACL, including folder management, through VREFs (update hooks).

The VREF page includes the example:

Another way to use this is when you know what is allowed instead of what is not allowed.
Let's say the QA person is only allowed to touch a file called CHANGELOG and any files in a directory called ReleaseNotes:

repo foo
        RW+                             =   @senior_devs
        RW                              =   @junior_devs
        RW+                             =   QA-guy

        RW+ VREF/NAME/CHANGELOG         =   QA-guy
        RW+ VREF/NAME/ReleaseNotes/     =   QA-guy
        -   VREF/NAME/                  =   QA-guy

A VREF is a hook (managed by gitolite), so the VREF/NAME one is a good fit for file/folder limitations.

VonC
  • Doesn't gitolite require to get the ssh key from all the developers? – Orochimaru Jan 02 '15 at 11:52
  • @Orochimaru not if you are calling gitolite from your Apache server (if you have one in front of your Git on your Git server). Example: http://stackoverflow.com/a/21303301/6309. In that case, no ssh keys required: only the username/password that Apache will check, since an http or ssh listener are here for authentication, leaving the authorization part to gitolite. – VonC Jan 02 '15 at 11:54
  • That is the problem here for me. I cannot run Apache server in my Git server machine – Orochimaru Jan 02 '15 at 12:08
  • @Orochimaru then ssh it is: all user public keys will be registered in the gitolite-admin repo, named after the username, which will allow gitolite to use the right identity in order to perform the authorization. – VonC Jan 02 '15 at 12:10
  • Isn't there a way using this hook script? I would be grateful if there is one. – Orochimaru Jan 02 '15 at 12:33
  • @Orochimaru VREF/NAME *is* a hook (part of the update hook actually: https://github.com/sitaramc/gitolite/blob/master/src/lib/Gitolite/Hooks/Update.pm#L54-L60) – VonC Jan 02 '15 at 13:16

Git doesn't support acl within one repository.

To give different access levels to different data you need to split it into different repositories.
After that you'll be able to control access to each repo separately.

Now to gather all that data into one folder you'll need to use Git Submodules.

Victor Yarema