20

We are considering switching our VCS to either git or subversion. I'd prefer switching to git, but subversion has a nice feature that I don't see in git : per directory access control.

We currently have project1, project2 repositories in cvs, with different permissions. We'd like to have one single repository, with two directories project1 & project2 with different permissions. Is it doable with git as it is with svn ?

I'm aware of submodules, which could probably achieve that, but the goal for us is to be able to do one single commit with changes in project1 & project2.

We mainly have IP issues, and want to be sure that some people can't read (not just push) some directories. So, is git up for the challenge or will I have to use git-svn ?

Thanks

Wam
  • 810
  • 1
  • 8
  • 19

3 Answers3

5

It is doable with a central repo with access (push/pull) managed by gitolite.
See its features.

If you combine that with submodules (which you are aware of), you would only manage per-repo or per branch access and still commit both project1 and project2 (with two commits in case of a subrepo: see this question)

If you insist on working with one repo (even though you have to set of data which could evolve with their own lifecycle, which should make them good candidates for modules), then the gitolite features do include:

file/dir NAME based restrictions

In addition to branch-name based restrictions, gitolite also allows you to restrict what files or directories can be involved in changes being pushed

dpk mentions in the comments that this last feature (the file/dir name restriction) is detailed in the conf/example.conf file of Gitolite.

Community
  • 1
  • 1
VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • Yeah, saw that, but it seems to me that permissions here are about blocking pushs, not read on cloning. I barely see how cloning stuff would go along with this kind of read denial. – Wam Jun 29 '10 at 11:05
  • @Wam: for reading, you *have* to use the submodule approach: gitolite will prevent any cloning and pulling from a repo with the right ACLs (and a submodule is a Git repo of its own). In other word, it will block pull at the repo or branch level. – VonC Jun 29 '10 at 11:09
  • yes, but then I lose the "single commit / single push / single pull" functionnality – Wam Jun 29 '10 at 11:12
  • @Wam: yes, you loose it because in a true configuration management (when you have to commit first your changes to submodules, then commit the new submodule reference to the parent repo), it doesn't make sense: see Git submodules vs. SVN externals: http://stackoverflow.com/questions/3131912/why-are-git-submodules-incompatible-with-svn-externals/3132221#3132221 – VonC Jun 29 '10 at 11:23
  • @Wam: but it is ok though. A simple git alias can make those two commits in one smooth step. – VonC Jun 29 '10 at 11:24
  • Couldn't easily find the documentation for this feature, so I'll just link here for other folks that search and end up on this SO page: https://github.com/sitaramc/gitolite/blob/pu/conf/example.conf –  Jul 25 '11 at 22:45
  • 1
    @dpk: excellent. I have added that link in the answer for more visibility. – VonC Jul 26 '11 at 03:52
  • @VonC the features link is broken – ihebiheb May 17 '16 at 23:06
  • 1
    @ihebiheb Thank you. I have restored this link as well as the last one (`conf/example.conf`) – VonC May 18 '16 at 06:06
3

Try nigit https://github.com/kingsimba/nigit. My team(over 30 people) has been using it for years.

It can manage correlated projects as a whole, by pulling them together, switching branch together, etc. Each project has its own collaborators and permissions.

If someone don't have permission to some source code(subprojects), they can use the compiled binaries.

$ nigit status
=== nigit ===
+ some_new_file
- some_deleted_file
M some_modified_file
? some_untracked_file
=== ncgeo ===
- other_deleted_file
? other_untracked_file
Zhaolin Feng
  • 428
  • 4
  • 8
  • Exactly what I need! This is such a graceful solution to solve the shortcoming of git on per-directory permission. – Wang Yudong Apr 16 '20 at 11:30
  • We have a similar use-case, but need to download conan packages if the user cannot access the corresponding submodule as an alternative. See the issue here: https://github.com/kingsimba/nigit/issues/9 I'm happy for any suggestions. – Stefan Profanter Jan 19 '21 at 09:26
0

I experimented with some kind of Git hooks + partial clone + HTTP reverse proxy to have Github read permission per folder, it's far from perfect but it's a possible direction, it can be found here.

Yaron Shani
  • 176
  • 7