Basic access to a
git repository is fairly easy.
--shared when initializing your
chgrp <your group> to the repository directory and your done. Now everyone in
<your group> has read and write access to the repository with their account.
So what do I need?
- An easy way to tell which user can actually write or not
- A solution easy to integrate with my actual configuration manager - Here rudder/cfengine
Gitolite - to name the widely used tool for this kind of case - requires to install a bunch of script files, set a common git user, and store all its settings in a specific
git repository. Definitely not practical to integrate in a configuration management tool.
How to do it then?
It is actually very easy to achieve these requirements with only basic linux settings and
- Read access:
- ssh + user group
- Write access:
githook + acl file
Create your new
git init --bare --shared <repo> chgrp -R <your group> <repo> chmod o-rx <repo> ls -ld <repo> drwxrws--- 7 root <your group> 10 Oct 21 09:40 <repo>
<repo>/hooks/update by the following
This script checks the type of command you're sending and validates if your username is listed in the
git.acl file and exits accordingly.
#!/bin/env python import os, sys, subprocess, ConfigParser refname = sys.argv oldrev = sys.argv newrev = sys.argv user = os.getenv('USER') revtype = ['commit', 'delete', 'tag'] config = ConfigParser.RawConfigParser() config.read('./git.acl') users = config.get('users', 'write').split() print refname print "oldrev="+oldrev print "newrev="+newrev print user cmd = 'git cat-file -t %s' % (newrev) process = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=None, shell=True) output = process.communicate() thistype = output[:-1] if ( thistype in revtype and not user in users): print "!!! You're not authorized to push code to this repo" sys.exit(1) sys.exit(0)
[users] write = admin joe bob brad
The script could easily be extented to do more granular rights - allow pushing to branches but not to master, which branches a user could push to, etc... - while still being very easy to deploy using your favorite configuration management tool.