wildrepos: expanded access reporting
This feature has *no* warranty, and so no documentation. Not more than
this transcript anyway.
config file:
@prof = u1
@TAs = u2 u3
@students = u4 u5 u6
repo assignments/CREATER/a[0-9][0-9]
C = @students
RW+ = CREATER
RW = WRITERS @TAs
R = READERS @prof
session:
as user "u4":
# check your permissions
$ ssh git@server
PTY allocation request failed on channel 0
hello u4, the gitolite version here is v0.95-31-gbcb14ca
you have the following permissions:
C assignments/CREATER/a[0-9][0-9]
@ @ testing
Connection to localhost closed.
# autovivify repos for assignment 12 and 24
$ git clone git@server:assignments/u4/a12 a12
Initialized empty Git repository in /home/sitaram/t/a12/.git/
Initialized empty Git repository in /home/gitolite/repositories/assignments/u4/a12.git/
warning: You appear to have cloned an empty repository.
$ git clone git@server:assignments/u4/a24 a24
Initialized empty Git repository in /home/sitaram/t/a24/.git/
Initialized empty Git repository in /home/gitolite/repositories/assignments/u4/a24.git/
warning: You appear to have cloned an empty repository.
# check what repos you autovivified
$ ssh git@server expand assignments/u4/a[0-9][0-9]
(u4) assignments/u4/a12
(u4) assignments/u4/a24
as user "u5":
# check your basic permissions
$ ssh git@server
PTY allocation request failed on channel 0
hello u5, the gitolite version here is v0.95-31-gbcb14ca
you have the following permissions:
C assignments/CREATER/a[0-9][0-9]
@ @ testing
Connection to localhost closed.
# see if you have access to any of u4's repos
$ ssh git@server expand assignments/u4/a[0-9][0-9]
# (no output produced)
as user "u4":
# allow "u5" read access to assignment 12
# note you type in "R u5", hit enter, then hit Ctrl-D. Gitolite
# then produces a confirmation message starting "New perms are:"
$ ssh git@server setperms assignments/u4/a12
R u5
New perms are:
R u5
as user "u5":
# again see if you have access to any u4 repos
$ ssh git@server expand assignments/u4/a[0-9][0-9]
(u4) assignments/u4/a12
as user "u4":
# check what permissions you gave to assignment 12
$ ssh git@server getperms assignments/u4/a12
R u5
# add RW access to "u6" to assignment 12
# again, type 'em in, then hit Ctrl-D; and note each time you run
# this you're starting from scratch -- you can't "add to" the
# permissions. Deal with it...
$ ssh git@server setperms assignments/u4/a12
R u5
RW u6
New perms are:
R u5
RW u6
as user "u6":
# check what u4 stuff you have access to
$ ssh git@server expand assignments/u4/a[0-9][0-9]
(u4) assignments/u4/a12
This commit is contained in:
Sitaram Chamarty
parent
f620044156
commit
02cee1d5cf
|
|
@ -134,23 +134,23 @@ cumbersome for non-secret environments.
|
|||
Create a small text file that contains the permissions you desire:
|
||||
|
||||
$ cat > myperms
|
||||
R user1 user3
|
||||
RW user2
|
||||
R u5
|
||||
RW u6
|
||||
(hit ctrl-d here)
|
||||
|
||||
...and use the new "getperms" command to set permissions for your repo:
|
||||
|
||||
$ ssh git@server setperms XXX/XXX/XXX < myperms
|
||||
$ ssh git@server setperms assignments/u4/a12 < myperms
|
||||
New perms are:
|
||||
R user1 user3
|
||||
RW user2
|
||||
R u5
|
||||
RW u6
|
||||
|
||||
'setperms' will helpfully print what the new permissions are but you can also
|
||||
use 'getperms' to check:
|
||||
|
||||
$ ssh git@server getperms XXX/XXX/XXX
|
||||
R user1 user3
|
||||
RW user2
|
||||
$ ssh git@server getperms assignments/u4/a12
|
||||
R u5
|
||||
RW u6
|
||||
|
||||
The following points are important:
|
||||
|
||||
|
|
@ -172,11 +172,6 @@ This still works, except the format is a little more compressed to accommodate
|
|||
a new column (at the start) for "C" permissions, which indicate that you are
|
||||
allowed to *create* repos matching that pattern.
|
||||
|
||||
In addition, there's a second level of reporting now, which is used to find
|
||||
what *actual* repos are available when you supply a pattern.
|
||||
|
||||
XXX to be done XXX
|
||||
|
||||
### Other issues and discussion
|
||||
|
||||
* *what if the repo name being pushed matches more than one pattern*?
|
||||
|
|
|
|||
|
|
@ -156,8 +156,8 @@ sub parse_acl
|
|||
|
||||
# void $r if same as $w (otherwise "readers" overrides "writers"; this is
|
||||
# the same problem that needed a sort sub for the Dumper in the compile
|
||||
# script, but localised to just $readers and $writers)
|
||||
$r = "" if $r eq $w;
|
||||
# script, but in this case it's limited to just $readers and $writers)
|
||||
$r = "NOBODY" if $r eq $w;
|
||||
|
||||
# set up the variables for a parse to interpolate stuff from the dumped
|
||||
# hash (remember the selective conversion of single to double quotes?).
|
||||
|
|
@ -209,5 +209,35 @@ sub report_basic
|
|||
print "$perm\t$r\n\r" if $perm =~ /\S/;
|
||||
}
|
||||
}
|
||||
1;
|
||||
|
||||
# ----------------------------------------------------------------------------
|
||||
# print a report of $user's basic permissions
|
||||
# ----------------------------------------------------------------------------
|
||||
|
||||
sub expand_wild
|
||||
{
|
||||
my($GL_CONF_COMPILED, $repo_base_abs, $repo, $user) = @_;
|
||||
|
||||
# display matching repos (from *all* the repos in the system) that $user
|
||||
# has at least "R" access to
|
||||
|
||||
chdir("$repo_base_abs") or die "chdir $repo_base_abs failed: $!\n";
|
||||
for my $actual_repo (`find . -type d -name "*.git"|sort`) {
|
||||
chomp ($actual_repo);
|
||||
$actual_repo =~ s/^\.\///;
|
||||
$actual_repo =~ s/\.git$//;
|
||||
# it has to match the pattern being expanded
|
||||
next unless $actual_repo =~ /^$repo$/;
|
||||
|
||||
# find the creater and subsitute in repos
|
||||
my ($creater, $read, $write) = &repo_rights($repo_base_abs, $actual_repo, $user);
|
||||
# get access list with this
|
||||
&parse_acl($GL_CONF_COMPILED, "", $creater, $read || "NOBODY", $write || "NOBODY");
|
||||
|
||||
# you need a minimum of "R" access to the regex we're talking about
|
||||
next unless $repos{$repo}{R}{'@all'} or $repos{$repo}{R}{$user};
|
||||
print STDERR "($creater)\t$actual_repo\n";
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
|
|
|||
|
|
@ -80,7 +80,7 @@ if ($cmd =~ $CUSTOM_COMMANDS) {
|
|||
}
|
||||
elsif ($repo !~ $REPONAME_PATT and $verb eq 'expand') {
|
||||
# with a wildcard, you can "expand" it to see what repos actually match
|
||||
die "not implemented yet\n";
|
||||
expand_wild($GL_CONF_COMPILED, $repo_base_abs, $repo, $user);
|
||||
} else {
|
||||
die "$cmd doesn't make sense to me\n";
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue