Hosting git repositories -- Gitolite allows you to setup git hosting on a central server, with very fine-grained access control and many (many!) more powerful features.
Find a file
Sitaram Chamarty 509c73b888 gitweb/daemon now work for wild repos also
(thanks to Kevin Fleming for the need/use case)

TODO: tests
TODO: proper documentation; meanwhile, just read this:

  - you can give gitweb and daemon read rights to wild card repos also,
    and it'll all just work -- when a new repo is 'C'reated, it'll pick
    up those rights etc

  - you can assign descriptions (and owners) to individual repos as
    before, except now you can assign them to repos that actually were
    created from wild card patterns.  So for example, you can define
    rules for

        repo foo/..*

    and then assign descriptions like

        foo/repo1 = "repo one"
        foo/repo2 = "repo two"
        foo/dil "scott" = "scott's dilbert repo"

    However, this only works for repos that already exist, and only when
    you push the admin repo.

    Thumb rule: have the user create his wild repo, *then* add and push
    the admin config file with the description.  Not the other way
    around.

implementation notes:

  - wildcard support for git config revamped, refactored...

    it's not just git config that needs wildcard support.  daemon and
    gitweb access also will be needing it soon, so we start by factoring
    out the part that finds the "pattern" given a "real" repo name.

  - GL_NO_DAEMON_NO_GITWEB now gates more than just those two things;
    see doc/big-config.mkd for details

  - we trawl through $GL_REPO_BASE_ABS *once* only, collecting repo
    names and tying them to either the same name or to a wild pattern
    that the repo name was created from

  - nice little subs to setup gitweb, daemon, and git config

  - god bless $GL_REPOPATT and the day I decided to set that env var
    whenever a user hits a wild repo in any way :-)

  - the code in gl-compile-conf is very simple now.  Much nicer than
    before
2010-08-11 22:38:16 +05:30
conf git config settings in wild repos: part 1 2010-08-11 22:38:15 +05:30
contrib Add GL_WILDREPOS_DEFPERMS 2010-06-22 17:20:23 +05:30
doc mirroring support... 2010-08-11 22:37:35 +05:30
hooks mirroring support... 2010-08-11 22:37:35 +05:30
src gitweb/daemon now work for wild repos also 2010-08-11 22:38:16 +05:30
t new tests: t55 and t56 for repo config with wildrepos 2010-08-11 22:38:15 +05:30
.gitattributes docs and .gitattributes hadn't been updated for the change in hooks dir 2010-03-10 06:24:53 +05:30
.gitignore add conf/VERSION to .gitignore 2010-03-02 05:39:19 +05:30
Makefile Makefile: now default is as simple as "make" 2010-05-14 11:27:55 +05:30
README.mkd <sigh> 2010-07-06 05:53:35 +05:30

gitolite

Gitolite is an access control layer on top of git, which allows access control down to the branch level, including specifying who can and cannot rewind a given branch.

This README will give you a quick intro. All documentation is available within the source repo, in markdown format. If you want to read it without cloning the source repo, just hit this link and read nicely HTML-ised versions of all the docs (automatic rendering of markdown to HTML courtesy github).


In this document:


what

Gitolite allows a server to host many git repositories and provide access to many developers, without having to give them real userids on or shell access to the server. The essential magic in doing this is ssh's pubkey access and the authorized_keys file, and the inspiration was an older program called gitosis.

Gitolite can restrict who can read from (clone/fetch) or write to (push) a repository. It can also restrict who can push to what branch or tag, which is very important in a corporate environment. Gitolite can be installed without requiring root permissions, and with no additional software than git itself and perl. It also has several other neat features described below and elsewhere in the doc/ directory.

why

Gitolite is separate from git, and needs to be installed and configured. So... why do we bother?

Gitolite is useful in any server that is going to host multiple git repositories, each with many developers, where some sort of access control is required.

In theory, this can be done with plain old Unix permissions: each user is a member of one or more groups, each group "owns" one or more repositories, and using unix permissions (especially the setgid bit -- chmod g+s) you can allow/disallow users access to repos.

But there are several disadvantages here:

  • every user needs a userid and password on the server. This is usually a killer...!
  • adding/removing access rights involves complex usermod -G ... mumblings which most admins would rather not deal with, thanks to you-know-who
  • viewing (aka auditing) the current set of permissions requires running multiple commands to list directories and their permissions/ownerships, users and their group memberships, and then correlating all these manually
  • auditing historical permissions or permission changes is pretty much impossible without extraneous tools
  • errors or omissions in setting the permissions exactly can cause problems of either kind: false accepts or false rejects
  • without going into ACLs it is not possible to give someone read-only access to a repo; they either get read-write access or no access
  • it is absolutely impossible to restrict pushing by branch name or tag name.

Gitolite does away with all this:

  • it uses ssh magic to remove the need to give actual unix userids to developers
  • it uses a simple but powerful config file format to specify access rights
  • access control changes are affected by modifying this file, adding or removing user's public keys, and "compiling" the configuration
  • this also makes auditing trivial -- all the data is in one place, and changes to the configuration are also logged, so you can audit them.
  • finally, the config file allows distinguishing between read-only and read-write access, not only at the repository level, but at the branch level within repositories.

other features

The most important feature I needed was per-branch permissions. This is pretty much mandatory in a corporate environment, and is almost the single reason I started thinking about writing gitolite.

It's not just "read-only" versus "read-write". Rewinding a branch (aka "non fast forward push") is potentially dangerous, but sometimes needed. So is deleting a branch (which is really just an extreme form of rewind). I needed something in between allowing anyone to do it (the default) and disabling it completely (receive.denyNonFastForwards or receive.denyDeletes).

Here're some more features. All of them, and more, are documented in detail somewhere in gitolite's doc/ subdirectory.

  • simple, yet powerful, config file syntax, including specifying gitweb/daemon access. You'll need this power if you manage lots of users+repos+combinations of access
  • apart from branch-name based restrictions, you can also restrict by file/dir name changed (i.e., output of git diff --name-only)
  • if your requirements are still too complex, you can split up the config file and delegate authority over parts of it
  • easy to specify gitweb owner, description and gitweb/daemon access
  • easy to sync gitweb (http) authorisation with gitolite's access config
  • comprehensive logging [aka: management does not think "blame" is just a synonym for "annotate" :-)]
  • "personal namespace" prefix for each dev
  • migration guide and simple converter for gitosis conf file
  • "exclude" (or "deny") rights at the branch/tag level
  • specify repos using patterns (patterns may include creator's name)
  • define powerful operations on the server side, even github-like forking

security

Due to the environment in which this was created and the need it fills, I consider this a "security" program, albeit a very modest one.

For the first person to find a security hole in it, defined as allowing a normal user (not the gitolite admin) to read a repo, or write/rewind a ref, that the config file says he shouldn't, and caused by a bug in code that is in the "master" branch, (not in the other branches, or the configuration file or in Unix, perl, shell, etc.)... well I can't afford 1000 USD rewards like djb, so you'll have to settle for 5000 INR (Indian Rupees) as a "token" prize :-)

However, there are a few optional features (which must be explicitly enabled in the RC file) where I just haven't had the time to reason about security thoroughly enough. Please read the comments in conf/example.gitolite.rc for details, looking for the word "security".


contact and license

Gitolite is released under GPL v2. See COPYING for details.

sitaramc@gmail.com mailing list: gitolite@googlegroups.com