Questions regarding deny push & repo creation for customers

Matt Mackall mpm at selenic.com
Fri Jan 9 20:21:53 UTC 2015


On Fri, 2015-01-09 at 18:28 +0000, Mcadams, Philip W wrote:
> Hello,
> 
> I have a couple of problems that we are trying to solve internally and seeking help from the wider Mercurial community:
> 
> 
> 1)      Disallow pushing to a repository: Currently our team is trying
> to solve a problem of locking down our main repository once someone
> pushes bad code to allow engineers to fix the repository.  The
> original process used was to send an email to all engineers stating to
> "not push" until informed that they could.  As you could guess that
> process has not been successful.  Currently we are working on a hook
> to manage the allow/deny push and in the meantime we are simply
> removing the write permissions directly on the repository (we are on
> Windows).  We've found documentation on modifying the .hgrc file's
> "allow_push" parameter and are still testing it.  My question is if
> there is an official method recommended by Mercurial to solve this
> problem?  Is changing the "allow_push" parameter it? Ideally we would
> like the customer to have control of the lock/unlock and are
> considering creating a script that would allow the customer to update
> the hgrc file directly through their script.  Before continuing to
> hack at this I thought I'd ask if there is a way to solve this problem
> that we are not considering.

Usually people working at a larger scale where they'd encounter these
sorts of issues regularly have already implemented some sort of gating
between push and the main repo to solve other problems like review
sign-off, automated testing, etc. Since we don't aim to solve _that_ set
of problems out of the box, we haven't gotten many questions about this.

There are any number of ways to make hg reject pushes. The ideal one
would give a clear indication of the cause so people don't waste time
banging their head against their desks wondering why their credentials
don't work. So that probably means adding a hook that returns an error
message: "the repo is locked for maintenance; see your email".

> 2)      Automating Repo Creation: Currently there is a request for
> customers to be able to create their own Mercurial repositories.  Our
> current process involves the Mercurial systems administrator manually
> creating repositories directly on the Mercurial server.  We are
> working on creating a Web interface that would allow a customer to
> create a repo and apply the appropriate permissions.  My question here
> is if there is a way to do this through the hgweb directly or through
> a third party tool that I'm not aware of?

I don't know of such a tool. And hgweb makes an effort to maximally
distance itself from admin and security concerns. It's already a bit of
a configuration headache, making it a security nightmare out of the box
is unappealing.

I've always hoped someone would make a simple user and repo management
add-on that did that (and only that), but web folks tend to be grandiose
and want to create entire take-it-or-leave-it solutions like Kallithea.

-- 
Mathematics is the supreme nostalgia of our time.
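
The hook approach suggested in the reply above, as an added example that is not part of the original message and not Mercurial's own code: an in-process hook that rejects incoming changes while a lock file exists and tells the pusher why. The file name `push-lock`, the module name `lockhook.py` and the hgrc path are assumptions made for illustration.

```python
# lockhook.py: added example, not Mercurial's own code.
# Assumed server-side hgrc wiring (the path is a placeholder):
#   [hooks]
#   prechangegroup.lock = python:/path/to/lockhook.py:check_lock
#   prepushkey.lock     = python:/path/to/lockhook.py:check_lock
import os

LOCK_NAME = b"push-lock"  # hypothetical file name inside .hg/
DEFAULT_MSG = b"the repo is locked for maintenance; see your email"
MAX_REASON = 200          # cap how much of the file is echoed to clients


def lock_reason(repo_root):
    """Return None if pushes are allowed, else the message to show (bytes)."""
    path = os.path.join(repo_root, b".hg", LOCK_NAME)
    if not os.path.exists(path):
        return None
    try:
        with open(path, "rb") as fh:
            first = fh.readline(MAX_REASON).strip()
    except OSError:
        # Lock file is present but unreadable: stay locked, use default text.
        first = b""
    # Keep printable ASCII only, so whoever writes the lock file cannot
    # send terminal control sequences to every client that tries to push.
    reason = bytes(c for c in first if 32 <= c < 127)
    return reason or DEFAULT_MSG


def check_lock(ui, repo, hooktype=None, **kwargs):
    """In-process hook: a true return value makes Mercurial reject the push."""
    reason = lock_reason(repo.root)
    if reason is None:
        return False
    ui.warn(b"push rejected: " + reason + b"\n")
    return True
```

Locking then means creating `.hg/push-lock` (optionally with a one-line reason) and unlocking means deleting it, so the person who controls the lock needs write access to that one file rather than to the hgrc.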




