Questions regarding deny push & repo creation for customers

Angel Ezquerra angel.ezquerra at gmail.com
Fri Jan 9 21:21:54 UTC 2015


On 09/01/2015 21:22, "Matt Mackall" <mpm at selenic.com> wrote:
>
> On Fri, 2015-01-09 at 18:28 +0000, Mcadams, Philip W wrote:
> > Hello,
> >
> > I have a couple of problems that we are trying to solve internally and
> > seeking help from the wider Mercurial community:
> >
> >
> > 1) Disallow pushing to a repository: Currently our team is trying
> > to solve a problem of locking down our main repository once someone
> > pushes bad code to allow engineers to fix the repository.  The
> > original process used was to send an email to all engineers stating to
> > "not push" until informed that they could.  As you could guess that
> > process has not been successful.  Currently we are working on a hook
> > to manage the allow/deny push and in the meantime we are simply
> > removing the write permissions directly on the repository (we are on
> > Windows).  We've found documentation on modifying the .hgrc file's
> > "allow_push" parameter and are still testing it.  My question is if
> > there is an official method recommended by Mercurial to solve this
> > problem?  Is changing the "allow_push" parameter it? Ideally we would
> > like the customer to have control of the lock/unlock and are
> > considering creating a script that would allow the customer to update
> > the hgrc file directly through their script.  Before continuing to
> > hack at this I thought I'd ask if there is a way to solve this problem
> > that we are not considering.
>
> Usually people working at a larger scale where they'd encounter these
> sorts of issues regularly have already implemented some sort of gating
> between push and the main repo to solve other problems like review
> sign-off, automated testing, etc. Since we don't aim to solve _that_ set
> of problems out of the box, we haven't gotten many questions about this.
>
> There are any number of ways to make hg reject pushes. The ideal one
> would give a clear indication of the cause so people don't waste time
> banging their head against their desks wondering why their credentials
> don't work. So that probably means adding a hook that returns an error
> message: "the repo is locked for maintenance; see your email".
>
> > 2) Automating Repo Creation: Currently there is a request for
> > customers to be able to create their own Mercurial repositories.  Our
> > current process involves the Mercurial systems administrator manually
> > creating repositories directly on the Mercurial server.  We are
> > working on creating a Web interface that would allow a customer to
> > create a repo and apply the appropriate permissions.  My question here
> > is if there is a way to do this through the hgweb directly or through
> > a third party tool that I'm not aware of?
>
> I don't know of such a tool. And hgweb makes an effort to maximally
> distance itself from admin and security concerns. It's already a bit of
> a configuration headache, making it a security nightmare out of the box
> is unappealing.
>
> I've always hoped someone would make a simple user and repo management
> add-on that did that (and only that), but web folks tend to be grandiose
> and want to create entire take-it-or-leave-it solutions like Kallithea.

I actually made a set of simple, custom CGI scripts that let you create new
repos and new repository "links" (repository hard links) a while ago. We
use them in our internal Apache-based Windows hgweb server.

I might publish them somewhere if there is some interest. They work well
but when I wrote them I never thought they would be made public so the code
could be improved a lot.

Angel
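
The hook Matt Mackall describes above (reject the push and say why) could look like the following in-process Python hook, enabled on the server with a `[hooks]` entry such as `prechangegroup.pushlock = python:/path/to/pushlock.py:check_lock`. This is an added example, not code from the thread or from the Mercurial project; the `push.lock` file name, its JSON fields, the helper names and the path are assumptions, and it assumes Mercurial on Python 3 (bytes for `repo.root` and `ui.warn`).

```python
"""Push-lock hook for a Mercurial server repository (added example)."""
import json
import os
import time

LOCK_NAME = "push.lock"  # hypothetical file name, kept inside .hg/


def lock_path(repo_root):
    # repo.root is bytes on Python 3 Mercurial; fsdecode accepts str too.
    return os.path.join(os.fsdecode(repo_root), ".hg", LOCK_NAME)


def lock_repo(repo_root, owner, reason):
    """Create the lock atomically; raises FileExistsError if already locked."""
    record = {"owner": owner, "reason": reason,
              "since": time.strftime("%Y-%m-%d %H:%M")}
    # O_EXCL makes creation atomic, so two people cannot both take the lock.
    fd = os.open(lock_path(repo_root), os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "w") as fh:
        json.dump(record, fh)


def unlock_repo(repo_root):
    os.remove(lock_path(repo_root))


def lock_message(repo_root):
    """Return the rejection text if the repo is locked, else None."""
    try:
        with open(lock_path(repo_root)) as fh:
            rec = json.load(fh)
        return "the repo is locked for maintenance by %s since %s: %s" % (
            rec["owner"], rec["since"], rec["reason"])
    except FileNotFoundError:
        return None
    except (OSError, ValueError, KeyError, TypeError):
        # Fail closed: a damaged or unreadable lock file still blocks pushes.
        return "the repo is locked for maintenance (lock file unreadable)"


def check_lock(ui, repo, hooktype=None, **kwargs):
    """Hook entry point; a true return value makes Mercurial reject the push."""
    msg = lock_message(repo.root)
    if msg is None:
        return False
    ui.warn(("abort: %s\n" % msg).encode("utf-8"))
    return True
```

Locking and unlocking are plain file operations inside `.hg`, so whoever may run `lock_repo` and `unlock_repo` controls pushes without editing hgrc or changing filesystem permissions.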