I have Mercurial set up by following these instructions.

I'm trying to understand where or what file to set up the users in. Everything I've read seems kind of cryptic... it gives all these snippets of code saying use this but it seems to be leaving out steps of how it's all connected and what file to put the snippets of code in... can someone please de-mystify all this for the ID10T@TheKeyboard?

A: 

Keep in mind that the basic model of Mercurial cannot actually prevent anybody from checking something in. The only thing it can do is prevent those users from uploading something to your copy of the repository.

IIS can set up authentication so that Mercurial knows which user is doing the uploading and so only certain users are even allowed to try to upload. If all you care about is limiting who has commit access to your repository you can stop right here. But if you want something finer grained, I think you are currently out of luck.

But, if it ever ends up working with web server authentication, you'll have to use the ACL extension if you want finer grained access control than simply who's allowed to send changesets to your repository.

The way the ACL extension works when changes are being sent over a network is as a pre-transaction hook on changegroups (a set of Mercurial revisions). It can look through these changegroups to make sure all the changes satisfy a given set of criteria. There are a wide variety of criteria that can be specified.

The ACL extension can be configured either in the global hgrc file, in which case it applies to all repositories, or the .hg/hgrc file of the repository you want to control access to. In my opinion the global option isn't terribly useful.

Omnifarious
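
For the question of which file the snippets go in, an added example (not part of the answer above) of a per-repository `.hg/hgrc` that enables the ACL extension on the server copy. The user names, the `release` group and the paths are constructed placeholders.

```ini
# <repository>/.hg/hgrc  (per-repository file on the server; no leading dot)
# Constructed example: user names, group name and paths are placeholders.

[extensions]
# Enable the ACL extension that ships with Mercurial
acl =

[hooks]
# Check every incoming changegroup before the transaction is committed;
# if the hook refuses one changeset, the whole push is rolled back.
pretxnchangegroup.acl = python:hgext.acl.hook

[acl]
# Apply the rules to changesets arriving through the server (push),
# not to local commits.
sources = serve

[acl.groups]
# Groups defined here are referenced below with an @ prefix
release = admin1, admin2

[acl.deny]
# Checked first: a match here refuses the push and acl.allow is not consulted
.hgtags = user1, user2, user3

[acl.allow]
# Once this section exists, a file matched by no line is refused
docs/** = user1, user2, user3
src/** = user1, user2
** = @release
```

The rules are matched against the user the server identifies for the push, not the author name recorded inside each changeset, so they only mean something when the web server authenticates the connection.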
Ok I did read that.. my understanding is that you do all that in the HGRC.. where am I supposed to put the hgrc file? Does it go in the config folder of Mercurial or does it go in the .hg folder, and do you need a separate one for each repo? This is what I'm not getting.
Sifter3
.hgrc is a repository configuration file. It exists in the .hg directory of an HG repository
Crippledsmurf
@Crippledsmurf - Actually, `.hgrc` is a per-user configuration file that's usually in a user's home directory. I'm not sure what the Windows equivalent is. The per-repository file is `.hg/hgrc` (no dot).
Omnifarious
Indeed I revoke my previous statement. I apologize if it caused any confusion
Crippledsmurf
Am I only going to be able to test this if the server's port is exposed to the web?
Sifter3
@Sifter3 - No. You should be able to test it internally. There is nothing special about connections from the Internet at large vs. connections coming from an internal IP. Basically, configure IIS to only allow HTTP GET operations unless the user is from a particular set of authenticated users. Or, if you want to limit read access too, restrict all operations, including HTTP GET.
Omnifarious
Can I get it to ask for a user name if I use `[ui] username = ???? password = ????` where I have ???? what would I put there to have it do that if you type commit.. ?? Is there a way or is the only way by typing -u
Sifter3
@Sifter3 - Refer to your IIS documentation. It should tell you how to set up HTTP authentication for IIS.
Omnifarious
Ok it seems to be blocking the repos.. when browsing them via a web browser, but seems to have no effect on the command prompt... is that what the ACL Extension is supposed to do?
Sifter3
@Sifter3 - Yes. But the ACL extension relies on the user information the OS gives it. I do not know how it interacts with Windows at all. I suspect it will work just fine if you have account names that have no spaces in them.
Omnifarious
@Omnifarious - Under site authentication in IIS7 would I need to use Basic or Windows authentication.. I'm assuming Windows, I would have to use Windows auth.. IIS7 gives a way to specify users apart from Windows: under the global web server it gives a manage users choice. I'm not sure how that will interact... which brings up the question of ACL setup.. for every user, will they have to be manually typed in there as well as being added in the Windows manage users list? Seems really redundant and annoying if that's the case.
Sifter3
@Sifter3 - Well, whether or not the ACL setup works at all with IIS7's authentication is an interesting question. But yes, the users will have to be put in both places. Though, again, as I pointed out, if you do not need anything beyond "is allowed to commit" and "is allowed to read" permissions then IIS7 access control is enough. All reads are done through HTTP GET and/or HEAD requests, and all commits through PUT requests.
Omnifarious
To answer the question: no, the ACL extension doesn't do anything. What I did was in Authentication I enabled "Windows authentication" and "Basic authentication" in IIS7 for the website itself. It said in this first walkthrough just to use basic authentication... not the case. Set up a normal user, not power user or admin.. then in the hgweb.config you just list out under the

```
[web]
baseurl = /
allow_push = user1, user2, user3, admin1, admin2
push_ssl = false
```

I left push_ssl = false until for testing purposes; technically you don't really need that unless you want that level of security.
Sifter3
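
The `[web]` settings from the comment above, shown as the test configuration beside a tightened one. This is an added example, not part of the thread; the user names are the same placeholders, and `contractor1` is a constructed name.

```ini
# hgweb.config -- constructed example, user names are placeholders

# --- Test setup as described above (kept here commented out) ---------
# With Basic authentication and push_ssl = false, the user name and
# password travel base64-encoded, i.e. readable, over plain HTTP.
# [web]
# baseurl = /
# allow_push = user1, user2, user3, admin1, admin2
# push_ssl = false

# --- Tightened setup --------------------------------------------------
[web]
baseurl = /

# Refuse any push that does not arrive over HTTPS (this is the default
# when the line is omitted).
push_ssl = true

# Only these authenticated users may push. Leaving allow_push unset
# disables push entirely; "*" would let anyone push, authenticated or not.
allow_push = user1, user2, user3, admin1, admin2

# deny_push is examined before allow_push, so it can carve an account
# out of a broader allow list without editing that list.
deny_push = contractor1

# Restrict reads as well; when allow_read is unset everyone can read.
allow_read = user1, user2, user3, admin1, admin2
```

The names in `allow_push` and `allow_read` are compared with the user name the web server authenticated, so IIS must require authentication for these lists to match anyone.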
@Sifter3 - To be fair, you have never made it clear what kind of security you wanted. And I told you several times that if all you wanted was basic security over who was and wasn't allowed to push the ACL extension was not necessary. I'm sorry I missed the `[web]` config section stuff. I should've researched more carefully.
Omnifarious
@Omnifarious - Now if I set push_ssl = true what would I need to do from there.. I know we need to purchase an SSL cert, which is being worked on.. just curious what gotchas I might run into?
Sifter3
@Sifter3 - An SSL cert is not strictly necessary actually. Otherwise, it should just work. Yes, I checked. Mercurial does not check the certificate for validity. I consider SSL certs to be of very questionable utility in general.
Omnifarious