Sunday, 22 February 2009

git fine-grained access control

If we are going to switch from CVS to Git we are going to need to implement the fine-grained access control features we have now. For example:
  • only certain users are allowed to commit to each branch.
  • only certain paths can be committed to on each branch.
  • only certain users are allowed to create tags in the central repository. (I'd like to get rid of this limitation, but it's there now. Perhaps only limit tag names that match a particular set of regular expressions.)
Since all of the software modules are released at similar times it makes sense it keep them all in one repository, and for internal security reasons the repository is probably only going to be accessible via HTTPS. This means that we won't be able to use Gitosis, which currently only works for SSH access.

Junio Hamano and Carl Baldwin have an update-hook-example that describes how to implement an access control hook script, so we will base things on that. Their example assumes that the user has logged in using ssh so they can use username=$(id -u -n) but since we are coming in via the web we'd have to use the REMOTE_USER environment variable instead.

I think it makes sense to use a configuration file that is similar to the Gitosis config file, which people are familiar with. This is just an ini file that can be parsed using Config::IniFiles or something similar to Gitosis::Config, so this shouldn't be difficult.

Something else worth looking at is gerrit, which describes itself as follows:

Gerrit is a web based code review system, facilitating online code reviews for projects using the Git version control system.

Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer.

Gerrit simplifies Git based project maintainership by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer. This functionality enables a more centralized usage of Git.

No comments:

Post a Comment

Labels