Gitolite restrict access to branch

生来不讨喜 2021-01-03 08:15

I have GITOLITE on my server and I want to configure access to my repository. I want to restrict access to some branches for some users. I try a lot of variants how to confi

3 Answers
  • 2021-01-03 08:46

    If I look at the official documentation:

    repo foo bar
    
        RW+                     =   alice @teamleads
        -   master              =   dilbert @devteam
        -   refs/tags/v[0-9]    =   dilbert @devteam
        RW+ dev/                =   dilbert @devteam
        RW                      =   dilbert @devteam
        R                       =   @managers
    

    dilbert and the dev team have these restrictions:

    • they can do anything to branches whose names start with "dev/"
    • **they can create or fast-forward push, but not rewind or delete, any branch except `master`**
    

    So this looks right:

    - test  = @developers2
       RW+  = @developers2
    

    However gitolite has two checks:

    • one when the ref is unknown (in which case - test is ignored),
    • one when the ref is known.

    In your case, the ref (test) should be known and the deny rule apply.

    You can debug more by tracing the logic of your specific rules with:

    gitolite access -s dbatest user2 W test
    

    The OP Sufelfay confirms in the comments that it works with 3.5.3, not with 3.6.x.

  • 2021-01-03 08:57

    As Sufelfay said in the comments to the other posting, this is a bug in recent versions of Gitolite.

    The access check is split into two phases. During the initial phase the ref is unknown and Gitolite is supposed to skip all rules referring to refs.

    In fact, however, it applies all rules but ignores the ref specification. Thus ...

    - test = @developers2
    

    ... is evaluated as ...

    - = @developers2
    

    ... during the first phase. To make matters worse, the error indicates the very last rule which was processed. This rule may be unrelated.

    As a workaround you can add an access rule for `any` before the deny rules:

    RW  any   =  @developers2
    -   test  =  @developers2
    ...
    
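The two-phase check and the workaround from the answers above, as a toy Python model added here for illustration (it is not Gitolite's code and not from any of the posters). The function names, the `buggy` switch and the trailing `RW+` rule in `WORKAROUND` are assumptions; the phase-1 behaviour follows the second answer's description.

```python
import re

def parse(conf):
    """Parse 'PERM [refex] = members' lines into (perm, refex, members)."""
    rules = []
    for line in conf.strip().splitlines():
        left, right = line.split("=", 1)
        perm, *refex = left.split()
        rules.append((perm, refex[0] if refex else "", set(right.split())))
    return rules

def full_refex(refex):
    # Gitolite convention: an empty refex means every ref, and a refex
    # not starting with refs/ is taken as a branch under refs/heads/.
    if not refex:
        return "refs/.*"
    return refex if refex.startswith("refs/") else "refs/heads/" + refex

def first_match(rules, who, applies):
    """First rule wins: '-' denies, RW/RW+ allows, R is skipped for a push."""
    for perm, refex, members in rules:
        if who in members and (perm == "-" or "W" in perm) and applies(refex):
            return perm != "-"
    return False  # fall-through: no rule granted write access

def phase1(rules, who, buggy):
    # Ref not yet known. Intended: skip rules that name a ref.
    # Buggy (per the second answer): every rule applies, its refex ignored.
    return first_match(rules, who, lambda refex: buggy or not refex)

def phase2(rules, who, ref):
    # Ref known: the refex is a regex anchored at the start of the ref name.
    return first_match(rules, who, lambda refex: bool(re.match(full_refex(refex), ref)))

def can_push(conf, who, branch, buggy):
    rules = parse(conf)  # 'who' is matched literally, no group expansion
    return phase1(rules, who, buggy) and phase2(rules, who, "refs/heads/" + branch)

# Constructed sample configurations built from the rules quoted in the answers.
ORIGINAL = """
- test = @developers2
RW+    = @developers2
"""
WORKAROUND = """
RW  any  = @developers2
-   test = @developers2
RW+      = @developers2
"""
```

In this model the original rules block every push once `buggy` is set, because the deny rule fires before any ref is known; with the `any` rule first, phase 1 passes and the deny on `test` is enforced in phase 2.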
  • 2021-01-03 09:03

    I know it's an old topic, but I did some research recently and ended up here. Quick update about the commentary from the answer at the top.

    I'm using v3.6.4 and the following solution is working:

    @teamA = user1 user2
    @teamB = user3 user4
    
    repo foo
        RW+                     = @teamA
        R                       = @teamB
        RW+ refs/heads/banana   = @teamB
    

    In this case, teamB is allowed to clone the repo "foo" and push only to the branch "banana".
