通过 httpd 访问时,Gitolite 不遵守规则
Gitolite doesn't respect rules when accessed through httpd
我说服办公室我们应该搬到 Git。因为我们刚刚开始,所以我使用普通 git 设置了一个 git 服务器,并使用 nginx 在它前面设置了 https。我们暂时不使用gitlab或类似的东西。
我收到的一个问题是是否可以限制新同事对特定分支(尤其是 master)的访问。这在过去会为我们省去很多麻烦:-)
在我寻找解决方案的过程中,我发现 gitolite 非常有前途,所以我尝试并设置了它。我通过 gitolite 获得了 git 和 运行,所以我开始深入研究规则。
但是,我不能把它们弄对。 gitolite 似乎忽略了 the second check
我的 gitlolite-admin/conf/gitolite.conf
看起来像这样(我有一个更复杂的,但在调试时我将它精简到最低限度)
@starters = auric
# project groups
@protected = master$
repo gitolite-admin
RW+ = admin
repo testing
RW+ = @all
repo playground
R = @starters # allow read from protected
- @protected = @starters # deny anything else
RW+ = @starters # allow everything on other branches
在文档中指定您可以 trace the access control decision。
gitolite access -s playground auric
的输出是这样的
拉取权限
$ gitolite access -s playground auric R master
legend:
d => skipped deny rule due to ref unknown or 'any',
r => skipped due to refex not matching,
p => skipped due to perm (W, +, etc) not matching,
D => explicitly denied,
A => explicitly allowed,
F => denied due to fallthru (no rules matched)
A gitolite.conf:14 R = @starters # allow read from protected
refs/.*
推送访问
$ gitolite access -s playground auric W master
p gitolite.conf:14 R = @starters # allow read from protected
D gitolite.conf:15 - @protected = @starters # deny anything else
W refs/heads/master playground auric DENIED by refs/heads/master$
倒带推送访问
$ gitolite access -s playground auric + master
p gitolite.conf:14 R = @starters # allow read from protected
D gitolite.conf:15 - @protected = @starters # deny anything else
+ refs/heads/master playground bert.van.dooren DENIED by refs/heads/master$
在另一个分支上推送访问
$ gitolite access -s playground bert.van.dooren W anyotherbranch
p gitolite.conf:14 R = @starters # allow read from protected
r gitolite.conf:15 - @protected = @starters # deny anything else
A gitolite.conf:16 RW+ = @starters # allow everything on other branches
refs/.*
正是我所期望的。
事实上,这是我在执行这些命令后在 ~/.gitolite/logs
中看到的(我在这里删除了日期):
32205 cli gitolite access -s playground auric W master
32205 system,/home/git/gitolite/src/commands/access,-s,playground,auric,W,master
32205 system() failed,/home/git/gitolite/src/commands/access,-s,playground,auric,W,master,-> 256
然而,当我真正开始使用 git 并通过 httpd 执行推送(甚至是倒带推送)时,所有命令都被允许,我在日志中看到了这一点
32196 http ARGV=auric SOC=git-receive-pack 'playground.git' FROM=10.0.13.105
32196 pre_git playground auric W any refs/.*
32196 system,git,http-backend
32196 END
好像只完成了检查 1,但检查 2 从未出现。
我在这里想念什么?
编辑 我正在使用 gitolite3。我知道一些关于添加规则 R master = @starters
的答案,但随后 gitolite 警告我该规则没有任何意义。它被忽略了。
The gitolite dev notes 提及 pre-git
步骤作为第一次访问检查成功时出现的日志行(即,在调用 git-upload-pack
或 git-receive-pack
之前)。
然而,update
步骤没有在日志中列出:它是在第二次访问检查成功时出现的步骤(即,当 update
挂钩决定允许推送时) .
这意味着该回购的 update hook 可能不正确(每个回购挂钩文件夹中的符号链接指向 gitolite 更新脚本)。
gitolite setup
应该负责这些链接。
实际上,OP Auric comments :
While the update
hook was in place and I actually did use gitolite setup
, I did this with another user.
Since I couldn't get fcgiwrap
configured to run under another user, I had to make sure gitolite
was installed under user git
, but was executable using user www-data
.
I used bindfs
for this purpose.
But since I ran gitolite setup
under user git
, the update
hook was symlinked to /home/git/.gitolite/...
in stead of /opt/gitolite/.gitolite/...
So now I re-ran setup with /opt/gitolite
as $HOME
so that the symlink is correct.
我说服办公室我们应该搬到 Git。因为我们刚刚开始,所以我使用普通 git 设置了一个 git 服务器,并使用 nginx 在它前面设置了 https。我们暂时不使用gitlab或类似的东西。
我收到的一个问题是是否可以限制新同事对特定分支(尤其是 master)的访问。这在过去会为我们省去很多麻烦:-)
在我寻找解决方案的过程中,我发现 gitolite 非常有前途,所以我尝试并设置了它。我通过 gitolite 获得了 git 和 运行,所以我开始深入研究规则。
但是,我不能把它们弄对。 gitolite 似乎忽略了 the second check
我的 gitlolite-admin/conf/gitolite.conf
看起来像这样(我有一个更复杂的,但在调试时我将它精简到最低限度)
@starters = auric
# project groups
@protected = master$
repo gitolite-admin
RW+ = admin
repo testing
RW+ = @all
repo playground
R = @starters # allow read from protected
- @protected = @starters # deny anything else
RW+ = @starters # allow everything on other branches
在文档中指定您可以 trace the access control decision。
gitolite access -s playground auric
的输出是这样的
拉取权限
$ gitolite access -s playground auric R master
legend:
d => skipped deny rule due to ref unknown or 'any',
r => skipped due to refex not matching,
p => skipped due to perm (W, +, etc) not matching,
D => explicitly denied,
A => explicitly allowed,
F => denied due to fallthru (no rules matched)
A gitolite.conf:14 R = @starters # allow read from protected
refs/.*
推送访问
$ gitolite access -s playground auric W master
p gitolite.conf:14 R = @starters # allow read from protected
D gitolite.conf:15 - @protected = @starters # deny anything else
W refs/heads/master playground auric DENIED by refs/heads/master$
倒带推送访问
$ gitolite access -s playground auric + master
p gitolite.conf:14 R = @starters # allow read from protected
D gitolite.conf:15 - @protected = @starters # deny anything else
+ refs/heads/master playground bert.van.dooren DENIED by refs/heads/master$
在另一个分支上推送访问
$ gitolite access -s playground bert.van.dooren W anyotherbranch
p gitolite.conf:14 R = @starters # allow read from protected
r gitolite.conf:15 - @protected = @starters # deny anything else
A gitolite.conf:16 RW+ = @starters # allow everything on other branches
refs/.*
正是我所期望的。
事实上,这是我在执行这些命令后在 ~/.gitolite/logs
中看到的(我在这里删除了日期):
32205 cli gitolite access -s playground auric W master
32205 system,/home/git/gitolite/src/commands/access,-s,playground,auric,W,master
32205 system() failed,/home/git/gitolite/src/commands/access,-s,playground,auric,W,master,-> 256
然而,当我真正开始使用 git 并通过 httpd 执行推送(甚至是倒带推送)时,所有命令都被允许,我在日志中看到了这一点
32196 http ARGV=auric SOC=git-receive-pack 'playground.git' FROM=10.0.13.105
32196 pre_git playground auric W any refs/.*
32196 system,git,http-backend
32196 END
好像只完成了检查 1,但检查 2 从未出现。
我在这里想念什么?
编辑 我正在使用 gitolite3。我知道一些关于添加规则 R master = @starters
的答案,但随后 gitolite 警告我该规则没有任何意义。它被忽略了。
The gitolite dev notes 提及 pre-git
步骤作为第一次访问检查成功时出现的日志行(即,在调用 git-upload-pack
或 git-receive-pack
之前)。
然而,update
步骤没有在日志中列出:它是在第二次访问检查成功时出现的步骤(即,当 update
挂钩决定允许推送时) .
这意味着该回购的 update hook 可能不正确(每个回购挂钩文件夹中的符号链接指向 gitolite 更新脚本)。
gitolite setup
应该负责这些链接。
实际上,OP Auric comments
While the
update
hook was in place and I actually did usegitolite setup
, I did this with another user.Since I couldn't get
fcgiwrap
configured to run under another user, I had to make suregitolite
was installed under usergit
, but was executable using userwww-data
.
I usedbindfs
for this purpose.
But since I rangitolite setup
under usergit
, theupdate
hook was symlinked to/home/git/.gitolite/...
in stead of/opt/gitolite/.gitolite/...
So now I re-ran setup with/opt/gitolite
as$HOME
so that the symlink is correct.