Gerrit permission to review a specific path - permissions

I'm currently working on a big project with more than one team.
Let's say the project has some modules that each team is working on.
In addition, we have been using Gerrit for some time now, and there is something I couldn't find out.
My question is the following:
Is there a way to tell Gerrit that only specific people/groups (on Gerrit) will have permission to review code (+2) on a specific path/module in the project?

This is possible, and can be achieved by using the Gerrit OWNERS Plugin. I haven't configured this plugin myself, but we use this in our codebase to protect certain areas of code.
Every folder that needs protection contains a file named OWNERS that has the following structure.
inherited: true
owners:
- user-a#example.com
- user-b#example.com
Here is the link to a readme for the plugin. Hope you can figure out how to configure it.
https://gerrit.googlesource.com/plugins/owners/+/refs/heads/master/README.md

I think you can do this by making two separate commits. You can later add the group that you want to review the code on that specific path using the Gerrit interface.

Related

Managing commit rights in svn by delegating to project managers

We have multiple projects in an SVN repo, and for each project there are many users. As the number of users is large, it is troublesome to manage their commit rights using the "Auth file".
I have read somewhere that we can delegate users' rights to their managers by creating a text file, but I am not sure how to achieve this, and perhaps hooks need to be configured for this. As I am new to SVN, I need your expert advice. Please guide me on how to achieve this, and if you have a hook already configured, kindly provide it.
How to setup access control in SVN?
I have seen this link and the answer by VonC is great and perfect for me, but I don't know how to start... can anybody help me out here, as I am not a pro in SVN and Unix?
Thanks in advance
Preface
Using a single repository for multiple projects is a Bad Idea (tm): one repo - one project
Forget immediately about SVN 1.5, old as mammoth's shit - use at least 1.6 on client and server (1.8 may be the best choice)
Face
Simplified user management for SVN users can be achieved using LDAP-based authentication instead of an ordinary file (in the case of "repository per project", the <location> from the answer will be the location of each repo with SVNPath; in the case of the old structure, a <location> must be linked to every project root) and having different groups for different repositories in the Require ldap-group directive - read also the Apache 2.2 docs in the Apache Module mod_authnz_ldap part. From a management POV, LDAP auth and permissions mean: each developer must be in the LDAP tree, included in one or more groups related to repositories
In case of an additional requirement for Path-Based Authorization within repositories and using groups inside the authz file, you may find the LDAP Groups to Subversion Authz Groups Bridge useful, which allows you to regenerate authz groups from LDAP data
As a result, most (if not all) SVN-related ACLs can be managed on the LDAP side only

Secure/second access for web development - deny view for public; allow developer

Sorry for the strange title, I can't find better description to my question.
I'm building some websites with a team of 4 people - 2 developers and 2 testers. The developers build the page on a local Apache/MySQL server. Every now and then they upload a snapshot of what they have done to a dedicated server, which serves the files with .htaccess basic authentication to the testers.
Are there better solutions for this workflow? I would like to have more security for this whole thing. The snapshots of the website often show debug/development info that shouldn't be seen by public eyes.
Something like a different port on the Apache server... ? Any suggestions?
I think another way is to use Git or some other versioning system for deployment, so only new code will be added, and you can disable showing this debug information permanently in some file which will not be overwritten.
OR
You can use some cloud service like getpantheon.com (for Drupal). It could provide you good environment for testing.

Using groups in mercurial's allow_read, allow_push etc

I was wondering if it is possible to use groups specified in e.g., an apache authgroup file in allow_read and/or allow_push etc.
So basically what I do is I am using apache with an authfile and authgroup file to authenticate users.
Now I want to restrict some repositories using allow_read from being shown to users in a specific group specified in the authgroup file.
Let's say I have sam, frodo and sauron in my auth file and I have a group hobbits containing sam and frodo in the authgroup file.
So instead of writing:
allow_read = frodo, sam
I tried
allow_read = #hobbits
but that does not seem to work. Does anybody know whether this is actually supported? The idea is that if I have, say, 10 repositories only readable by hobbits and I add a hobbit, I only have to change the authgroup and auth files and not each repository's hgrc file.
Thanks in advance
Mercurial does not have any built-in support for groups. There is a patch from a user that adds group support, but the coders seemed hesitant to include it by default; they want the contributor to make a plugin out of it instead. As of April 2013 they seem to have accepted it, but I still see no trace of it in the version currently shipped with Ubuntu (2.7).
Controlling groups in Apache, as suggested by Joel, doesn't give you any fine-grained control when you have more than one repository, so it's no use (at least not for me).
I ended up using the open source tool SCM-Manager for it. SCM-Manager acts as a frontend for SVN, Git and Mercurial and has support for various user directories (including LDAP and Crowd) as well as its own user directory.
I'm using mod_proxy to integrate it in my Apache configuration and it works quite well.
It appears you'll need to do your group control in Apache rather than in hgrc files, as the documentation for hgrc mentions only user names.
You'll want to have a read of Configuring Apache on the Publishing Repositories page. Section 7.4 seems to contain the information you'll need to set up what you want.
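Since Mercurial's allow_read/allow_push accept only user names, one workaround for the question above is to expand the Apache AuthGroupFile groups into each repository's hgrc before deploying it. This is an added example, not code from any of the posters or from Mercurial; the group file and hgrc contents are constructed from the names in the question.

```python
import configparser
import io

# Constructed Apache AuthGroupFile ("group: user user ...") with the question's users.
AUTHGROUP_FILE = """\
hobbits: sam frodo
mordor: sauron
"""

# Constructed per-repository hgrc using the '#group' syntax the poster tried.
REPO_HGRC = """\
[web]
allow_read = #hobbits
allow_push = #hobbits, gandalf
"""

def parse_authgroup(text):
    """Parse an Apache AuthGroupFile into {group_name: [members]}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, members = line.partition(":")
        groups[name.strip()] = members.split()
    return groups

def expand_acl(value, groups):
    """Replace every '#group' token in an ACL value with the group's members.
    An unknown group raises instead of silently granting nothing or everything."""
    users = set()
    for token in (t.strip() for t in value.split(",")):
        if not token:
            continue
        if token.startswith("#"):
            members = groups.get(token[1:])
            if members is None:
                raise ValueError(f"unknown group {token!r} in hgrc ACL")
            users.update(members)
        else:
            users.add(token)
    return sorted(users)

def render_hgrc(hgrc_text, groups):
    """Return the hgrc with all [web] ACL keys expanded to plain user names."""
    cp = configparser.RawConfigParser()
    cp.read_string(hgrc_text)
    for key in ("allow_read", "allow_push", "deny_read", "deny_push"):
        if cp.has_option("web", key):
            cp.set("web", key, ", ".join(expand_acl(cp.get("web", key), groups)))
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()
```

Rerunning the script over all repositories whenever the group file changes gives the "edit one file, not ten hgrc files" behaviour the question asks for.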

Is it possible to do this with Subversion/SVN?

I'm using Subversion to develop a website with a designer, and I'm using a remote server for the Subversion database storage.
Now I need to make visible on Apache (same machine as the Subversion server) all the changes/commits that we make to the repository.
Is this possible to do?
I have searched inside the repository files, but nothing looks like the names of the files of the project (PHP project).
Can someone give me a clue on how I can make the changes to the repository visible on a website? Is there a way to connect the changes that I make to the repository to the website?
Best Regards,
Assuming you can already browse the repository using HTTP, simply add something like Repos Style for a nice layout and folder/file history features.
You could shell out to svnadmin.

Can Hudson be configured to prevent certain users from accessing certain projects?

I have various projects being built and tested periodically on a Hudson server, but I don't want every employee in the company to see published artifacts for every project.
Project-based matrix security seemed at first the key, but after many tests I find that granting overall read permissions is mandatory if you want users to be able to read anything in the hudson server.
So, in the end read permissions are binary: either you grant global read permission or you block everything, am I right?
I haven't tested it with the newest release, but I use the matrix setup. I gave Anonymous the overall read. This way they can see the login screen when they type http://servername:port/ but it does not give them access to the jobs. In the jobs themselves I configured the users that should actually see the job. Works like a charm.
UPDATE:
Meanwhile I found out that you can use authenticated instead of Anonymous. This enabled access to Hudson/Jenkins through the links in the Build failed messages. Now everyone gets the logon dialog and after signing in, they are right away at the job run of interest.
After trying to do something similar to you with Hudson's authorization settings, I came to the same conclusion you did.