diff options
| author | Milo Casagrande <milo@ubuntu.com> | 2013-02-01 13:15:52 +0100 |
|---|---|---|
| committer | Milo Casagrande <milo@ubuntu.com> | 2013-02-01 13:15:52 +0100 |
| commit | f9be2f0002a69e5b62bc0d807037003ced475783 (patch) | |
| tree | e6a19c513ab6e60c1c15ffe85ae819e0127dda95 | |
| parent | 461481e86af589b01a298de4615c092e33b5d3d5 (diff) | |
| parent | ea423e75618689ad0d9e811fd599bd293fc5cf8a (diff) | |
Merge branch 'master' of ssh://git.linaro.org/srv/git.linaro.org/git/infrastructure/rhodecode-config
| -rw-r--r-- | SETUP | 65 |
1 files changed, 65 insertions, 0 deletions
@@ -0,0 +1,65 @@ +Rhodecode Setup +=============== + + +SSH Keys and access to public repos +=================================== + +The main goal is to have the same ACL when connecting to our git server +via SSH protocol as the one over the Rhodecode web interface. +All the user/group restrictions must apply as well for both read/write +access. + +To manage this, all the groups and users from the Rhodecode database must +be mirrored and synced with system users and groups. +Couple of potential problems were observed and discussed. + + +Rhodecode system user +--------------------- + +The Rhodecode app uses the 'rhodecode' system user for all git and mercurial +interactions so this user must have read/write access over all repositories. +Easiest way to do this and not intefere with other permissions is to have +all repository directories user ownership given to this user. +Group ownerships will be used to control SSH user/group ACL. + +The question is does having a user which can access all repositories +present a security threat? +For one, we can disable shell access after installation for this user as well. +See section on "Disabling shell access for git SSH users". + + +Nested groups +------------- + +Since Rhodecode supports nested groups and the need for them will most +likely be present, there are couple of ways to mimic this feature with the +system groups. Both ways include some form of synchronization between +Rhodecode users/groups with the systems' one. + +First solution assume that all users and groups on Rhodecode reflects those on +the system. It includes having the sync script assign particular system user +not only to the group which he is assigned to in Rhodecode, but to all +*parent* groups of this particular group. + +Second solution includes having all the users from the Rhodecode synced in the +system as well, but not all of the groups. Group will exist in the system only +and only if it is the *mother* group (meaning it has no parent) and it has at +least one user belonging to either that group or any child group. + + +Disabling shell access for git SSH users +---------------------------------------- + +In order for users to have access to git using SSH keys for public repositories +the idea provide them with limited access to git+ssh protocol. +SSH keys will be picked up by Rhodecode from LDAP service. + +Users will be deprived of shell access to the system by enabling git-shell for +each user via the .ssh/authorized_keys file. + + command="git-shell -c $SSH_ORIGINAL_COMMAND" ssh-rsa AAAAB3NzaC***...*** + +For more info on git-shell and what commands it supports please refer to the +manual.
\ No newline at end of file |