Reputation: 313
I have set up a Mercurial server through SSL. In the Apache config file I have set up authentication using a MySQL database.
I would like everyone to be able to pull from the repository without credentials, but restrict the push right to authenticated users. The way it is done now, either everyone is authenticated both for pull and push, or nobody is.
My Apache configuration is this:
<Location /hg/repo>
AuthType Basic
AuthName "Repository Access"
AuthBasicAuthoritative Off
AuthUserFile /dev/null
AuthMySQL On
AuthMySQL_Authoritative On
AuthMySQL_Host localhost
AuthMySQL_DB repo
AuthMySQL_User repo
AuthMySQL_Password_Table users_auth_external
AuthMySQL_Group_Table users_auth_external
AuthMySQL_Username_Field username
AuthMySQL_Password_Field passwd
AuthMySQL_Group_Field groups
AuthMySQL_Encryption_Types SHA1Sum
Require group pink-image
<LimitExcept GET>
Require valid-user
</LimitExcept>
</Location>
hg also requires authentication for the SSL pull, regardless of the LimitExcept switch.
Is there a way to limit the authentication only for pushing to the repository?
Simple HTTP access would not be sufficient, because if somebody is a developer she checks out the code through HTTPS.
SSH access is not possible because some of the developers have the SSH port forbidden by the firewall.
One of the solutions would be if hg would remember the HTTPS credentials.
Thank you for reading the question.
Upvotes: 1
Views: 556
Reputation: 31
The authentication should be wrapped into the exception rule.
<Location /hg/repo>
<LimitExcept GET>
AuthType Basic
AuthName "Repository Access"
AuthBasicAuthoritative Off
AuthUserFile /dev/null
AuthMySQL On
AuthMySQL_Authoritative On
AuthMySQL_Host localhost
AuthMySQL_DB repo
AuthMySQL_User repo
AuthMySQL_Password_Table users_auth_external
AuthMySQL_Group_Table users_auth_external
AuthMySQL_Username_Field username
AuthMySQL_Password_Field passwd
AuthMySQL_Group_Field groups
AuthMySQL_Encryption_Types SHA1Sum
Require group pink-image
</LimitExcept>
</Location>
Upvotes: 3
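Added example, not part of the answer above or of any project's code: a small Python check that reports which HTTP methods end up covered by a Require directive, run against trimmed copies of the two configurations on this page. It assumes hg reads (pull, web interface) arrive as GET and pushes as POST; the function names and the method set are illustrative.

```python
import re

# Illustrative method set; assumption: hg reads arrive as GET, pushes as POST.
ALL_METHODS = {"GET", "POST", "PUT", "DELETE", "OPTIONS"}

def methods_requiring_auth(conf):
    """Return the HTTP methods covered by at least one Require directive."""
    scope = [set(ALL_METHODS)]   # stack: methods the current nesting applies to
    covered = set()
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r"<(Limit(?:Except)?)\s+([^>]+)>$", line, re.I)
        if opened:
            listed = {m.upper() for m in opened.group(2).split()}
            if opened.group(1).lower() == "limit":
                scope.append(scope[-1] & listed)    # only the listed methods
            else:
                scope.append(scope[-1] - listed)    # everything but the listed
        elif re.match(r"</Limit(?:Except)?>$", line, re.I):
            if len(scope) > 1:                      # ignore a stray closing tag
                scope.pop()
        elif re.match(r"Require\s+\S", line, re.I):
            covered |= scope[-1]                    # Require binds to this scope
    return covered

def check(conf):
    covered = methods_requiring_auth(conf)
    return {"pull_needs_auth": "GET" in covered,
            "push_needs_auth": "POST" in covered}

# Both samples are trimmed from the page's configs (AuthMySQL_* lines omitted).
QUESTION_CONF = """<Location /hg/repo>
AuthType Basic
AuthName "Repository Access"
Require group pink-image
<LimitExcept GET>
Require valid-user
</LimitExcept>
</Location>"""

ANSWER_CONF = """<Location /hg/repo>
<LimitExcept GET>
AuthType Basic
AuthName "Repository Access"
Require group pink-image
</LimitExcept>
</Location>"""

if __name__ == "__main__":
    print("question:", check(QUESTION_CONF))
    print("answer:  ", check(ANSWER_CONF))
```

The Require group line at Location level in the question's config applies to every method, which is why pulls were still challenged; with every Require inside the LimitExcept GET block, only non-GET requests are.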
Reputation: 31
It turns out automatic credentials are not enough. The repository ought to be accessible through the web interface. However, the same config file pops up an authentication dialog in the browser, which makes the web interface unusable.
Upvotes: 0
Reputation: 6262
One of the solutions would be if hg would remember the HTTPS credentials.
It can remember the credentials for push and pull. Look under the auth section of hg help config if you don't mind adding the details to one of the config files (either the user's config or the repository clone's hgrc).
This would mean putting the password in the config file, which you might not like, so you could use the Mercurial Keyring Extension instead, which stores the password more securely.
Upvotes: 2