Reputation: 559
I'm a bit confused about the gitolite permissions.
Which is the best way to allow only 1 branch and deny all other branches to a specific user or group?
Upvotes: 5
Views: 492
Reputation: 1324268
See "partial-copy: selective read control for branches"
The main point is:
Git (and therefore gitolite) cannot do selective read control -- allowing someone to read branch A but not branch B. It's the entire repo or nothing.
Gerrit Code Review can do that, but that is because they have their own git (as well as their own sshd, and so on). If code review is part of your access control decision, you really should consider Gerrit anyway.
The standard answer you get when you ask is "use separate repos" (where one contains all the branches, and one contains a subset of the branches).
This is nice in theory but in practice, when people are potentially pushing to both repos, you need to figure out how to keep them in sync.
Gitolite can now help you do this. Note that this is only for branches; you can't do this for files and directories.
Here's how:
- enable 'partial-copy' in the ENABLE list in the rc file.
- for each repo "foo" which has secret branches that a certain set of developers (we'll use a group called @temp-emp as an example) are not supposed to see, do this:

    repo foo
        # rules should allow @temp-emp NO ACCESS

    repo foo-partialcopy-1
        -   secret-branch           =   @temp-emp
        # other rules; see notes below
        -   VREF/partial-copy       =   @all
        config gitolite.partialCopyOf = foo
IMPORTANT NOTES:
- if you're using other VREFs, make sure this one is placed at the end, after all the others.
- remember that any change allowed to be made to the partial-copy repo will propagate to the main repo so make sure you use other rules to restrict pushes to other branches and tags as needed.
Upvotes: 3
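To connect the answer back to the original question (one visible, pushable branch for a restricted group, everything else denied), here is a fuller gitolite.conf fragment written as an added example; it is not part of the answer above or of the gitolite documentation. The group @devs, the user-visible branch name "public", and the repo name "foo" are assumed names chosen for illustration; @temp-emp, "secret-branch", "foo-partialcopy-1", the VREF/partial-copy rule and the gitolite.partialCopyOf setting come from the answer.

```conf
# Assumed groups: @devs are full-access developers, @temp-emp are the
# restricted contractors named in the answer.
@devs       =   alice bob
@temp-emp   =   carol

# Main repo: @temp-emp gets no rule at all here, so they cannot even
# clone it (gitolite read access is all-or-nothing per repo).
repo foo
    RW+                         =   @devs

# Partial copy: contains every branch of foo EXCEPT those that
# @temp-emp is denied on. Rule order matters: gitolite takes the first
# rule whose refex and user match, so the deny lines must come before
# any broader allow, and the VREF line stays last.
repo foo-partialcopy-1
    # 1. hide the secret branch from the copy (this is the answer's rule)
    -   secret-branch           =   @temp-emp
    # 2. the ONE branch @temp-emp may push to (assumed name "public");
    #    anything they push here is propagated back to foo
    RW  public                  =   @temp-emp
    # 3. deny every other ref (other branches, tags, new branches) so a
    #    stray push cannot land in foo via the copy
    -   refs/.*                 =   @temp-emp
    # 4. keep the copy in sync with foo; must be the last VREF
    -   VREF/partial-copy       =   @all
    config gitolite.partialCopyOf = foo
```

With this layout the only write path @temp-emp has into foo is refs/heads/public, and a push to any other ref in the copy is refused before it can propagate. Because deny rules in gitolite do not affect read access by default (unless the deny-rules option is set), @temp-emp can still clone foo-partialcopy-1 and will simply never receive secret-branch. After editing the conf, push the admin repo and check the effective rules with gitolite's own `info` command (e.g. `ssh git@host info foo-partialcopy-1` as the restricted user) before handing out access.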