please help me understand gitolite users [closed]

Question

For some reason my gitolite didn't come with a sample config file and i can't seem to find one anywhere, im sure this question is answered in that file if someone can find me a copy, please!!

Anyways, the format of the gitolite config file is simple enough, here's a snip from mine

gitolite conf
# please see doc/gitolite.conf.mkd for details on syntax and features

@nmscDevs = dev1@compaid.com dev2@compaid.com dev3@compaid.com
@buildMgr = william_slepecki@compaid.com dev4@compaid.com

repo    gitolite-admin
    RW+     =   gitadmin william_slepecki@compaid.com

repo    grindstone
    RW+ = gitadmin
    RW+ prod$ = @buildMgr
    - prod$ = @nmscDevs
    RW = @nmscDevs

I have several public keys in my keydir folder:

keydir/
gitadmin.pub
william_slepecki@compaid.com.pub

My problem is gitolite seems to be ignoring the permissions set to the individual users. nothing works on a repository (reads, writes, etc) unless i give the gitadmin user full control. Then it seems that everyone uses the permissions of the gitadmin user. I clone the repos like this

git clone git@server:grindstone.git

but when i try to clone with something like this

git clone 'dev1@compaid.com'@server:grindstone.git

Im prompted with a password. does each individual user need to have an account on the server so they can ssh into it?

How exactly do the permissions work in gitolite? I was lead to understand that the git user needs an account to ssh into the server, then once gitolite takes over it uses the email that is passed along with the git request to determine permissions, am I wrong here? what am i missing?

BTW, here's my .ssh/config

host server
     user git
     hostname server
     identityfile ~/.ssh/gitadmin

host server
     user william_slepecki@compaid.com
     hostname server
     identityfile ~/.ssh/id_rsa

Update: I have upgraded to the latest version of gitolite, when i try to do a clone i get this

$ git clone git@server:testing.git
Cloning into 'testing'...
FATAL: R any testing gitadmin DENIED by fallthru
(or you mis-spelled the reponame)
fatal: The remote end hung up unexpectedly

my config file now looks like this:

repo testing
    RW+ = william_slepecki 

and my .ssh config is unchanged. in addition, i have this in my log

2012-05-08.13:01:13     19027   ssh     ARGV=gitadmin   SOC=git-upload-pack 'testing.git'       FROM=10.99.5.146
2012-05-08.13:01:13     19027           access(testing, gitadmin, R, 'any'),-> R any testing gitadmin DENIED by fallthru
2012-05-08.13:01:13     19027           trigger,Writable,access_1,ACCESS_1,testing,gitadmin,R,any,R any testing gitadmin DENIED by fallthru

and here is the top snip of my global git config

[user]
    name = Willie Slepecki
    email = william_slepecki@compaid.com

why in the world is this still insisting that gitadmin be on the repo and why is it not using william_slepecki? where exactly does this get the name to use?

Answer 1

I'll just point your 2 main errors:

1st error: Gitolite uses only the user part (the one previous to '@') of the keys found in the keydir.
For example: gitolite recognize only one user, william_slepecki, for the keys william_slepecki@compaid.com.pub and william_slepecki@anothercompaid.org.pub, the only point here is that this user can authenticate with 2 different keys, you can't give permissions to keys, only to users.

2nd error: Your gitolite service is provided only by one normal system user, probably git, so the connections should be made to git@server.com:repo.git, gitolite users don't need or have a system account, just a ssh key, so connecting to william_slepecki@server.com:repo.git would never work

Answer 2

Well, my problem was several fold.

First, i misunderstood the role of the gitadmin key. i thought that since that is the only user that has an actual account on the server that it needed to be on all the developers workstations. Turns out that was wrong. gitolite takes the keys in the keydir directory and adds them to the git/.ssh/authenticated_keys file on a push. This allows all the keys in the keydir to login as the user git on the machine. Since the git user does not have a console associated with it, there is no security hole.

Second, my ~/.ssh/conf file. Since i didn't understand how #1 worked, I thought git was passing the email address somehow as the username as part of the git commands. Once I figured out #1, i was able to clean the config file to map the git@server user and use my normal for everything else.

Once those two issues were understood and worked out, all permissions started working correctly. I have now replaced the gitadmin user key on the server to invalidate the ones on developers stations and updated all my developers configs. Management is happy again.

thanks everyone.