I'm really at a loss here. I've read through quite a few examples, and tried all of them. The most basic ones work fine, but anytime I try to move to something a bit more complicated everything falls apart (even when I'm directly copying the example). Also, for the record I am on gitolite version 3 as shown by the server spam:
this is gitolite@ubuntuserver running gitolite3 v3.1-2-g3eefc06 on git 1.7.9.5
All this said what I am TRYING to accomplish is (I THINK) relatively simple. I have a group of junior developers [@scrubs], and I only want them to create and commit to new branches, and be able to read/pull master. That way I can review their code before it gets merged in.
I have a group of senior developers [@vets] that I want to have free reign.
My config file is as follows:
@scrubs = al ted matthew
@vets = kevin will guy
@offlimitbranches = master$
repo gitolite-admin
RW+ = @vets matthew
repo dawebsite
RW+ = @vets
- @offlimitbranches = @scrubs
RW+ = @scrubs
R @offlimitbranches = @scrubs
R = daemon
option deny-rules = 1
dawebsite "Owner" = "This is THE site"
I noticed nothing worked at all for denying till I added :
option deny-rules = 1
of which I think I found in maybe one out of 20 examples (a touch of a rant forgive the frustration.
With this current set up vets can do anything as expected.
scrubs can neither pull or push to master (and I think that's because it grabs the first rule it can possible match?) Scrubs also can not pull or push to any non master branch, nor push newly created branches. Each attempt returns the same message "FATAL: [R/W] any dawebsite matthew DENIED by refs/heads/master$"
I've tried using master, master$, @offlimitbranches and even refs/heads/master to no avail for the branch ref.
If anyone can help shed some light on this for me I'd be quite appreciative.
Update**
Playing around with things I've noticed that if i remove matthew from the scrubs group and try to manipulate him directly with
- master$ = matthew
RW+ = matthew
if he moves to a new branch and tried the following: (thanks VonC for the heads up on the logs)
git pull origin newBranch
git push origin newBranch
each returns an error
PULL:
ARGV=matthew SOC=git-upload-pack 'dawebsite.git' FROM=172.24.1.198
access(dawebsite, matthew, R, 'any'),-> R any dawebsite matthew DENIED by refs/heads/master$
trigger,Writable,access_1,ACCESS_1,dawebsite,matthew,R,any,R any dawebsite,matthew DENIED by refs/heads/master$
R any dawebsite matthew DENIED by refs/heads/master$<<newline>>(or you mis-spelled the reponame)
PUSH:
ARGV=matthew SOC=git-receive-pack 'dawebsite.git' FROM=172.24.1.198
access(dawebsite, matthew, W, 'any'),-> W any medehrdev matthew DENIED by refs/heads/master$
trigger,Writable,access_1,ACCESS_1,dawebsite,matthew,W,any,W any dawebsite matthew DENIED by refs/heads/master$
W any dawebsite matthew DENIED by refs/heads/master$<<newline>>(or you mis-spelled the reponame)
It seems all my branches match against the ref master$ is that because they are all spawned off of master?
My config, that is working now:
@gatekeepers = ustimenko
@developers = ustimenko user1 user2
@deployers = puppet
@project = repo1
@project = cakephp
repo @project
RW+ = @gatekeepers
R master develop = @developers
- master develop = @developers
RW+ = @developers
R = @deployers
- Gatekeepers have full access.
- Developers can read master and develop branches, then they denied other actions there.
- Developers can do all other things.
- Deployers can read all.
Hmm i have looked in the documentation. And tried it here.
@anything is for a group of users or other groups. What you try there is not correct. You can't use the "@" operator as variable sign. Documentation of Groups
repo dawebsite
RW+ = @vets
- branch1 = @scrubs
RW+ = @scrubs
R branch1 = @scrubs
R = daemon
option deny-rules = 1
来源:https://stackoverflow.com/questions/12980750/gitolite-permissions-on-branches