git.vger.kernel.org archive mirror
* building git ; need suggestion
@ 2013-03-15 12:24 Joydeep Bakshi
  2013-03-15 12:43 ` Joydeep Bakshi
  2013-03-15 12:44 ` Fredrik Gustafsson
  0 siblings, 2 replies; 10+ messages in thread
From: Joydeep Bakshi @ 2013-03-15 12:24 UTC (permalink / raw)
  To: git

Hello list,

Greetings !!!

I'm building a git repo on a dedicated server; hence need some kind guidelines from you.

[1] the server will have different git repo with branches
[2] there will be a web-based GUI which must be flexible to show just a specific branch of a repo based on user authentication
[3] the web-based GUI should also have the flexibility to show a single repo based on the authentication
[4] the web-based GUI should have an admin account to supervise and configure all repos along with their branches
[3] there must be a control mechanism in the repo/web based GUI which have ACL on branches i.e.
some specific users should see some specific/ or just a branch and able to commit there only.

based on the above scenario could anyone suggest the best available solution ?
There are many like gitolite/github etc. but don't know which one has much finer granular
control/ACL/web-based GUI…

Thanks in advance for your kind response.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: building git ; need suggestion
  2013-03-15 12:24 building git ; need suggestion Joydeep Bakshi
@ 2013-03-15 12:43 ` Joydeep Bakshi
  2013-03-15 12:44 ` Fredrik Gustafsson
  1 sibling, 0 replies; 10+ messages in thread
From: Joydeep Bakshi @ 2013-03-15 12:43 UTC (permalink / raw)
  To: git


forgot to mention:
------------------------

a code review system like gerrit is also helpful, but don't know if gerrit
has such fine control mechanism.




On 15-Mar-2013, at 5:54 PM, Joydeep Bakshi <joydeep.bakshi@infoservices.in> wrote:

> Hello list,
> 
> Greetings !!!
> 
> I'm building a git repo on a dedicated server; hence need some kind guidelines from you.
> 
> [1] the server will have different git repo with branches
> [2] there will be a web-based GUI which must be flexible to show just a specific branch of a repo based on user authentication
> [3] the web-based GUI should also have the flexibility to show a single repo based on the authentication
> [4] the web-based GUI should have an admin account to supervise and configure all repos along with their branches
> [3] there must be a control mechanism in the repo/web based GUI which have ACL on branches i.e.
> some specific users should see some specific/ or just a branch and able to commit there only.
> 
> based on the above scenario could anyone suggest the best available solution ?
> There are many like gitolite/github etc. but don't know which one has much finer granular
> control/ACL/web-based GUI…
> 
> Thanks in advance for your kind response.
> 
> --
> To unsubscribe from this list: send the line "unsubscribe git" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: building git ; need suggestion
  2013-03-15 12:24 building git ; need suggestion Joydeep Bakshi
  2013-03-15 12:43 ` Joydeep Bakshi
@ 2013-03-15 12:44 ` Fredrik Gustafsson
  2013-03-15 12:52   ` Joydeep Bakshi
  2013-03-15 13:56   ` Konstantin Khomoutov
  1 sibling, 2 replies; 10+ messages in thread
From: Fredrik Gustafsson @ 2013-03-15 12:44 UTC (permalink / raw)
  To: Joydeep Bakshi; +Cc: git

On Fri, Mar 15, 2013 at 05:54:05PM +0530, Joydeep Bakshi wrote:
> [1] the server will have different git repo with branches
> [2] there will be a web-based GUI which must be flexible to show just a specific branch of a repo based on user authentication
> [3] the web-based GUI should also have the flexibility to show a single repo based on the authentication
> [4] the web-based GUI should have an admin account to supervise and configure all repos along with their branches
> [3] there must be a control mechanism in the repo/web based GUI which have ACL on branches i.e.
> some specific users should see some specific/ or just a branch and able to commit there only.
> 
> based on the above scenario could anyone suggest the best available solution ?
> There are many like gitolite/github etc. but don't know which one has much finer granular
> control/ACL/web-based GUI…

gitolite has a more fine ACL. Check it out. However it doesn't really
meet your needs with web-interface (and I'm not even sure the ACL
thing is fine enough for you). You can read more about ACL in the git
book: http://git-scm.com/book/ch7-4.html

The webgui that's most popular is cgit and git-web. They don't do ACL
afaik.

Why would you need ACL? Why not just not share the branches that are going
to be secret? Or are you looking for some branches to be read only?

When we did this, we did a simple gitolite implementation ourselves and
integrated cgit on our website which already had ACL. It works well.
However we do ACL on repo-level, not on branch level.

You can also look into git-submodules which will make it possible for
you to do repo-wide ACL.

However I'm not sure you will be using git in the way git is designed
to and even if it will work, maybe another solution is better for you.

-- 
With kind regards
Fredrik Gustafsson

tel: 0733-608274
e-mail: iveqy@iveqy.com

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: building git ; need suggestion
  2013-03-15 12:44 ` Fredrik Gustafsson
@ 2013-03-15 12:52   ` Joydeep Bakshi
  2013-03-15 13:14     ` Magnus Bäck
  2013-03-15 17:25     ` Paul Campbell
  2013-03-15 13:56   ` Konstantin Khomoutov
  1 sibling, 2 replies; 10+ messages in thread
From: Joydeep Bakshi @ 2013-03-15 12:52 UTC (permalink / raw)
  To: Fredrik Gustafsson; +Cc: git


On 15-Mar-2013, at 6:14 PM, Fredrik Gustafsson <iveqy@iveqy.com> wrote:

> On Fri, Mar 15, 2013 at 05:54:05PM +0530, Joydeep Bakshi wrote:
>> [1] the server will have different git repo with branches
>> [2] there will be a web-based GUI which must be flexible to show just a specific branch of a repo based on user authentication
>> [3] the web-based GUI should also have the flexibility to show a single repo based on the authentication
>> [4] the web-based GUI should have an admin account to supervise and configure all repos along with their branches
>> [3] there must be a control mechanism in the repo/web based GUI which have ACL on branches i.e.
>> some specific users should see some specific/ or just a branch and able to commit there only.
>> 
>> based on the above scenario could anyone suggest the best available solution ?
>> There are many like gitolite/github etc. but don't know which one has much finer granular
>> control/ACL/web-based GUI…
> 
> gitolite has a more fine ACL. Check it out. However it doesn't really
> meet your needs with web-interface (and I'm not even sure the ACL
> thing is fine enough for you). You can read more about ACL in the git
> book: http://git-scm.com/book/ch7-4.html
> 
> The webgui that's most popular is cgit and git-web. They don't do ACL
> afaik.
> 
> Why would you need ACL? Why not just not share the branches that are going
> to be secret? Or are you looking for some branches to be read only?

Actually the branches have to be dedicated to a group of users.
developer branch ---> developers
bug fixed branch ---> bug fixer

and a specific group doesn't need RW permission on other branches.
Obviously the admin must have the full permission on all these branches
and merge as per requirement.

The web-interface is required for checking the history by the users themselves
and for code review. I don't know any web interface which can show repo/branch
based on authentication. I have tried gitweb but it can handle a single repo or multiple
repos with single authentication. NO ACL
 

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: building git ; need suggestion
  2013-03-15 12:52   ` Joydeep Bakshi
@ 2013-03-15 13:14     ` Magnus Bäck
  2013-03-18  5:44       ` Joydeep Bakshi
  2013-03-15 17:25     ` Paul Campbell
  1 sibling, 1 reply; 10+ messages in thread
From: Magnus Bäck @ 2013-03-15 13:14 UTC (permalink / raw)
  To: Joydeep Bakshi; +Cc: Fredrik Gustafsson, git

On Friday, March 15, 2013 at 08:52 EDT,
     Joydeep Bakshi <joydeep.bakshi@infoservices.in> wrote:

> On 15-Mar-2013, at 6:14 PM, Fredrik Gustafsson <iveqy@iveqy.com> wrote:
> 
> > gitolite has a more fine ACL. Check it out. However it doesn't
> > really meet your needs with web-interface (and I'm not even sure
> > the ACL thing is fine enough for you). You can read more about
> > ACL in the git book: http://git-scm.com/book/ch7-4.html
> > 
> > The webgui that's most popular is cgit and git-web. They don't do
> > ACL afaik.
> > 
> > Why would you need ACL? Why not just not share the branches that are
> > going to be secret? Or are you looking for some branches to be read
> > only?
> 
> Actually the branches have to be dedicated to a group of users.
> developer branch ---> developers
> bug fixed branch ---> bug fixer
> 
> and a specific group doesn't need RW permission on other branches.
> Obviously the admin must have the full permission on all these branches
> and merge as per requirement.

Right, but that's R/W permissions. Almost any piece of Git hosting
software supports restriction of pushes. Discriminating *read* access
between developers and maintenance people sounds like a disaster if it's
the same organization. Well, it sounds like a disaster even if there are
two different organizations working on development and maintenance, but
at least it's a reason.

Anyway, Gerrit supports per-branch read ACLs. As long as all changes go
through code review, perhaps Gerrit web interface works sufficiently
well as a repository viewer? Pushes that bypass code review won't show
up there.

http://gerrit-documentation.googlecode.com/svn/Documentation/2.5/access-control.html#category_read

> The web-interface is required for checking the history by the users
> themselves and for code review. I don't know any web interface which
> can show repo/branch based on authentication. I have tried gitweb but
> it can handle a single repo or multiple repo with single
> authentication. NO ACL

If you just have two levels of access you could have two separate
Gitweb sites and use Gerrit to replicate a subset of the branches
to each site. You could e.g. have gitweb-dev.example.com and
gitweb-maint.example.com and grant access to those sites accordingly.

-- 
Magnus Bäck
baeck@google.com

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: building git ; need suggestion
  2013-03-15 12:44 ` Fredrik Gustafsson
  2013-03-15 12:52   ` Joydeep Bakshi
@ 2013-03-15 13:56   ` Konstantin Khomoutov
  1 sibling, 0 replies; 10+ messages in thread
From: Konstantin Khomoutov @ 2013-03-15 13:56 UTC (permalink / raw)
  To: Fredrik Gustafsson; +Cc: Joydeep Bakshi, git

On Fri, 15 Mar 2013 13:44:15 +0100
Fredrik Gustafsson <iveqy@iveqy.com> wrote:

[...]
> The webgui that's most popular is cgit and git-web. They don't do ACL
> afaik.

gitweb passes around branch names using a specific parameter in the
GET queries it operates on, like
http://gitweb.domain.local/?p=repo.git;a=shortlog;h=refs/heads/master

So I think it should be possible to somehow implement different
access rules in the front-end web server based on the queries.

^ permalink raw reply	[flat|nested] 10+ messages in thread
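
An added example (not from any poster in the thread) of the front-end check Konstantin Khomoutov describes: a default-deny test of a gitweb query string against a per-user list of readable refs. The users, the ACL and the function names are assumptions; gitweb's `h` can name any revision and parameters such as `hb` select revisions too, so only an exact ref name in `h` is accepted and every other parameter is refused.

```shell
#!/bin/bash
# Added example: default-deny filter for gitweb query strings.
# The users and the read ACL below are constructed for illustration.

# readable_refs USER REPO -> full ref names USER may view, one per line
readable_refs() {
  case "$1:$2" in
    admin:repo.git)
      printf '%s\n' refs/heads/master refs/heads/dev refs/heads/testing ;;
    dev1:repo.git|dev2:repo.git)   echo refs/heads/dev ;;
    test1:repo.git|test2:repo.git) echo refs/heads/testing ;;
  esac
}

# gitweb_allowed USER QUERY -> status 0 only if QUERY is a log view of a
# ref that USER may read, e.g. "p=repo.git;a=shortlog;h=refs/heads/dev".
gitweb_allowed() {
  local user="$1" query="$2" repo="" action="" ref="" seen="" pair name
  local safe='A-Za-z0-9=;&/._-'
  # Refuse encoded or unusual input instead of decoding it, so this filter
  # and gitweb can never read the same parameter differently.
  case "$query" in *[!$safe]*) return 1 ;; esac

  local IFS=';&'                 # gitweb writes ';', CGI also accepts '&'
  for pair in $query; do
    name=${pair%%=*}
    case " $seen " in *" $name "*) return 1 ;; esac   # repeated parameter
    seen="$seen $name"
    case "$pair" in
      p=*) repo=${pair#p=} ;;
      a=*) action=${pair#a=} ;;
      h=*) ref=${pair#h=} ;;
      *)   return 1 ;;           # hb, hp, f, ...: not covered by the ACL, deny
    esac
  done

  [ -n "$repo" ] && [ -n "$ref" ] || return 1
  case "$action" in shortlog|log) ;; *) return 1 ;; esac
  # Exact, whole-line match against the user's list; short names and
  # object ids in h never match.
  readable_refs "$user" "$repo" | grep -Fxq -- "$ref"
}

# Constructed requests, modelled on the URL quoted in the message.
for q in 'p=repo.git;a=shortlog;h=refs/heads/dev' \
         'p=repo.git;a=shortlog;h=refs/heads/master' \
         'p=repo.git;a=summary'; do
  if gitweb_allowed dev1 "$q"; then echo "allow $q"; else echo "deny  $q"; fi
done
```

A front-end would call `gitweb_allowed` with the authenticated user name and the request's query string before passing the request on to gitweb. The check only limits which URLs are served; it does not change what the repository itself contains.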

* Re: building git ; need suggestion
  2013-03-15 12:52   ` Joydeep Bakshi
  2013-03-15 13:14     ` Magnus Bäck
@ 2013-03-15 17:25     ` Paul Campbell
  1 sibling, 0 replies; 10+ messages in thread
From: Paul Campbell @ 2013-03-15 17:25 UTC (permalink / raw)
  To: Joydeep Bakshi; +Cc: Fredrik Gustafsson, git

On Fri, Mar 15, 2013 at 12:52 PM, Joydeep Bakshi
<joydeep.bakshi@infoservices.in> wrote:
>
> On 15-Mar-2013, at 6:14 PM, Fredrik Gustafsson <iveqy@iveqy.com> wrote:
>
>> On Fri, Mar 15, 2013 at 05:54:05PM +0530, Joydeep Bakshi wrote:
>>> [1] the server will have different git repo with branches
>>> [2] there will be a web-based GUI which must be flexible to show just a specific branch of a repo based on user authentication
>>> [3] the web-based GUI should also have the flexibility to show a single repo based on the authentication
>>> [4] the web-based GUI should have an admin account to supervise and configure all repos along with their branches
>>> [3] there must be a control mechanism in the repo/web based GUI which have ACL on branches i.e.
>>> some specific users should see some specific/ or just a branch and able to commit there only.
>>>
>>> based on the above scenario could anyone suggest the best available solution ?
>>> There are many like gitolite/github etc. but don't know which one has much finer granular
>>> control/ACL/web-based GUI…
>>
>> gitolite has a more fine ACL. Check it out. However it doesn't really
>> meet your needs with web-interface (and I'm not even sure the ACL
>> thing is fine enough for you). You can read more about ACL in the git
>> book: http://git-scm.com/book/ch7-4.html
>>
>> The webgui that's most popular is cgit and git-web. They don't do ACL
>> afaik.
>>
>> Why would you need ACL? Why not just not share the branches that are going
>> to be secret? Or are you looking for some branches to be read only?
>
> Actually the branches have to be dedicated to a group of users.
> developer branch ---> developers
> bug fixed branch ---> bug fixer
>
> and a specific group doesn't need RW permission on other branches.
> Obviously the admin must have the full permission on all these branches
> and merge as per requirement.
>
> The web-interface is required for checking the history by the users themselves
> and for code review. I don't know any web interface which can show repo/branch
> based on authentication. I have tried gitweb but it can handle a single repo or multiple
> repos with single authentication. NO ACL

I think you would need to have a separate repo for each group. Then
only push the appropriate branches to each repo.

-- 
Paul [W] Campbell

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: building git ; need suggestion
  2013-03-15 13:14     ` Magnus Bäck
@ 2013-03-18  5:44       ` Joydeep Bakshi
  2013-03-18 12:24         ` Joydeep Bakshi
  0 siblings, 1 reply; 10+ messages in thread
From: Joydeep Bakshi @ 2013-03-18  5:44 UTC (permalink / raw)
  To: Magnus Bäck; +Cc: Fredrik Gustafsson, git


On 15-Mar-2013, at 6:44 PM, Magnus Bäck <baeck@google.com> wrote:
>> 
> 
> Right, but that's R/W permissions. Almost any piece of Git hosting
> software supports restriction of pushes. Discriminating *read* access
> between developers and maintenance people sounds like a disaster if it's
> the same organisation. 

Just restriction on push access is what is required.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: building git ; need suggestion
  2013-03-18  5:44       ` Joydeep Bakshi
@ 2013-03-18 12:24         ` Joydeep Bakshi
  2013-03-19  2:11           ` David Aguilar
  0 siblings, 1 reply; 10+ messages in thread
From: Joydeep Bakshi @ 2013-03-18 12:24 UTC (permalink / raw)
  To: Magnus Bäck; +Cc: Fredrik Gustafsson, git

I'm closer to my requirement. I have found gitweb simply provides a GUI for history check
and code comparison. And the git itself is good enough to do the ACL stuff with hooks.

I already have the following code to deploy the push into its work-tree

===========================
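#!/bin/bash
# Reads one "<old-sha> <new-sha> <refname>" line per pushed ref on stdin.

while read -r oldrev newrev ref
do
  # Strip the refs/heads/ prefix. Tags and other refs keep their full name,
  # so a tag called "master" no longer matches a branch below.
  branch=${ref#refs/heads/}

  if [ "master" = "$branch" ]; then
    git --work-tree=/path/under/root/dir/live-site/ checkout -f "$branch"
    echo 'Changes pushed live.'
  fi

  if [ "dev" = "$branch" ]; then
    git --work-tree=/path/under/root/dir/dev-site/ checkout -f "$branch"
    echo 'Changes pushed to dev.'
  fi
done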
=========================

This code can be extended for as many branches as you have.

I now need a mechanism to restrict the user to its own branch so that the user can't push into
any other branch by mistake.

Say I have

master branch -> only admin user can push here.
dev branch -> only user dev1, dev2 and master can push here.
testing branch -> only user test1 and test2 can push here.

I think this can also be done with a pre-receive hook. Any suggestion on the hook design is
welcome. Also this can be implemented in the above hook or in a separate hook.
A separate hook is better due to maintainability and then I need to call multiple
pre-receive hooks. Please suggest.

Thanks



On 18-Mar-2013, at 11:14 AM, Joydeep Bakshi <joydeep.bakshi@infoservices.in> wrote:

> 
> On 15-Mar-2013, at 6:44 PM, Magnus Bäck <baeck@google.com> wrote:
>>> 
>> 
>> Right, but that's R/W permissions. Almost any piece of Git hosting
>> software supports restriction of pushes. Discriminating *read* access
>> between developers and maintenance people sounds like a disaster if it's
>> the same organisation. 
> 
> Just restriction on push access is what is required.
> 

^ permalink raw reply	[flat|nested] 10+ messages in thread
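
An added example (not part of the original message, and not gitolite's code) of the separate pre-receive hook asked about above, using the branch-to-user table from the message. It assumes the "master" listed for the dev branch means the admin user, and that the authenticated pusher's name is available in a hypothetical `PUSH_USER` variable, falling back to the Unix login.

```shell
#!/bin/bash
# pre-receive hook: refuse a push when any updated ref is outside the
# pusher's branch list. Added example; the table follows the message above.

# allowed_users REF -> users who may update REF
allowed_users() {
  case "$1" in
    refs/heads/master)  echo "admin" ;;
    refs/heads/dev)     echo "dev1 dev2 admin" ;;   # "master" read as admin (assumption)
    refs/heads/testing) echo "test1 test2 admin" ;; # admin has full permission
    *)                  echo "admin" ;;             # tags, new branches: admin only
  esac
}

# may_push USER REF -> status 0 if USER may update REF
may_push() {
  local user="$1" ref="$2" u
  [ -n "$user" ] || return 1        # no identity, no push
  for u in $(allowed_users "$ref"); do
    [ "$u" = "$user" ] && return 0
  done
  return 1
}

# check_push USER -> reads "<old-sha> <new-sha> <ref>" lines on stdin, the
# format git feeds to pre-receive; prints each refused ref, returns 1 if any.
check_push() {
  local user="$1" old new ref status=0
  while read -r old new ref; do
    if ! may_push "$user" "$ref"; then
      echo "DENIED: $user may not update $ref"
      status=1
    fi
  done
  return "$status"
}

if [ -n "${GIT_DIR:-}" ]; then
  # Running as a hook (git exports GIT_DIR). PUSH_USER is a hypothetical
  # variable to be set from the server's authentication layer.
  check_push "${PUSH_USER:-$(id -un)}" >&2 || exit 1
else
  # Constructed sample: dev1 sends dev and master in one push.
  z=0000000000000000000000000000000000000000
  printf '%s\n' "$z 1111111 refs/heads/dev" "$z 2222222 refs/heads/master" |
    check_push dev1 || echo "push rejected"
fi
```

Git rejects the entire push when pre-receive exits non-zero, so one refused ref blocks the others sent with it. The user name has to come from the transport's authentication, since commit author fields are set by the client.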

* Re: building git ; need suggestion
  2013-03-18 12:24         ` Joydeep Bakshi
@ 2013-03-19  2:11           ` David Aguilar
  0 siblings, 0 replies; 10+ messages in thread
From: David Aguilar @ 2013-03-19  2:11 UTC (permalink / raw)
  To: Joydeep Bakshi; +Cc: Magnus Bäck, Fredrik Gustafsson, git

On Mon, Mar 18, 2013 at 5:24 AM, Joydeep Bakshi
<joydeep.bakshi@infoservices.in> wrote:
> I'm closer to my requirement. I have found gitweb simply provides a GUI for history check
> and code comparison. And the git itself is good enough to do the ACL stuff with hooks.
>
> I already have the following code to deploy the push into its work-tree

You should try gitolite.  It has very flexible rules,
and it's already been implemented for you ;-)

https://github.com/sitaramc/gitolite



> ===========================
> #!/bin/bash
> # Reads one "<old-sha> <new-sha> <refname>" line per pushed ref on stdin.
>
> while read -r oldrev newrev ref
> do
>   # Strip the refs/heads/ prefix. Tags and other refs keep their full name,
>   # so a tag called "master" no longer matches a branch below.
>   branch=${ref#refs/heads/}
>
>   if [ "master" = "$branch" ]; then
>     git --work-tree=/path/under/root/dir/live-site/ checkout -f "$branch"
>     echo 'Changes pushed live.'
>   fi
>
>   if [ "dev" = "$branch" ]; then
>     git --work-tree=/path/under/root/dir/dev-site/ checkout -f "$branch"
>     echo 'Changes pushed to dev.'
>   fi
> done
> =========================
>
> This code can be extended for as many branches as you have.
>
> I now need a mechanism to restrict the user to its own branch so that the user can't push into
> any other branch by mistake.
>
> Say I have
>
> master branch -> only admin user can push here.
> dev branch -> only user dev1, dev2 and master can push here.
> testing branch -> only user test1 and test2 can push here.
>
> I think this can also be done with a pre-receive hook. Any suggestion on the hook design is
> welcome. Also this can be implemented in the above hook or in a separate hook.
> A separate hook is better due to maintainability and then I need to call multiple
> pre-receive hooks. Please suggest.
>
> Thanks
>
>
>
> On 18-Mar-2013, at 11:14 AM, Joydeep Bakshi <joydeep.bakshi@infoservices.in> wrote:
>
>>
>> On 15-Mar-2013, at 6:44 PM, Magnus Bäck <baeck@google.com> wrote:
>>>>
>>>
>>> Right, but that's R/W permissions. Almost any piece of Git hosting
>>> software supports restriction of pushes. Discriminating *read* access
>>> between developers and maintenance people sounds like a disaster if it's
>>> the same organisation.
>>
>> Just restriction on push access is what is required.



-- 
David

^ permalink raw reply	[flat|nested] 10+ messages in thread
