7

I am setting up a development environment on a shared server for multiple developers. I will have one repository that houses all code used in production, and many others used for development by different members of the team. What I would like is for the production repo to be 'pull only'. Users can pull from it and get production changes locally whenever they want, but pushes need to be handled by a production admin, or at least require a password. Something like:

[user@machine /devroot/myrepo]$ git pull $PRODUCTION master
From <location>
*branch             master       ->  FETCH_HEAD
Already up-to-date 

[user@machine /devroot/myrepo]$ git push $PRODUCTION master
error: user `user` is not authorized for this action

Or

[user@machine /devroot/myrepo]$ git push $PRODUCTION master
HEAD @ `$PRODUCTION`-Please enter password:

I believe I could do this with file permissions, but that doesn't strike me as an elegant solution. Does git have something like this built in?

zachd1_618

7 Answers

3

If you want complex repository access controls, you may want to look into Gerrit. Its primary focus is code review (which is totally worth having as well!), but it also does access control as a side effect.

Otherwise, if you just want something really simple, file permissions are a perfectly good way of handling this on a single machine. So long as a user can't write to the files in the directory containing the repository, they can't push to it. I see nothing inelegant about that at all!

3

Would a more 'consenting adults' kind of solution work fine?

For example, in git you set up only the remote fetch, and leave the remote push to a dummy non-existing URL, so that a user can't accidentally git push to it.

Edit: this is similar to what is accepted in this question.

Community
Raf
2

You can use gitolite or gitosis. Then you can create lists of users who can pull, push each branch, who can create tags etc.

I know gitolite better than gitosis. The configuration is only a git repository with simple syntax for the files.

Jean Waghetti
1

I agree with @duskwuff. Take a look at this branching model. This will help you achieve pull-only without Gerrit.

Vikram
1

Git itself does not include any rights management.

You can achieve this one level higher, in the software that manages your git repositories (if you go for a somewhat centralized approach, but I guess most companies want this). So gitolite ( http://gitolite.com/gitolite/ ) or GitLab ( http://gitlab.org/ ) can do this.

mnagel
0

A simple solution for this is a user's profile, /etc/profile.d/git_restrictions.sh:

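# Shell function that shadows the git binary in shells that source this file
function git() {
    # "$*" joins all arguments, so only the bare subcommands match
    if [[ "$*" == 'pull' ]] || [[ "$*" == 'status' ]] || [[ "$*" == 'help' ]]; then
        echo "git $*"
        # 'command' bypasses this function and runs the real git
        command git "$@"
    else
        echo " Allowed GIT commands on this server are:"
        echo " - git pull"
        echo " - git help"
        echo " - git status"
    fi
}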

Then when you run anything other than the commands listed above, this happens:

 Allowed GIT commands on this server are:
 - git pull
 - git help
 - git status
Hristo
0

You can use separate pull and push repository URLs. Please refer to the documentation for the rules, and this Q&A for details and discussion.

TFuto
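
The separate push URL suggested in the answer above and in Raf's earlier answer, as an added shell example that is not part of any original answer: it builds a throwaway production repository and checks that pull works, that a default push fails, and that a push naming the real URL is still accepted, so the guard prevents accidents and access control still has to be enforced on the server side (file permissions, gitolite). The sandbox paths, the demo identity and the `no_push` placeholder URL are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example. Paths, identity and the 'no_push' placeholder are constructed.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# commit_file <worktree> <message>: record one change in a working tree
commit_file() {
    echo "$2" >> "$1/app.txt"
    git -C "$1" add app.txt && git -C "$1" commit -q -m "$2"
}

# Create a bare "production" repo, seed it from an admin tree, clone it as dev.
setup_sandbox() {
    SANDBOX=$(mktemp -d) || return 1
    PROD="$SANDBOX/production.git"; ADMIN="$SANDBOX/admin"; DEV="$SANDBOX/dev"
    git init -q --bare "$PROD" && git -C "$PROD" symbolic-ref HEAD refs/heads/master
    git init -q "$ADMIN" && git -C "$ADMIN" symbolic-ref HEAD refs/heads/master
    commit_file "$ADMIN" "release 1" && git -C "$ADMIN" push -q "$PROD" master
    git clone -q "$PROD" "$DEV"
    # The guard: the fetch URL stays real, the push URL points at nothing.
    git -C "$DEV" remote set-url --push origin no_push
}
cleanup_sandbox() { rm -rf "$SANDBOX"; }
prod_head() { git -C "$PROD" rev-parse refs/heads/master; }

# Pull still works: dev picks up a release the admin published afterwards.
dev_can_pull() {
    commit_file "$ADMIN" "release 2" && git -C "$ADMIN" push -q "$PROD" master
    git -C "$DEV" pull -q origin master &&
        [ "$(git -C "$DEV" rev-parse HEAD)" = "$(prod_head)" ]
}

# 'git push origin master' from dev fails and production is unchanged.
default_push_blocked() {
    before=$(prod_head)
    commit_file "$DEV" "dev change"
    ! git -C "$DEV" push -q origin master 2>/dev/null &&
        [ "$(prod_head)" = "$before" ]
}

# Naming the real URL skips the push URL setting: production accepts the push.
explicit_url_push_succeeds() {
    git -C "$DEV" push -q "$PROD" master &&
        [ "$(prod_head)" = "$(git -C "$DEV" rev-parse HEAD)" ]
}

setup_sandbox && dev_can_pull && echo "pull: ok" &&
    default_push_blocked && echo "push via origin: blocked" &&
    explicit_url_push_succeeds && echo "push via real URL: accepted"
cleanup_sandbox
```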