git-annex/doc/todo/gitolite_and_gitosis_support.mdwn
2011-10-15 13:30:04 -04:00

50 lines
2 KiB
Markdown

gitosis and gitolite should support git-annex being used to send/receive
files from the repositories they manage. Users with read-only access
could only get files, while users with write access could also put and drop
files.
Doing this right requires modifying both programs, to add [[git-annex-shell]]
to the list of things they can run, and only allow through appropriate
git-annex-shell subcommands to read-only users.
I have posted an RFC for modifying gitolite to the
[gitolite mailing list](http://groups.google.com/group/gitolite?lnk=srg).
> I have not developed a patch yet, but all that git-annex needs is a way
> to ssh to the server and run the git-annex-shell command there.
> git-annex-shell is very similar to git-shell. So, one way to enable
> it is simply to set GL_ADC_PATH to a directory containing git-annex-shell.
>
> But, that's not optimal, since git-annex-shell will send off receive-pack
> commands to git, which would bypass gitolite's permissions checking.
> Also, it makes sense to limit readonly users to only download, not
> upload/delete files from git-annex. Instead, I suggest adding something
> like this to gitolite's config:
# If set, users with W access can write file contents into the git-annex,
# and users with R access can read file contents from the git-annex.
$GL_GIT_ANNEX = 0;
> If this makes sense, I'm sure I can put a patch together for your
> review. It would involve modifying gl-auth-command so it knows how
> to run git-annex-shell, and how to parse out the "verb" from a
> git-annex-shell command line, and modifying R_COMMANDS and W_COMMANDS.
As I don't write python, someone else is needed to work on gitosis.
--[[Joey]]
## readonly commands
* git-annex-shell configlist $directory
* git-annex-shell inannex $directory [$key ...]
* git-annex-shell sendkey $directory $key
## read-write commands
* git-annex-shell dropkey $directory [$key ...]
* git-annex-shell recvkey $directory $key
## other git-annex-shell parameters
All parameters like --uuid=foo and --force are safe and need to be allowed
through.