Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

gitolite: allow to change only selelected files

Tags:

git

gitolite

How to configure git and gitolite to allow specific user to change just files that are inside specific directory?

e.g. files in origin master branch:

/dir1/
/dir2/file1
/dir2/file2
/dir3/file1

User kathrine, allow to change only /dir2/file1 and /dir2/file2

$kathrine: git clone [email protected]:test.git

results in:

/dir2/file1
/dir2/file2

Are there any per-dir directives in gitolite.conf or shall I configure git with new branch for this user?

I just don't want graphics designer to have access to the source code files.

like image 501
takeshin Avatar asked Jul 08 '10 14:07

takeshin


1 Answers

2010: For Gitolite 2 (might have changed for gitolite 3)

No (meaning a dedicated branch with the right content needs to be created).

As the author of gitolite himself put it:

I am the author of a project called gitolite that does an excellent job of branch-level access control for multiple git repositories on a central server. My target "market" is precisely corporate users of git.

So far, I have not seen a situation where read-access needs to be restricted to ortions of a repo (git can't do that anyway).

[well sparse checkout might help, but it is not easy anyway)

Write-access does often need to be restricted, and gitolite can let you restrict:

  • both by branch name (e.g. only the QA lead can push a commit series into the "QA-done" branch)
  • or by filename (e.g., only the team lead can make changes to the Makefile and files in src/very-important-and-critical-module).

See the section "security, access control, and auditing", and here is an example of write access:

The conf/example.conf file has all the detailed syntax:

repo foo
        RW+ = lead_dev # rule 1
        RW = dev1 dev2 dev3 dev4 # rule 2

        RW NAME/ = lead_dev # rule 3
        RW NAME/doc/ = dev1 dev2 # rule 4
        RW NAME/src/ = dev1 dev2 dev3 dev4 # rule 5

each file touched by the commits being pushed is checked against those rules.

  • lead_dev can push changes to any files,
  • dev1/2 can push changes to files in "doc/" and "src/" (but not the top level README),
  • and dev3/4 can only push changes to files in "src/".

That being said, the tough question remains, as the OP puts it:

how do I create new branch witch some selected files only, and delete the previous commits, so the graphic designer could not access them, and see only the selected ones after the clone?

General principle:

create 'graph_designer' branch at a point in history where those files weren't present.

From there, two choices:

  • either reorganize your current commits (git rebase --interactive) in order to have first the one with only dir2 files (and then commits impacting any other directory)
  • or, if the first choice represents too much work (or isn't possible because those commits have already been pushed and pulled in other repos), simply copy and add the relevant files in that new branch.
    That means, no past history for those files, but they might not need that history right from the beginning.

That 'graph_designer' will be the only branch allowed to be cloned, and won't contain any history with non-authorized files.

like image 139
VonC Avatar answered Nov 01 '22 18:11

VonC