Good Morning, I need to pitch an Enterprise level code management system. This system needs to have some fairly strict read-only vs. read/write requirements based on environment.
I first asked this question in Stack Overflow <http://stackoverflow.com/questions/34404372/git-push-pull-restrict-by-subdomain>, but I need to flesh out additional details... Posit three environments identified by their subdomains: DEV.example.com, TEST.example.com, and PROD.example.com. - The three subdomains have firewalls between them, and cross-domain access is the exception, not the rule. - DEV is the only subdomain that is allowed to push code to a central git repository. - TEST and PROD MUST <https://www.ietf.org/rfc/rfc2119.txt> be pull only. Repositories MUST NOT be modifiable from these subdomains. - Include the possibility that developers and testers may be the same people, so user-based access control to a single git repository won't work. The solution that I came up with use two repository servers: git.DEV.example.com and git.PROD.example.com. - Projects in git.DEV.example.com include - Project directories owned by git:<group>. - Group-based access control via "git init --shared=group /path/to/project". - Push control set with "git remote add -t master -m master --mirror=push gitPROD ssh://[email protected]/path/to/project.git " - The "git push gitPROD" command in hooks/post-update. - git-web installed, but push access via SSH only. (WebDAV probably wouldn't be approved by security.) - Matching projects in git.PROD.example.com would include - Project directories owned by git:git. - Access control via "git init --bare --shared=0644 /path/to/project.git". - git-web installed, and read access available via http. Firewall modifications would be made to allow http GET access from anywhere in TEST or PROD. So, a developer has a git repository in their local workspace. When they're happy with their code, in whatever branch they're on, they push to git.DEV.example.com as their central repository in DEV. When that push happens, git.DEV.example.com automagically pushes the MASTER branch ONLY up to git.PROD.example.com. (If MASTER isn't changed, existing "no changes to push" results are fine.) Here are my questions: - Am I missing a substantially easier solution? - For "--shared=group" is the group membership of the .git directory the relevant group? I think so, but I would appreciate verification. - When the post-update script fires, who is the initiating user? - Is it the developer pushing to the repository? - Is it the user associated with the .git directory? - I need to know what user is launching the "git push gitPROD" in order to allow/limit access on git.PROD.example.com. Thanks! David -- You received this message because you are subscribed to the Google Groups "Git for human beings" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
