Have you looked into using a dedicated server package such as gitosis
or gitolite? I know GitHub also has a version of their software
available as well.
Sounds like a solution similar to what is used on drupal.org might work
for your needs.
Anyone can clone a project from drupal.org using git clone
http://git.drupal.org/project/"name or repo"; however, only users that
have ssh access and have been given commit rights to a project can
commit to the repository, since drupal.org uses ssh access to push any
changes up to their project repos.
On 1/6/2016 10:31 AM, David Barr wrote:
Good Morning,
I need to pitch an Enterprise level code management system. This
system needs to have some fairly strict read-only vs. read/write
requirements based on environment.
I first asked this question in Stack Overflow
<http://stackoverflow.com/questions/34404372/git-push-pull-restrict-by-subdomain>,
but I need to flesh out additional details...
Posit three environments identified by their subdomains:
DEV.example.com, TEST.example.com, and PROD.example.com.
* The three subdomains have firewalls between them, and cross-domain
access is the exception, not the rule.
* DEV is the only subdomain that is allowed to push code to a
central git repository.
* TEST and PROD MUST <https://www.ietf.org/rfc/rfc2119.txt> be pull
only. Repositories MUST NOT be modifiable from these subdomains.
o Include the possibility that developers and testers may be the
same people, so user-based access control to a single git
repository won't work.
The solution that I came up with uses two repository servers:
git.DEV.example.com and git.PROD.example.com.
* Projects in git.DEV.example.com include
o Project directories owned by git:<group>.
o Group-based access control via "git init --shared=group
/path/to/project".
o Push control set with "git remote add -t master -m master
--mirror=push gitPROD
ssh://[email protected]/path/to/project.git"
o The "git push gitPROD" command in hooks/post-update.
o git-web installed, but push access via SSH only. (WebDAV
probably wouldn't be approved by security.)
* Matching projects in git.PROD.example.com would include
o Project directories owned by git:git.
o Access control via "git init --bare --shared=0644
/path/to/project.git".
o git-web installed, and read access available via http.
Firewall modifications would be made to allow http GET access
from anywhere in TEST or PROD.
So, a developer has a git repository in their local workspace. When
they're happy with their code, in whatever branch they're on, they
push to git.DEV.example.com as their central repository in DEV. When
that push happens, git.DEV.example.com automagically pushes the MASTER
branch ONLY up to git.PROD.example.com. (If MASTER isn't changed,
existing "no changes to push" results are fine.)
Here are my questions:
* Am I missing a substantially easier solution?
* For "--shared=group" is the group membership of the .git directory
the relevant group? I think so, but I would appreciate verification.
* When the post-update script fires, who is the initiating user?
o Is it the developer pushing to the repository?
o Is it the user associated with the .git directory?
o I need to know what user is launching the "git push gitPROD"
in order to allow/limit access on git.PROD.example.com.
Thanks!
David
--
You received this message because you are subscribed to the Google
Groups "Git for human beings" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected]
<mailto:[email protected]>.
For more options, visit https://groups.google.com/d/optout.
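The DEV-to-PROD mirror from the quoted post, as an added example that is not part of the thread: a script that builds both servers as temporary local bare repos (an assumption standing in for git.DEV.example.com and git.PROD.example.com), installs a post-update hook that forwards only master, and logs the OS account the hook runs under, which is the account that received the push (the SSH login user), not the owner of the .git directory. It configures a push refspec instead of --mirror=push, because remote.<name>.mirror makes a plain git push send every ref rather than master alone.

```shell
#!/bin/sh
# Added example (not from the thread): the DEV -> PROD layout built in a
# scratch directory. Local bare repos stand in for git.DEV.example.com and
# git.PROD.example.com so the script runs offline (an assumption).
set -eu
export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.com
export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.com
# Creates both servers, pushes master and a feature branch into DEV, and
# prints the scratch directory so the outcome can be inspected.
demo_dev_to_prod() {
  work=$(mktemp -d)
  git init -q --bare "$work/prod.git"                 # pull-only side
  git init -q --bare --shared=group "$work/dev.git"   # group-writable side
  # Push control: a push refspec, so a bare "git push gitPROD" carries
  # refs/heads/master and nothing else (remote.mirror would send every ref).
  git -C "$work/dev.git" remote add gitPROD "$work/prod.git"
  git -C "$work/dev.git" config remote.gitPROD.push \
    refs/heads/master:refs/heads/master
  # post-update gets the updated ref names as arguments and runs as the OS
  # account that received the push, with the bare repo as its cwd.
  cat > "$work/dev.git/hooks/post-update" <<'EOF'
#!/bin/sh
echo "post-update by $(id -un) refs: $*" >> mirror.log
for ref in "$@"; do
  [ "$ref" = refs/heads/master ] || continue       # other branches stay in DEV
  git push --quiet gitPROD 2>>mirror.log || echo "mirror to PROD failed" >&2
done
EOF
  chmod +x "$work/dev.git/hooks/post-update"
  # A developer's workspace: one commit on master, one on a feature branch.
  git init -q "$work/clone"
  git -C "$work/clone" symbolic-ref HEAD refs/heads/master
  git -C "$work/clone" remote add origin "$work/dev.git"
  echo one > "$work/clone/a.txt"
  git -C "$work/clone" add a.txt && git -C "$work/clone" commit -q -m "on master"
  git -C "$work/clone" checkout -q -b feature
  echo two > "$work/clone/b.txt"
  git -C "$work/clone" add b.txt && git -C "$work/clone" commit -q -m "on feature"
  git -C "$work/clone" push -q origin master feature
  echo "$work"
}
# Succeeds only if PROD holds the named branch.
prod_has_branch() {
  git -C "$1/prod.git" show-ref --verify --quiet "refs/heads/$2"
}
dir=$(demo_dev_to_prod)
if prod_has_branch "$dir" master; then echo "PROD has master"; fi
if ! prod_has_branch "$dir" feature; then echo "PROD has no feature branch"; fi
cat "$dir/dev.git/mirror.log"
```

The log line shows the same account name whoever owns the repository directory, which is what the access decision on git.PROD.example.com has to be based on.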