Opened 11 years ago
Last modified 11 years ago
#11533 new enhancement
show permissions for specific repos only
| Reported by: | patrick | Owned by: | ejucovy |
|---|---|---|---|
| Priority: | normal | Component: | GitolitePlugin |
| Severity: | normal | Keywords: | |
| Cc: | Trac Release: | 1.0 |
Description
Hi,
I have a trac setup which consists of multiple trac environments. The goal for me as TRAC_ADMIN is basically to turn each environment over to a project_manager (which is something I defined as being a little less than TRAC_ADMIN) and then they can take care of their own users and permissions etc.
So I have integrated trac-gitolite, and I have one gitolite-admin repo that is serving the multiple trac environments. Out of the box, the project_manager for project A could see and manage the repository permissions for a repo in project B which may have a different project_manager. So this isn't ideal.
Basically I added a trac_gitolite option called show_repos. This is just a list of the repos whose permissions can be managed through the web interface. It can be set on a per environment basis in trac.ini
I have attached the diffs needed to do this.
Is this useful, or did I miss the boat entirely and there was a much easier way to do this?
Thanks,
Patrick
Attachments (4)
Change History (8)
Changed 11 years ago by
| Attachment: | perm_manager.diff added |
|---|
Changed 11 years ago by
| Attachment: | perm_policy.diff added |
|---|
Changed 11 years ago by
| Attachment: | repo_manager.diff added |
|---|
Changed 11 years ago by
| Attachment: | utils.diff added |
|---|
comment:1 Changed 11 years ago by
comment:2 follow-up: 4 Changed 11 years ago by
Thanks for the patch, patrick!
At first glance patrick's approach makes more sense to me than fine-grained permission checks. It sounds like the goal here is to define which Gitolite repositories are known per Trac environment, not per user. This is necessary because Gitolite manages all repositories' configuration in a single place on the trac/git server (the gitolite.conf file) so the Trac environment is reading configuration for all repositories, whether or not it wants to.
rjollos, would you mind outlining what this would look like using fine-grained permissions? (The environment configuration, not the diff to the plugin's code.) I've never managed to understand TracFineGrainedPermissions well enough to actually implement them in an environment. I guess you would need to remove VERSIONCONTROL_ADMIN from the entire realm, and then re-grant it to the project_manager(s) for individual repositories?
comment:3 Changed 11 years ago by
Actually, would you mind describing your use case a bit more?
Will each Trac environment's project_manager be administering their own Trac users and permissions, or will those be shared across environments?
Do project_managers have access to create new Gitolite repositories, or just to manage permissions of (some) existing repositories?
Will project_managers be creating new Gitolite users? (i.e. by uploading SSH public keys through Trac via GitolitePlugin's /admin/versioncontrol/permissions/ panel)
How often will project_managers be managing the Gitolite users and permissions?
Depending on your setup and usage patterns, some additional GitolitePlugin enhancements might be needed, including:
- more distinct permissions -- right now there's just REPOSITORY_CREATE (create new gitolite repos) and VERSIONCONTROL_ADMIN
- filtering out some users from the Gitolite Users panel and Gitolite Permissions panel
- mapping gitolite users to trac users explicitly instead of implicitly
- supporting the use of multiple files and subdirectories to manage gitolite ssh keys and repository permissions
I'm not familiar with the plugin, but it sounds like you may want to implement TracFineGrainedPermissions checks, and maybe check for
VERSIONCONTROL_ADMINpermission rather thanTRAC_ADMINpermission.Also, usually it's preferable to submit patches in unified diff form, as described at trac:TracDev/SubmittingPatches.