英文:
git - controlling user access to specific git repositories
问题
我是新手,正在实施Git,并且有一个需求,需要控制用户对特定Git存储库的访问。
例如:我有3个不同的项目,为每个项目创建了3个不同的Git存储库,并根据他们所工作的项目为特定用户授予访问权限。我已尝试以下方法,但在Linux服务器上创建的所有用户都能访问每个用户创建的所有存储库。它没有限制在特定的Linux用户上。
- 为每个存储库创建三个Linux用户:Project1、Project2和Project3。
- 登录每个用户并创建Git裸仓库。
- 为每个用户创建~/.ssh/authorized_keys文件(/home/Project1/.ssh/authorized_keys)并添加应具有访问权限的每个用户的公共SSH密钥。
我不确定应该采取哪些步骤,以便仅允许创建它的用户访问Git存储库,并防止其他用户访问Git存储库。
请建议我需要实施哪些步骤来控制对特定Git存储库的访问?
英文:
I am new to the implementation of git and i had a requirement where i need to control user access to specific git repositories.
For ex: I have 3 different projects for which i create 3 different git repositories and grant access permissions to specific users based on the projects they are working. I have tried the following way but all the users created on Linux server are able to access all the repositories created under each user. It is not getting restricted to specific Linux User.
- Create three Linux users, one for each repository: Proejct1, Project2, and Project 3
- Login into each user and create the bare Git repository
- For each user, create ~/.ssh/authorized_keys (/home/Project1/.ssh/authorized_keys) and add the public SSH key for each user that should have access
I am not sure what needs to be done to provide access to the git repository only to the user who has created it and do not allow other users to access the Git repository.
Please suggest me the list of steps that needs to be implement to control access to specific Git repositories?
答案1
得分: 1
您的问题更多涉及UNIX文件权限,而不是Git。我可以想到两种方法来实现这个目标:
对于您在顶部帖子中提到的解决方案,使用repoA
作为存储库名称:
- 创建存储库特定的帐户(
useradd -m repoA
) - 作为root用户,确保存储库帐户的主目录只能被存储库帐户读取或写入(
chmod 0700 /home/repoA
) - 在
/home/repoA
中创建存储库 - 确保正确的用户拥有存储库(
chown -R repoA /home/repoA/repoA
) - 将用户的公钥添加到
/home/repoA/.ssh/authorized_keys
- 管理这些文件将是一个持续的任务 - 让您的用户使用
git clone repoA@server:repoA
来克隆存储库,或者使用git remote set-url origin repoA@server:repoA
来更新他们现有的副本
对于另一种解决方案,同样以repoA
作为存储库名称:
- 为存储库创建一个组(
groupadd repoA
) - 将适当的用户添加到组中(
usermod -aG repoA alice
将alice
添加到组中) - 管理组成员将是一个持续的任务 - 使用
mkdir -p /opt/repoA
(例如)创建存储库文件夹 chgrp repoA /opt/repoA
(更改组所有权)chmod ug+rwx,g+s,o-rwx /opt/repoA
(用户和组可以读取/写入/执行,其他人不能,而且组位会持久存在,无论哪个具体用户更改内容)- 让用户将他们自己的密钥添加到自己的
~/.ssh/authorized_keys
中 - 让用户使用
git clone alice@server:/opt/repoA
或git clone bob@server:/opt/repoA
等方式克隆存储库,或者使用git remote set-url
来修改现有的副本
还有另一个选项,您可以使用GitLab Community Edition或Gitea等托管包,这些包将为用户和管理员提供良好的界面。
英文:
Your question is more about UNIX file permissions than about Git. I can think of two ways to achieve this:
For the solution you mentioned in the top post, with repoA
as the repo name:
- Create the repo-specific account (
useradd -m repoA
) - As root, make sure that the repo account's home is only readable or writable by the repo account (
chmod 0700 /home/repoA
) - Create the repo in
/home/repoA
- Make sure that the right user owns the repo (
chown -R repoA /home/repoA/repoA
) - Add user public keys to
/home/repoA/.ssh/authorized_keys
- managing these files will be an ongoing task - Have your users clone the repo with
git clone repoA@server:repoA
, or have them update their existing copies withgit remote set-url origin repoA@server:repoA
For another solution, also with repoA
as the repo name:
- Create a group for the repo (
groupadd repoA
) - Add the appropriate users to the group (
usermod -aG repoA alice
will addalice
to the group) - managing group memberships will be an ongoing task - Create the repo folder with
mkdir -p /opt/repoA
(for example) chgrp repoA /opt/repoA
(change group ownership)chmod ug+rwx,g+s,o-rwx /opt/repoA
(user and group can read/write/execute, others cannot, and the group bits are persisted no matter which specific user alters the contents)- Have users add their own keys to their own
~/.ssh/authorized_keys
- Have users clone the repo with
git clone alice@server:/opt/repoA
orgit clone bob@server:/opt/repoA
etc., or usegit remote set-url
to modify existing copies
And for yet another option, use a hosting package such as GitLab Community Edition or Gitea, which will give a nice interface for users as well as for admins.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论