git – 控制用户访问特定的git仓库

huangapple go评论64阅读模式
英文:

git - controlling user access to specific git repositories

问题

我是新手,正在实施Git,并且有一个需求,需要控制用户对特定Git存储库的访问。

例如:我有3个不同的项目,为每个项目创建了3个不同的Git存储库,并根据他们所工作的项目为特定用户授予访问权限。我已尝试以下方法,但在Linux服务器上创建的所有用户都能访问每个用户创建的所有存储库。它没有限制在特定的Linux用户上。

  1. 为每个存储库创建三个Linux用户:Project1、Project2和Project3。
  2. 登录每个用户并创建Git裸仓库。
  3. 为每个用户创建~/.ssh/authorized_keys文件(/home/Project1/.ssh/authorized_keys)并添加应具有访问权限的每个用户的公共SSH密钥。

我不确定应该采取哪些步骤,以便仅允许创建它的用户访问Git存储库,并防止其他用户访问Git存储库。

请建议我需要实施哪些步骤来控制对特定Git存储库的访问?

英文:

I am new to the implementation of git and i had a requirement where i need to control user access to specific git repositories.

For ex: I have 3 different projects for which i create 3 different git repositories and grant access permissions to specific users based on the projects they are working. I have tried the following way but all the users created on Linux server are able to access all the repositories created under each user. It is not getting restricted to specific Linux User.

  1. Create three Linux users, one for each repository: Proejct1, Project2, and Project 3
  2. Login into each user and create the bare Git repository
  3. For each user, create ~/.ssh/authorized_keys (/home/Project1/.ssh/authorized_keys) and add the public SSH key for each user that should have access

I am not sure what needs to be done to provide access to the git repository only to the user who has created it and do not allow other users to access the Git repository.

Please suggest me the list of steps that needs to be implement to control access to specific Git repositories?

答案1

得分: 1

您的问题更多涉及UNIX文件权限,而不是Git。我可以想到两种方法来实现这个目标:


对于您在顶部帖子中提到的解决方案,使用repoA作为存储库名称:

  1. 创建存储库特定的帐户(useradd -m repoA
  2. 作为root用户,确保存储库帐户的主目录只能被存储库帐户读取或写入(chmod 0700 /home/repoA
  3. /home/repoA中创建存储库
  4. 确保正确的用户拥有存储库(chown -R repoA /home/repoA/repoA
  5. 将用户的公钥添加到/home/repoA/.ssh/authorized_keys - 管理这些文件将是一个持续的任务
  6. 让您的用户使用git clone repoA@server:repoA来克隆存储库,或者使用git remote set-url origin repoA@server:repoA来更新他们现有的副本

对于另一种解决方案,同样以repoA作为存储库名称:

  1. 为存储库创建一个组(groupadd repoA
  2. 将适当的用户添加到组中(usermod -aG repoA alicealice添加到组中) - 管理组成员将是一个持续的任务
  3. 使用mkdir -p /opt/repoA(例如)创建存储库文件夹
  4. chgrp repoA /opt/repoA(更改组所有权)
  5. chmod ug+rwx,g+s,o-rwx /opt/repoA(用户和组可以读取/写入/执行,其他人不能,而且组位会持久存在,无论哪个具体用户更改内容)
  6. 让用户将他们自己的密钥添加到自己的~/.ssh/authorized_keys
  7. 让用户使用git clone alice@server:/opt/repoAgit clone bob@server:/opt/repoA等方式克隆存储库,或者使用git remote set-url来修改现有的副本

还有另一个选项,您可以使用GitLab Community Edition或Gitea等托管包,这些包将为用户和管理员提供良好的界面。

英文:

Your question is more about UNIX file permissions than about Git. I can think of two ways to achieve this:


For the solution you mentioned in the top post, with repoA as the repo name:

  1. Create the repo-specific account (useradd -m repoA)
  2. As root, make sure that the repo account's home is only readable or writable by the repo account (chmod 0700 /home/repoA)
  3. Create the repo in /home/repoA
  4. Make sure that the right user owns the repo (chown -R repoA /home/repoA/repoA)
  5. Add user public keys to /home/repoA/.ssh/authorized_keys - managing these files will be an ongoing task
  6. Have your users clone the repo with git clone repoA@server:repoA, or have them update their existing copies with git remote set-url origin repoA@server:repoA

For another solution, also with repoA as the repo name:

  1. Create a group for the repo (groupadd repoA)
  2. Add the appropriate users to the group (usermod -aG repoA alice will add alice to the group) - managing group memberships will be an ongoing task
  3. Create the repo folder with mkdir -p /opt/repoA (for example)
  4. chgrp repoA /opt/repoA (change group ownership)
  5. chmod ug+rwx,g+s,o-rwx /opt/repoA (user and group can read/write/execute, others cannot, and the group bits are persisted no matter which specific user alters the contents)
  6. Have users add their own keys to their own ~/.ssh/authorized_keys
  7. Have users clone the repo with git clone alice@server:/opt/repoA or git clone bob@server:/opt/repoA etc., or use git remote set-url to modify existing copies

And for yet another option, use a hosting package such as GitLab Community Edition or Gitea, which will give a nice interface for users as well as for admins.

huangapple
  • 本文由 发表于 2023年7月24日 18:03:10
  • 转载请务必保留本文链接:https://go.coder-hub.com/76753375.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定