Set up SSH keys access for public repositories on git staging server

Registered by Stevan Radaković

We need to have the same read/write rules applied for public repositories in Rhodecode web authentication and for SSH authentication. To manage this, all the groups and users from the Rhodecode database must be mirrored and synced with system users and groups. Since we're using the LDAP synchronization in Rhodecode, this basically means that the system users/groups will match those on our LDAP server.

Blueprint information

Данило Шеган
Milo Casagrande
Stevan Radaković
Series goal:
Accepted for trunk
Milestone target:
2013.03
Started by
Stevan Radaković
Completed by
Stevan Radaković

Related branches



Headline: Set up SSH key authentication and correct access to public repositories on the new Git staging server.
Acceptance: SSH key authentication provides read/write access rules for all public repositories that exactly match the rules set up in the Rhodecode web administration interface.
Roadmap id: CARD-148

[stevanr 2013-02-07] Defined work items.
[danilo 2013-02-07] Please make sure sysadmins can still log in to the machine using SSH (iow, please reword just a little bit those WIs which deal with "disable shell access" :)
[stevanr, 2013-03-05] We want to have all the groups in the system as we have them in Rhodecode because a user with lower level permissions might still not have membership in the parent group and therefore belong only to the lower level group.
[stevanr, 2013-03-05] After some more discussion it's decided that each repository group/repository in Rhodecode will have its own system group which will contain all the users which have permissions to access it (either by group or by user membership). All the users will belong to the default 'rhodecode' group and if ACL is not specified they will have access to the specific repo.
[stevanr, 2013-03-05] Keep in mind to test the described solution with private repositories access over SSH.
[stevanr, 2013-03-21] Working with Philip on deploying the sync script on staging.git.l.o.
[stevanr, 2013-03-25] LDAP sync script deployed on staging.git.l.o;a=blob;f=scripts/ldap-sync;h=117b10554493901549992ea18adbfc77e9d25e22;hb=a561ed2cc10b1fd8242da6250b22286dda554acb
[stevanr, 2013-04-02] Deployment delayed a bit due to Philip being ill.
[stevanr, 2013-04-02] Adding new work item for migration of existing repository groups and repositories.
[stevanr, 2013-04-02] Filed a bug for the last missing work item
[stevanr, 2013-05-21] Explaining how flattening nested groups from LDAP works and how ACL works on the system level to support ACL over git+ssh:


Work Items

Work items:
Investigate rhodecode system user and privileges over repositories: DONE
Decide on whether to reflect all Rhodecode groups on the system ones: DONE
Write group synchronization script to implement nested groups: DONE
Write user and membership synchronization script to implement repository ACL over SSH: DONE
Change Rhodecode base so it updates system directory ownership during Rhodecode ACL update: DONE
Make sure existing repositories and repository groups have appropriate groups assigned to them by creating a migration script: POSTPONED
Disable shell access to SSH users (save for sysadmins) system wide: DONE
Disable shell access to SSH users (save for sysadmins) with SSH keys: DONE
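An added illustration of the flattening and ACL model the whiteboard notes describe (this is not the blueprint's own ldap-sync script; the group, user and repository names are constructed sample data): nested LDAP-style groups are resolved to flat user sets, every user lands in the default 'rhodecode' group, a repository with an explicit ACL gets its own system group, and access is decided by membership in the group that owns the repository directory.

```python
DEFAULT_GROUP = "rhodecode"

# Constructed LDAP-style groups: direct user members plus nested member groups.
# 'kernel' points back at 'landing-team' to exercise cycle handling.
LDAP_GROUPS = {
    "linaro":       {"users": {"alice"}, "groups": {"landing-team", "qa"}},
    "landing-team": {"users": {"bob"},   "groups": {"kernel"}},
    "kernel":       {"users": {"carol"}, "groups": {"landing-team"}},
    "qa":           {"users": {"dave"},  "groups": set()},
}

# Constructed Rhodecode ACLs: (kind, name) grants; an empty list means no ACL.
REPO_ACLS = {
    "public/tools":        [],
    "landing/kernel-tree": [("group", "landing-team"), ("user", "erin")],
    "qa/test-suite":       [("group", "qa")],
}

def flatten_group(groups, name, seen=None):
    """Resolve a nested group to its set of users; each group is visited once."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    users = set(groups[name]["users"])
    for sub in groups[name]["groups"]:
        users |= flatten_group(groups, sub, seen)
    return users

def system_group_name(repo):
    # POSIX group names cannot contain '/', so derive a flat name per repository.
    return "rc-" + repo.replace("/", "-")

def build_system_groups(groups, acls):
    """Return {system_group: members}; repos without an ACL use the default group."""
    everyone = set().union(*(flatten_group(groups, g) for g in groups))
    everyone |= {n for grants in acls.values() for kind, n in grants if kind == "user"}
    result = {DEFAULT_GROUP: everyone}
    for repo, grants in acls.items():
        if grants:  # explicit ACL: dedicated group, users resolved through nesting
            members = set()
            for kind, name in grants:
                members |= flatten_group(groups, name) if kind == "group" else {name}
            result[system_group_name(repo)] = members
    return result

def can_access(user, repo, sys_groups, acls):
    """Mirror the filesystem check: membership in the repo's owning group decides."""
    owner = system_group_name(repo) if acls.get(repo) else DEFAULT_GROUP
    return user in sys_groups.get(owner, set())
```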
