/usr/share/doc/monotone/html/Netsync-Permission-Hooks.html is in monotone-doc 1.1-9.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<!-- Created by GNU Texinfo 6.1, http://www.gnu.org/software/texinfo/ -->
<head>
<title>monotone documentation: Netsync Permission Hooks</title>
<meta name="description" content="monotone documentation: Netsync Permission Hooks">
<meta name="keywords" content="monotone documentation: Netsync Permission Hooks">
<meta name="resource-type" content="document">
<meta name="distribution" content="global">
<meta name="Generator" content="makeinfo">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link href="index.html#Top" rel="start" title="Top">
<link href="General-Index.html#General-Index" rel="index" title="General Index">
<link href="index.html#SEC_Contents" rel="contents" title="Table of Contents">
<link href="Hooks.html#Hooks" rel="up" title="Hooks">
<link href="Netsync-Transport-Hooks.html#Netsync-Transport-Hooks" rel="next" title="Netsync Transport Hooks">
<link href="User-Defaults.html#User-Defaults" rel="prev" title="User Defaults">
<style type="text/css">
<!--
a.summary-letter {text-decoration: none}
blockquote.indentedblock {margin-right: 0em}
blockquote.smallindentedblock {margin-right: 0em; font-size: smaller}
blockquote.smallquotation {font-size: smaller}
div.display {margin-left: 3.2em}
div.example {margin-left: 3.2em}
div.lisp {margin-left: 3.2em}
div.smalldisplay {margin-left: 3.2em}
div.smallexample {margin-left: 3.2em}
div.smalllisp {margin-left: 3.2em}
kbd {font-style: oblique}
pre.display {font-family: inherit}
pre.format {font-family: inherit}
pre.menu-comment {font-family: serif}
pre.menu-preformatted {font-family: serif}
pre.smalldisplay {font-family: inherit; font-size: smaller}
pre.smallexample {font-size: smaller}
pre.smallformat {font-family: inherit; font-size: smaller}
pre.smalllisp {font-size: smaller}
span.nolinebreak {white-space: nowrap}
span.roman {font-family: initial; font-weight: normal}
span.sansserif {font-family: sans-serif; font-weight: normal}
ul.no-bullet {list-style: none}
-->
</style>
<link rel="stylesheet" type="text/css" href="texinfo.css">
</head>
<body lang="en">
<a name="Netsync-Permission-Hooks"></a>
<div class="header">
<p>
Next: <a href="Netsync-Transport-Hooks.html#Netsync-Transport-Hooks" accesskey="n" rel="next">Netsync Transport Hooks</a>, Previous: <a href="User-Defaults.html#User-Defaults" accesskey="p" rel="prev">User Defaults</a>, Up: <a href="Hooks.html#Hooks" accesskey="u" rel="up">Hooks</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="General-Index.html#General-Index" title="Index" rel="index">Index</a>]</p>
</div>
<hr>
<a name="Netsync-Permission-Hooks-1"></a>
<h4 class="subsection">6.1.4 Netsync Permission Hooks</h4>
<p>These hooks are used when running a netsync server, via
<code>mtn serve</code>. The server evaluates them for each new
connection, based on the key the client authenticated with (anonymous
connections are handled as described under each hook below). Note that a
long-running server reads its hook definitions only at startup: if the
<samp>monotonerc</samp> file is changed, the server must be restarted
before the new definitions take effect.
</p>
<dl compact="compact">
<dd><a name="get_005fnetsync_005fread_005fpermitted"></a></dd>
<dt><code>get_netsync_read_permitted (<var>branch</var>, <var>key_identity</var>)</code>
<a name="index-get_005fnetsync_005fread_005fpermitted-_0028branch_002c-key_005fidentity_0029"></a>
</dt>
<dd>
<p>Returns <code>true</code> if a peer authenticated as key <var>key_identity</var>
should be allowed to read from your database the certs, revisions,
manifests, and files associated with <var>branch</var>; otherwise <code>false</code>.
The default definition of this hook reads the file <samp>read-permissions</samp>
and all files in the subdirectory <samp>read-permissions.d</samp> in the
configuration directory. All the files are treated as if they were one
file, with <samp>read-permissions</samp> first followed by the files in
<samp>read-permissions.d</samp> in alphanumerical order, so the stanzas of an
earlier file are evaluated before those of a later one. The files look like
</p><div class="smallexample">
<pre class="smallexample">pattern "net.example.project.{private,security}*"
allow "joe@example.net"
allow "f3f62f86eba204a3ce15174083a53349201993d6"
comment "everyone can read these branches"
pattern "net.example.{public,project}*"
allow "*"
</pre></div>
<p>This example allows everyone access to branches <code>net.example.project</code> and
<code>net.example.public</code> and their sub-branches, except for the branches in
<code>net.example.project.security</code> and <code>net.example.project.private</code>,
which are only readable by Joe (matched by the key name <code>joe@example.net</code>)
and Jim (matched by his key hash). Because the first stanza has no
<code>continue "true"</code> line, any other key that matches its pattern is denied
there and never reaches the <code>allow "*"</code> stanza.
</p>
<p>The file is divided into stanzas of one <code>pattern</code> line followed by any
number of <code>allow</code> and <code>deny</code> lines, and possibly a <code>continue</code>
line. Anything from the unquoted word <code>comment</code> until the next unquoted
word is ignored. A stanza is processed if the argument to
<code>pattern</code> is a glob that matches <var>branch</var>. Any keys with a hash or
local_name that matches an
<code>allow</code> line are given access, and any keys which match a <code>deny</code> line
are denied access. If there is a <code>continue "true"</code> line, then if the key
is not granted or denied access in this stanza the next matching stanza will be
processed. If there is not a <code>continue "true"</code> line, then any key which
has not been given access will be denied access even if it doesn’t match any
<code>deny</code> lines. Thus, deny lines are redundant unless there is also a
<code>continue "true"</code> line.
</p>
<p>If a client connects anonymously, this hook will be called with a
<var>key_identity</var> of <code>nil</code>. An empty string value must be used
in <samp>read-permissions</samp> to represent clients connecting anonymously. e.g.
<code>allow ""</code>.
</p>
<a name="get_005fnetsync_005fwrite_005fpermitted"></a></dd>
<dt><code>get_netsync_write_permitted (<var>key_identity</var>)</code>
<a name="index-get_005fnetsync_005fwrite_005fpermitted-_0028key_005fidentity_0029"></a>
</dt>
<dd>
<p>Returns <code>true</code> if a peer authenticated as key <var>key_identity</var>
should be allowed to write certs, revisions, manifests, and files into your
database; otherwise <code>false</code>. The default definition of
this hook reads the file <samp>write-permissions</samp> and all files in the
subdirectory <samp>write-permissions.d</samp> in the configuration directory;
together they contain a list of key hashes or local key names, one per line,
that are allowed write access. The special value
<code>*</code> allows access to anyone whose public key we already have.
</p>
<p>If a client connects anonymously, it will be unconditionally denied
write access; this hook will <em>not</em> be called with a <var>key_identity</var>
of <code>nil</code>.
</p>
<p>Note also that, unlike the equivalent read permission hook, the write
permission hook does not take a <var>branch</var> name as an argument. There
is presently no way to selectively grant write access to different
branches via netsync, for a number of reasons. Contributions in the
database from different authors can be selectively trusted using the
<a href="Trust-Evaluation-Hooks.html#Trust-Evaluation-Hooks">Trust Evaluation Hooks</a> instead.
</p>
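<p>The following is an added example, not code from monotone or its documentation: a Python model of the two default permission files described above, <samp>read-permissions</samp> (stanzas of <code>pattern</code>, <code>allow</code>, <code>deny</code>, <code>continue</code> and <code>comment</code>, evaluated in file order) and <samp>write-permissions</samp> (one key hash or local name per line, <code>*</code> for any key already in the database). The real hooks are Lua functions in <samp>monotonerc</samp>; this model exists so the edge cases can be run offline: the first matching stanza without <code>continue "true"</code> deciding, a <code>deny</code> line that is only useful because its stanza continues, and an anonymous peer that needs an explicit <code>allow ""</code>. Everything here is constructed for the example (<code>KeyIdentity</code>, <code>read_permitted</code>, <code>write_permitted</code>, the sample keys and the sample file, which is the page's own example with a blocklist stanza in front of it and an <code>allow ""</code> added). Two details the page leaves open are assumptions of this model, not statements of the page: allow and deny lines within a stanza are tried in file order, and <code>allow "*"</code> does not cover anonymous peers.</p>

```python
"""Added example (not monotone's Lua hooks): a Python model of the default
read-permissions stanza file and write-permissions list as the page describes
them, so the edge cases can be run offline. All names and sample data below are
constructed; allow/deny order and "*" not covering anonymous are assumptions."""
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # quoted string (group 1) or bare word (group 2)

@dataclass(frozen=True)
class KeyIdentity:            # what the hook can match on; an anonymous peer is None
    hash: str
    local_name: str

@dataclass
class Stanza:
    pattern: str                                                 # branch glob
    rules: List[Tuple[str, str]] = field(default_factory=list)   # ("allow"|"deny", glob)
    cont: bool = False                                           # continue "true" seen

def parse_read_permissions(text: str) -> List[Stanza]:
    toks = [(m.group(2) is None, m.group(2) if m.group(1) is None else m.group(1))
            for m in _TOKEN.finditer(text)]   # (is_quoted, value)
    stanzas: List[Stanza] = []
    i = 0
    while i < len(toks):
        quoted, word = toks[i]
        if word == "comment" and not quoted:   # ignored up to the next unquoted word
            i += 1
            while i < len(toks) and toks[i][0]:
                i += 1
            continue
        if quoted or i + 1 >= len(toks) or not toks[i + 1][0]:
            raise ValueError(f'expected keyword "argument" near {word!r}')
        arg, i = toks[i + 1][1], i + 2
        if word == "pattern":
            stanzas.append(Stanza(arg))
        elif not stanzas or word not in ("allow", "deny", "continue"):
            raise ValueError(f"unexpected {word!r}")
        elif word == "continue":
            stanzas[-1].cont = (arg == "true")
        else:
            stanzas[-1].rules.append((word, arg))
    return stanzas

def _expand_braces(pat: str) -> List[str]:
    """Expand {a,b} alternatives (innermost group first); fnmatch handles * ? [..]."""
    m = re.search(r"\{([^{}]*)\}", pat)
    if not m:
        return [pat]
    return [alt for piece in m.group(1).split(",")
            for alt in _expand_braces(pat[:m.start()] + piece + pat[m.end():])]

def globish_match(pattern: str, name: str) -> bool:
    return any(fnmatchcase(name, alt) for alt in _expand_braces(pattern))

def _rule_matches(arg: str, key: Optional[KeyIdentity]) -> bool:
    if key is None:      # anonymous: only an explicit "" entry names it (assumption: "*" does not)
        return arg == ""
    return arg != "" and (globish_match(arg, key.hash) or globish_match(arg, key.local_name))

def read_permitted(branch: str, key: Optional[KeyIdentity], stanzas: List[Stanza]) -> bool:
    for st in stanzas:
        if not globish_match(st.pattern, branch):
            continue
        for kind, arg in st.rules:   # first matching allow/deny line decides (assumption)
            if _rule_matches(arg, key):
                return kind == "allow"
        if not st.cont:              # no continue "true": anything unmatched is denied here
            return False
    return False                     # no stanza matched, or the last one continued

def write_permitted(key: Optional[KeyIdentity], text: str, known_hashes) -> bool:
    if key is None:                  # anonymous peers are refused before the hook is consulted
        return False
    for entry in (ln.strip() for ln in text.splitlines()):   # one hash or local name per line
        if (entry == "*" and key.hash in known_hashes) or (entry and entry in (key.hash, key.local_name)):
            return True                                      # "*": any key already in our database
    return False

SAMPLE_READ = '''\
pattern "net.example.*"
deny "revoked@example.net"
continue "true"
pattern "net.example.project.{private,security}*"
allow "joe@example.net"
allow "f3f62f86eba204a3ce15174083a53349201993d6"
comment "everyone can read these branches"
pattern "net.example.{public,project}*"
allow "*"
allow ""
'''
KEYS = {"joe": KeyIdentity("1" * 40, "joe@example.net"), "revoked": KeyIdentity("2" * 40, "revoked@example.net"),
        "jim": KeyIdentity("f3f62f86eba204a3ce15174083a53349201993d6", "jim@example.net"), "anonymous": None}
if __name__ == "__main__":   # prints the decision for each sample key on one public branch
    st = parse_read_permissions(SAMPLE_READ)
    print({who: read_permitted("net.example.public.www", key, st) for who, key in KEYS.items()})
```

<p>Run it directly to print the decision for each sample key on <code>net.example.public.www</code>: Joe and Jim are allowed by <code>allow "*"</code>, the anonymous peer only by the added <code>allow ""</code>, and the revoked key is refused by the first stanza even though the last stanza would accept it. That first stanza is the one case where a <code>deny</code> line earns its keep: because it ends with <code>continue "true"</code>, keys it does not name fall through to the later stanzas, whereas without that line the same stanza would deny every key matching <code>net.example.*</code>, Joe included.</p>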
</dd>
<dt><code>get_remote_automate_permitted (<var>key_identity</var>, <var>command</var>, <var>options</var>)</code>
<a name="index-get_005fremote_005fautomate_005fpermitted_0028key_005fidentity_002c-command_002c-options_0029"></a>
</dt>
<dd>
<p>Returns <code>true</code> if a peer authenticated as key <var>key_identity</var> should be
allowed to execute the given <var>command</var> with the given <var>options</var>, as
if through <code>automate stdio</code>; otherwise <code>false</code>.
</p>
</dd>
</dl>
<hr>
<div class="header">
<p>
Next: <a href="Netsync-Transport-Hooks.html#Netsync-Transport-Hooks" accesskey="n" rel="next">Netsync Transport Hooks</a>, Previous: <a href="User-Defaults.html#User-Defaults" accesskey="p" rel="prev">User Defaults</a>, Up: <a href="Hooks.html#Hooks" accesskey="u" rel="up">Hooks</a> [<a href="index.html#SEC_Contents" title="Table of contents" rel="contents">Contents</a>][<a href="General-Index.html#General-Index" title="Index" rel="index">Index</a>]</p>
</div>
</body>
</html>