This topic describes how to configure the security for GitCentric.
As touched upon in Mapping multiple repositories to a single stream, one of the advantages of using GitCentric in a Git environment is that you can use both GitCentric and AccuRev security features to control access to files, a feature not natively provided by Git.
GitCentric makes use of two kinds of Access Control Lists (ACLs):
- GitCentric “group-based” ACLs, which define access to Git repositories.
- AccuRev Element ACLs, which define permissions on the AccuRev Server down to the individual element level.
Using these two types of ACLs, you can approach GitCentric security in two ways:
- Using GitCentric group-based ACLs to specify allow and deny privileges on a repository (“project”) basis.
- Mapping multiple repos as different “views” on AccuRev-controlled elements. The AccuRev-controlled elements may optionally be secured with AccuRev Element ACLs (EACLs).
On the Git side, you define group-based ACLs and apply them to repositories, to control what kind of access group members have to GitCentric-controlled Git repos and branches. (GitCentric group-based ACLs are different than, and should not be confused with, AccuRev Element ACLs or EACLs, which control access to files on the AccuRev Server.)
GitCentric provides five system or pre-defined internal or groups:
- Administrators (internal)
- Anonymous Users (system)
- Non-interactive Users (internal)
- Repository (“Project”) Owners (system)
- Registered users (system)
You can define more groups as necessary.
GitCentric is installed with a basic set of ACLs on a special, system-defined project named “All-Projects”, from which all repos inherit their base set of ACLs. These basic ACLs are set to be highly secure, so you will need to customize them for your site before your users can use GitCentric.
The general topic of group-based ACLs is beyond the scope of this document, so you will need to learn about them from the Gerrit Code Review documentation referenced below, but at a very high level:
- Every user account is a member of one or more groups, and access and privileges are granted to those groups. You cannot grant access rights to individual users.
- Access rights are then assigned to these groups per repo (or project). Access rights granted to parent repos are inherited by child repos. Access rights defined for the All-Projects project are inherited by all other projects.
For information about creating and configuring GitCentric group ACLs from the GitCentric GUI, see Repository Access Rights (ACLs).
Configuring multiple Git repos with AccuRev and EACLs
In AccuRev, it is a common practice to configure depots and files with ACLs so that only certain users can access them. For example, assume that you hire a remote contract company to develop code for an optional feature to your main product line. You might want to give staff in corporate headquarters access to all files and directories, while restricting access of the remote team to just those files and directories that they need to get the job done.
By setting up ACLs in the AccuRev environment, and then mapping Git repositories and branches to these AccuRev depots and streams, you can give the remote team access to just the repo containing their files, while giving your local teams access to the repo that contains all your files. For details, see Mapping multiple repositories to a single stream.