git - Gitolite permissions on branches

Question

I'm really at a loss here. I've read through quite a few examples, and tried all of them. The most basic ones work fine, but anytime I try to move to something a bit more complicated everything falls apart (even when I'm directly copying the example). Also, for the record I am on gitolite version 3 as shown by the server spam:

    this is gitolite@ubuntuserver running gitolite3 v3.1-2-g3eefc06 on git 1.7.9.5         

All this said what I am TRYING to accomplish is (I THINK) relatively simple. I have a group of junior developers [@scrubs], and I only want them to create and commit to new branches, and be able to read/pull master. That way I can review their code before it gets merged in.

I have a group of senior developers [@vets] that I want to have free reign.

My config file is as follows:

     @scrubs         = al ted matthew
     @vets           = kevin will guy

     @offlimitbranches = master$

     repo    gitolite-admin
             RW+     =   @vets matthew

     repo    dawebsite
             RW+                     =   @vets
             -   @offlimitbranches   =   @scrubs
             RW+                     =   @scrubs
             R   @offlimitbranches   =   @scrubs
             R                       =   daemon
             option deny-rules = 1

     dawebsite "Owner"               = "This is THE site"

I noticed nothing worked at all for denying till I added :

    option deny-rules = 1

of which I think I found in maybe one out of 20 examples (a touch of a rant forgive the frustration.

With this current set up vets can do anything as expected.

scrubs can neither pull or push to master (and I think that's because it grabs the first rule it can possible match?) Scrubs also can not pull or push to any non master branch, nor push newly created branches. Each attempt returns the same message "FATAL: [R/W] any dawebsite matthew DENIED by refs/heads/master$"

I've tried using master, master$, @offlimitbranches and even refs/heads/master to no avail for the branch ref.

If anyone can help shed some light on this for me I'd be quite appreciative.

Update**

Playing around with things I've noticed that if i remove matthew from the scrubs group and try to manipulate him directly with

    -       master$         =   matthew
    RW+                     =   matthew

if he moves to a new branch and tried the following: (thanks VonC for the heads up on the logs)

git pull origin newBranch
git push origin newBranch

each returns an error

PULL:

ARGV=matthew    SOC=git-upload-pack 'dawebsite.git'     FROM=172.24.1.198
access(dawebsite, matthew, R, 'any'),-> R any dawebsite matthew DENIED by refs/heads/master$
trigger,Writable,access_1,ACCESS_1,dawebsite,matthew,R,any,R any dawebsite,matthew DENIED by refs/heads/master$
R any dawebsite matthew DENIED by refs/heads/master$<<newline>>(or you mis-spelled the reponame)

PUSH:

ARGV=matthew    SOC=git-receive-pack 'dawebsite.git'    FROM=172.24.1.198
access(dawebsite, matthew, W, 'any'),-> W any medehrdev matthew DENIED by refs/heads/master$
trigger,Writable,access_1,ACCESS_1,dawebsite,matthew,W,any,W any dawebsite matthew DENIED by refs/heads/master$
W any dawebsite matthew DENIED by refs/heads/master$<<newline>>(or you mis-spelled the reponame)

It seems all my branches match against the ref master$ is that because they are all spawned off of master?

Answer 1

My config, that is working now:

@gatekeepers = ustimenko
@developers  = ustimenko user1 user2
@deployers   = puppet

@project     = repo1
@project     = cakephp

repo @project
    RW+                 = @gatekeepers  
    R   master develop  = @developers
    -   master develop  = @developers
    RW+                 = @developers
    R                   = @deployers

---

1. Gatekeepers have full access.
2. Developers can read master and develop branches, then they denied other actions there.
3. Developers can do all other things.
4. Deployers can read all.