Mercurial > hg
view hgext/acl.py @ 39506:b66ea3fc3a86
sparse-revlog: set max delta chain length to on thousand
The new snapshot system used in the sparse-revlog case gave us some small size
benefit so far. However its most important property is to gracefully handle
harder limit on delta chainlength.
Long delta chain has a very detrimental impact on read (and write) performance
in revlog. Being able to shorter them provide a great boost. However, shorting
delta used to result significantly lower compression ratio. The intermediate
snapshots effectively suppress most of this effect (even all in some case).
# Effect on the test repository
The repository we use for test is not "realistic" but can still show this in
action using an unreasonably low chain limit. Limiting the chain length show a
sizeable increase but stay under control: +6% for limit=15; +15% for limit=10.
Without the snapshot system the increase is significantly bigger: +45% for
limit=15; +80% for limit=10. Even slightly larger than without delta chain
limit, the resulting size is still smaller than before we started doing
snapshots.
Here is a table for comparison. *Since the repository is not branchy, the
initial sparse-revlog version does not bring much benefit compare to the
non-sparse one):
chain length limit | none | limit=15 | limit=10 |
without sparse-revlog | 62 818 987 | 112 664 615 | 131 222 574 |
without snapshot | 74 365 490 | 108 211 410 | 133 857 764 |
with snapshot | 59 230 936 | 63 002 924 | 68 415 329 |
# Effect On Real Life Repositories
The series provides significant benefits on all kind of repositories.
Using `hg debugupgraderepo -o redeltaparent --run`, we recomputed delta chain
for various repositories with different settings:
- delta chain length: unlimited or 1000 limit
- sparse-revlog: enabled or disabled
- this series: applied or not applied
We can observe multiple types of effect:
- On very branchy repositories:
* The delta chain limit as low impact on the repo size.
* Intermediate snapshot greatly reduces manifest size:
- pypy: -80%
- netbeans: -95%
* The delta chain limit is effective, without a size impact:
- netbeans average: 613 -> 282
- private #1 average: 1 068 -> 307
- On more linear repository:
* Intermediate snapshot limit the impact of delta chain limit:
- mozilla:
without the series: +360%
with the series: +25%
* The delta chain limit provides large improvement:
- mozilla's average chain length:
unlimited: 15 338
limited: 469
* Despite the chain length limit, the manifest size is reduced:
- mercurial: -25%
- mozilla: -30%
It is clear that the use of chains of intermediate snapshots provide large
benefits both in storage size and delta chains quality. We should now switch our
effort toward making sure the write performance are acceptable. Then,
`sparse-revlog` will be a suitable format for all new repository.
# Raw Statistic
* no-sparse: general delta repository not using sparse-revlog
* no-snapshot: sparse-revlog repository not using this series
* snapshot: sparse-revlog repository using this series
mercurial
Manifest Size:
limit | none | 1000
------------|-------------|------------
no-sparse | 8 021 373 | 8 199 366
no-snapshot | 8 103 561 | 8 259 719
snapshot | 6 137 116 | 6 126 433
Manifest Chain length data
limit || none || 1000 ||
value || average | max || average | max ||
------------||---------|---------||---------|---------||
no-sparse || 307 | 1456 || 279 | 1000 ||
no-snapshot || 312 | 1456 || 283 | 1000 ||
snapshot || 248 | 1208 || 241 | 1000 ||
Full Store Size
limit | none | 1000
------------|-------------|------------
no-sparse | 51 013 198 | 51 201 574
no-snapshot | 50 930 795 | 51 141 006
snapshot | 48 072 037 | 48 093 572
pypy
Manifest Size:
limit | none | 1000
------------|-------------|------------
no-sparse | 193 987 784 | 193 987 784
no-snapshot | 163 171 745 | 163 312 229
snapshot | 34 605 900 | 34 600 750
Manifest Chain length data
limit || none || 1000 ||
value || average | max || average | max ||
------------||---------|---------||---------|---------||
no-sparse || 101 | 692 || 101 | 692 ||
no-snapshot || 151 | 1307 || 148 | 1000 ||
snapshot || 128 | 1309 || 125 | 1000 ||
Full Store Size
limit | none | 1000
------------|-------------|------------
no-sparse | 495 931 473 | 495 931 473
no-snapshot | 465 441 017 | 465 581 501
snapshot | 355 467 301 | 355 472 451
Mozilla
Manifest Size:
limit | none | 1000
------------|----------------|---------------
no-sparse | 416 757 148 | 1 869 009 668
no-snapshot | 401 592 370 | 1 843 493 795
snapshot | 224 359 521 | 284 615 500
Manifest Chain length data
limit || none || 1000 ||
value || average | max || average | max ||
------------||---------|---------||---------|---------||
no-sparse || 15 333 | 58 980 || 468 | 1 000 ||
no-snapshot || 15 336 | 58 980 || 469 | 1 000 ||
snapshot || 15 338 | 58 983 || 469 | 1 000 ||
Full Store Size
limit | none | 1000
------------|----------------|---------------
no-sparse | 2 712 477 887 | 4 164 995 451
no-snapshot | 2 698 887 835 | 4 141 054 304
snapshot | 2 518 130 385 | 2 578 587 596
Netbeans
Manifest Size:
limit | none | 1000
------------|----------------|---------------
no-sparse | 4 766 794 101 | 4 870 642 687
no-snapshot | 4 334 806 082 | 4 428 681 309
snapshot | 232 659 666 | 240 330 665
Manifest Chain length data
limit || none || 1000 ||
value || average | max || average | max ||
------------||---------|---------||---------|---------||
no-sparse || 597 | 6802 || 254 | 1 000 ||
no-snapshot || 648 | 6 802 || 305 | 1 000 ||
snapshot || 613 | 6 804 || 282 | 1 000 ||
Full Store Size
limit | none | 1000
------------|----------------|---------------
no-sparse | 5 807 347 998 | 5 911 196 584
no-snapshot | 5 375 398 602 | 5 469 273 829
snapshot | 1 282 519 928 | 1 290 190 927
Private repo #1
Manifest Size:
limit | none | 1000
------------|-----------------|---------------
no-sparse | 41 389 010 840 | 41 398 162 091
no-snapshot | 9 737 319 435 | 10 223 773 150
snapshot | 744 215 807 | 747 961 822
Manifest Chain length data
limit || none || 1000 ||
value || average | max || average | max ||
------------||---------|---------||---------|---------||
no-sparse || 245 | 8 885 || 81 | 1 000 ||
no-snapshot || 1 225 | 8 885 || 336 | 1 000 ||
snapshot || 1 068 | 7 909 || 307 | 1 000 ||
Full Store Size
limit | none | 1000
------------|----------------|---------------
no-sparse | 49 646 065 126 | 49 655 216 377
no-snapshot | 17 924 862 856 | 18 411 316 571
snapshot | 9 009 024 710 | 9 012 770 725
Private repo #2
We currently have less data available for that repository.
* Before is a sparse-revlog repository without this series
* After is a sparse-revlog repository with this series + 1000 chain limit
Manifest Size:
Before: 1 531 485 040 bytes
After: 1 091 422 451 bytes
Manifest Chain:
Before: 2 218 avg; 6 575 Max
After: 442 avg; 1 000 Max
Full Store Size
Before: 15 203 955 615
after: 8 207 180 693
| author | Boris Feld <boris.feld@octobus.net> |
|---|---|
| date | Fri, 07 Sep 2018 11:18:45 -0400 |
| parents | 3694c9aaf5e4 |
| children | aaad36b88298 |
line wrap: on
line source
# acl.py - changeset access control for mercurial # # Copyright 2006 Vadim Gelfer <vadim.gelfer@gmail.com> # # This software may be used and distributed according to the terms of the # GNU General Public License version 2 or any later version. '''hooks for controlling repository access This hook makes it possible to allow or deny write access to given branches and paths of a repository when receiving incoming changesets via pretxnchangegroup and pretxncommit. The authorization is matched based on the local user name on the system where the hook runs, and not the committer of the original changeset (since the latter is merely informative). The acl hook is best used along with a restricted shell like hgsh, preventing authenticating users from doing anything other than pushing or pulling. The hook is not safe to use if users have interactive shell access, as they can then disable the hook. Nor is it safe if remote users share an account, because then there is no way to distinguish them. The order in which access checks are performed is: 1) Deny list for branches (section ``acl.deny.branches``) 2) Allow list for branches (section ``acl.allow.branches``) 3) Deny list for paths (section ``acl.deny``) 4) Allow list for paths (section ``acl.allow``) The allow and deny sections take key-value pairs. Branch-based Access Control --------------------------- Use the ``acl.deny.branches`` and ``acl.allow.branches`` sections to have branch-based access control. Keys in these sections can be either: - a branch name, or - an asterisk, to match any branch; The corresponding values can be either: - a comma-separated list containing users and groups, or - an asterisk, to match anyone; You can add the "!" prefix to a user or group name to invert the sense of the match. Path-based Access Control ------------------------- Use the ``acl.deny`` and ``acl.allow`` sections to have path-based access control. Keys in these sections accept a subtree pattern (with a glob syntax by default). The corresponding values follow the same syntax as the other sections above. Bookmark-based Access Control ----------------------------- Use the ``acl.deny.bookmarks`` and ``acl.allow.bookmarks`` sections to have bookmark-based access control. Keys in these sections can be either: - a bookmark name, or - an asterisk, to match any bookmark; The corresponding values can be either: - a comma-separated list containing users and groups, or - an asterisk, to match anyone; You can add the "!" prefix to a user or group name to invert the sense of the match. Note: for interactions between clients and servers using Mercurial 3.6+ a rejection will generally reject the entire push, for interactions involving older clients, the commit transactions will already be accepted, and only the bookmark movement will be rejected. Groups ------ Group names must be prefixed with an ``@`` symbol. Specifying a group name has the same effect as specifying all the users in that group. You can define group members in the ``acl.groups`` section. If a group name is not defined there, and Mercurial is running under a Unix-like system, the list of users will be taken from the OS. Otherwise, an exception will be raised. Example Configuration --------------------- :: [hooks] # Use this if you want to check access restrictions at commit time pretxncommit.acl = python:hgext.acl.hook # Use this if you want to check access restrictions for pull, push, # bundle and serve. pretxnchangegroup.acl = python:hgext.acl.hook [acl] # Allow or deny access for incoming changes only if their source is # listed here, let them pass otherwise. Source is "serve" for all # remote access (http or ssh), "push", "pull" or "bundle" when the # related commands are run locally. # Default: serve sources = serve [acl.deny.branches] # Everyone is denied to the frozen branch: frozen-branch = * # A bad user is denied on all branches: * = bad-user [acl.allow.branches] # A few users are allowed on branch-a: branch-a = user-1, user-2, user-3 # Only one user is allowed on branch-b: branch-b = user-1 # The super user is allowed on any branch: * = super-user # Everyone is allowed on branch-for-tests: branch-for-tests = * [acl.deny] # This list is checked first. If a match is found, acl.allow is not # checked. All users are granted access if acl.deny is not present. # Format for both lists: glob pattern = user, ..., @group, ... # To match everyone, use an asterisk for the user: # my/glob/pattern = * # user6 will not have write access to any file: ** = user6 # Group "hg-denied" will not have write access to any file: ** = @hg-denied # Nobody will be able to change "DONT-TOUCH-THIS.txt", despite # everyone being able to change all other files. See below. src/main/resources/DONT-TOUCH-THIS.txt = * [acl.allow] # if acl.allow is not present, all users are allowed by default # empty acl.allow = no users allowed # User "doc_writer" has write access to any file under the "docs" # folder: docs/** = doc_writer # User "jack" and group "designers" have write access to any file # under the "images" folder: images/** = jack, @designers # Everyone (except for "user6" and "@hg-denied" - see acl.deny above) # will have write access to any file under the "resources" folder # (except for 1 file. See acl.deny): src/main/resources/** = * .hgtags = release_engineer Examples using the "!" prefix ............................. Suppose there's a branch that only a given user (or group) should be able to push to, and you don't want to restrict access to any other branch that may be created. The "!" prefix allows you to prevent anyone except a given user or group to push changesets in a given branch or path. In the examples below, we will: 1) Deny access to branch "ring" to anyone but user "gollum" 2) Deny access to branch "lake" to anyone but members of the group "hobbit" 3) Deny access to a file to anyone but user "gollum" :: [acl.allow.branches] # Empty [acl.deny.branches] # 1) only 'gollum' can commit to branch 'ring'; # 'gollum' and anyone else can still commit to any other branch. ring = !gollum # 2) only members of the group 'hobbit' can commit to branch 'lake'; # 'hobbit' members and anyone else can still commit to any other branch. lake = !@hobbit # You can also deny access based on file paths: [acl.allow] # Empty [acl.deny] # 3) only 'gollum' can change the file below; # 'gollum' and anyone else can still change any other file. /misty/mountains/cave/ring = !gollum ''' from __future__ import absolute_import from mercurial.i18n import _ from mercurial import ( error, extensions, match, pycompat, registrar, util, ) from mercurial.utils import ( procutil, ) urlreq = util.urlreq # Note for extension authors: ONLY specify testedwith = 'ships-with-hg-core' for # extensions which SHIP WITH MERCURIAL. Non-mainline extensions should # be specifying the version(s) of Mercurial they are tested with, or # leave the attribute unspecified. testedwith = 'ships-with-hg-core' configtable = {} configitem = registrar.configitem(configtable) # deprecated config: acl.config configitem('acl', 'config', default=None, ) configitem('acl.groups', '.*', default=None, generic=True, ) configitem('acl.deny.branches', '.*', default=None, generic=True, ) configitem('acl.allow.branches', '.*', default=None, generic=True, ) configitem('acl.deny', '.*', default=None, generic=True, ) configitem('acl.allow', '.*', default=None, generic=True, ) configitem('acl', 'sources', default=lambda: ['serve'], ) def _getusers(ui, group): # First, try to use group definition from section [acl.groups] hgrcusers = ui.configlist('acl.groups', group) if hgrcusers: return hgrcusers ui.debug('acl: "%s" not defined in [acl.groups]\n' % group) # If no users found in group definition, get users from OS-level group try: return util.groupmembers(group) except KeyError: raise error.Abort(_("group '%s' is undefined") % group) def _usermatch(ui, user, usersorgroups): if usersorgroups == '*': return True for ug in usersorgroups.replace(',', ' ').split(): if ug.startswith('!'): # Test for excluded user or group. Format: # if ug is a user name: !username # if ug is a group name: !@groupname ug = ug[1:] if not ug.startswith('@') and user != ug \ or ug.startswith('@') and user not in _getusers(ui, ug[1:]): return True # Test for user or group. Format: # if ug is a user name: username # if ug is a group name: @groupname elif user == ug \ or ug.startswith('@') and user in _getusers(ui, ug[1:]): return True return False def buildmatch(ui, repo, user, key): '''return tuple of (match function, list enabled).''' if not ui.has_section(key): ui.debug('acl: %s not enabled\n' % key) return None pats = [pat for pat, users in ui.configitems(key) if _usermatch(ui, user, users)] ui.debug('acl: %s enabled, %d entries for user %s\n' % (key, len(pats), user)) # Branch-based ACL if not repo: if pats: # If there's an asterisk (meaning "any branch"), always return True; # Otherwise, test if b is in pats if '*' in pats: return util.always return lambda b: b in pats return util.never # Path-based ACL if pats: return match.match(repo.root, '', pats) return util.never def ensureenabled(ui): """make sure the extension is enabled when used as hook When acl is used through hooks, the extension is never formally loaded and enabled. This has some side effect, for example the config declaration is never loaded. This function ensure the extension is enabled when running hooks. """ if 'acl' in ui._knownconfig: return ui.setconfig('extensions', 'acl', '', source='internal') extensions.loadall(ui, ['acl']) def hook(ui, repo, hooktype, node=None, source=None, **kwargs): ensureenabled(ui) if hooktype not in ['pretxnchangegroup', 'pretxncommit', 'prepushkey']: raise error.Abort( _('config error - hook type "%s" cannot stop ' 'incoming changesets, commits, nor bookmarks') % hooktype) if (hooktype == 'pretxnchangegroup' and source not in ui.configlist('acl', 'sources')): ui.debug('acl: changes have source "%s" - skipping\n' % source) return user = None if source == 'serve' and r'url' in kwargs: url = kwargs[r'url'].split(':') if url[0] == 'remote' and url[1].startswith('http'): user = urlreq.unquote(url[3]) if user is None: user = procutil.getuser() ui.debug('acl: checking access for user "%s"\n' % user) if hooktype == 'prepushkey': _pkhook(ui, repo, hooktype, node, source, user, **kwargs) else: _txnhook(ui, repo, hooktype, node, source, user, **kwargs) def _pkhook(ui, repo, hooktype, node, source, user, **kwargs): if kwargs[r'namespace'] == 'bookmarks': bookmark = kwargs[r'key'] ctx = kwargs[r'new'] allowbookmarks = buildmatch(ui, None, user, 'acl.allow.bookmarks') denybookmarks = buildmatch(ui, None, user, 'acl.deny.bookmarks') if denybookmarks and denybookmarks(bookmark): raise error.Abort(_('acl: user "%s" denied on bookmark "%s"' ' (changeset "%s")') % (user, bookmark, ctx)) if allowbookmarks and not allowbookmarks(bookmark): raise error.Abort(_('acl: user "%s" not allowed on bookmark "%s"' ' (changeset "%s")') % (user, bookmark, ctx)) ui.debug('acl: bookmark access granted: "%s" on bookmark "%s"\n' % (ctx, bookmark)) def _txnhook(ui, repo, hooktype, node, source, user, **kwargs): # deprecated config: acl.config cfg = ui.config('acl', 'config') if cfg: ui.readconfig(cfg, sections=['acl.groups', 'acl.allow.branches', 'acl.deny.branches', 'acl.allow', 'acl.deny']) allowbranches = buildmatch(ui, None, user, 'acl.allow.branches') denybranches = buildmatch(ui, None, user, 'acl.deny.branches') allow = buildmatch(ui, repo, user, 'acl.allow') deny = buildmatch(ui, repo, user, 'acl.deny') for rev in pycompat.xrange(repo[node].rev(), len(repo)): ctx = repo[rev] branch = ctx.branch() if denybranches and denybranches(branch): raise error.Abort(_('acl: user "%s" denied on branch "%s"' ' (changeset "%s")') % (user, branch, ctx)) if allowbranches and not allowbranches(branch): raise error.Abort(_('acl: user "%s" not allowed on branch "%s"' ' (changeset "%s")') % (user, branch, ctx)) ui.debug('acl: branch access granted: "%s" on branch "%s"\n' % (ctx, branch)) for f in ctx.files(): if deny and deny(f): raise error.Abort(_('acl: user "%s" denied on "%s"' ' (changeset "%s")') % (user, f, ctx)) if allow and not allow(f): raise error.Abort(_('acl: user "%s" not allowed on "%s"' ' (changeset "%s")') % (user, f, ctx)) ui.debug('acl: path access granted: "%s"\n' % ctx)