git GitHub OAuth2 令牌:如何限制读取单个私有存储库的访问权限
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/26372417/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
GitHub OAuth2 Token: How to restrict access to read a single private repo
提问by Bounce2thaOunce
Use-case:
用例:
Command-line application (which is deployed to a 3rd party machine) needs to be able to download a tarball copy of a private repo that belongs to an organization via the GitHub API (v3)
Application should only be able to access this one private repo and no other repos with read-only permission.
命令行应用程序(部署到第 3 方机器)需要能够通过 GitHub API (v3) 下载属于组织的私有存储库的 tarball 副本
应用程序应该只能访问这个私有存储库,而不能访问其他具有只读权限的存储库。
I have been able to accomplish (1) by creating an authorization for the application after registering a client_id/secret on my github account. However, it does not seem that the tokens returned by the authorization allow read-only access to the repo nor are they restricted to one repo (e.g. one could potentially use the token to modify this repo along with others belonging to the organization).
在我的 github 帐户上注册 client_id/secret 后,我已经能够通过为应用程序创建授权来完成 (1)。然而,授权返回的令牌似乎并不允许对 repo 的只读访问,也不限于一个 repo(例如,一个人可能会使用令牌与属于组织的其他人一起修改这个 repo)。
Is it possible to restrict access via the proper scope? I don't see anything relevant in the API docs (https://developer.github.com/v3/oauth/#scopes).
是否可以通过适当的范围限制访问?我在 API 文档 ( https://developer.github.com/v3/oauth/#scopes) 中没有看到任何相关内容。
回答by starwed
I don't believe you can restrict github OAuth tokens in that way. The github docs for OAuthsay that
我不相信您可以以这种方式限制 github OAuth 令牌。OAuth的github 文档说
While Git over HTTP with OAuth reduces friction for some types of applications, keep in mind that unlike deploy keys, OAuth tokens work for any repository for which the user has access.
虽然使用 OAuth 的基于 HTTP 的 Git 减少了某些类型应用程序的摩擦,但请记住,与部署密钥不同,OAuth 令牌适用于用户有权访问的任何存储库。
So while you can limit the scope of the token in terms of the typesof activities, you can't limit it to a subset of repos.
因此,虽然您可以根据活动类型限制令牌的范围,但不能将其限制为回购的子集。
Deploy keyscan be restricted to a single repo, but allow write access.
部署密钥可以限制为单个存储库,但允许写入访问。
The obvious tactic (as mentioned by Thomas) is to create a dummy account that represents the application. Given the goals of OAuth, this might be a better workflow in any case -- it'll let you easily change the permissions the app has as if it were in fact a user.
显而易见的策略(如 Thomas 所述)是创建一个代表应用程序的虚拟帐户。鉴于 OAuth 的目标,这在任何情况下都可能是一个更好的工作流程——它可以让您轻松更改应用程序拥有的权限,就好像它实际上是用户一样。
Github even mentions/endorses this strategy explicitly, calling them machine users.
Github 甚至明确提到/认可这个策略,称他们为机器用户。
