Devpi's docs for the --restrict-modify param specify that in addition to specifying access rights for a user, access rights can also be modified for a group:
specify which users/groups may create other users and their indices. Multiple users and groups are separated by commas. Groups need to be prefixed with a colon like this: ':group'. [...]
There's no documentation about how to actually create a group, though; is this integrated directly with the Unix groups available on the host machine?
The devpi server does not do any group management itself. Instead, it delegates it to the auth plugins. Take a look at the devpiserver_auth_user hookspec:
return dict containing authentication validation results. A dict must be returned with a key "status" with one of the following values:
- "ok" - authentication succeeded
- "unknown" - no matching user, other plugins are tried
- "reject" - invalid password, authentication stops
Optionally the plugin can return a list of group names the user is member of using the "groups" key of the result dict.
AFAIK currently there is only one plugin using groups: devpi-ldap; check out its code for a usage example.
As for binding the access rights to unix groups, you could easily write such an auth plugin yourself. Here is a dumb example of a plugin that does not do any real auth, only returning the unix groups the user requesting access belongs to:
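# myplugin.py
import grp
from pluggy import HookimplMarker
# marker that registers hook implementations with devpi-server
hookimpl = HookimplMarker("devpiserver")
@hookimpl(tryfirst=True)
def devpiserver_auth_user(userdict, username, password):
    # no real auth: the password is never checked
    # get all groups for the user (gr_mem lists supplementary members only,
    # so the user's primary group is not included)
    groups = [group.gr_name for group in grp.getgrall() if username in group.gr_mem]
    return {'status': 'ok', 'groups': groups}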
Now add devpi's entry point in the plugin's setup script and you're good to go:
from setuptools import setup
setup(
    name='devpi-unix-group-auth',
    py_modules=['myplugin'],
    # devpi-server discovers plugins through the 'devpi_server' entry point group
    entry_points={
        'devpi_server': ['devpi-unix-group-auth = myplugin']
    },
    # ... (remaining setup() arguments)
)
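An added example, not part of the original answer or of devpi's code: the three hookspec statuses and the ':group' syntax of --restrict-modify applied to Unix-style account records, with the primary group included. The names unix_groups, auth_result, may_modify and SAMPLE are hypothetical, the password check is assumed to happen elsewhere, and may_modify follows the documented syntax rather than devpi's own matching code.

```python
import grp
import pwd
from collections import namedtuple

def unix_groups(username, passwd_db=None, group_db=None):
    """Group names for username, or None if no such account exists."""
    passwd_db = pwd.getpwall() if passwd_db is None else passwd_db
    group_db = grp.getgrall() if group_db is None else group_db
    account = next((p for p in passwd_db if p.pw_name == username), None)
    if account is None:
        return None
    # gr_mem holds supplementary members only; the primary group is pw_gid.
    return sorted(g.gr_name for g in group_db
                  if g.gr_gid == account.pw_gid or username in g.gr_mem)

def auth_result(username, password_ok, **dbs):
    """Result dict in the shape the hookspec describes.
    password_ok: verdict of a real password check (assumed done elsewhere)."""
    groups = unix_groups(username, **dbs)
    if groups is None:
        return {"status": "unknown"}  # no matching user, other plugins are tried
    if not password_ok:
        return {"status": "reject"}   # invalid password, authentication stops
    return {"status": "ok", "groups": groups}

def may_modify(restrict_modify, username, groups):
    """Assumed matching for a --restrict-modify value like 'root,:pypi-admins'."""
    for entry in (e.strip() for e in restrict_modify.split(",")):
        if entry.startswith(":"):
            if entry[1:] in groups:   # ':group' entries match group names
                return True
        elif entry and entry == username:  # bare entries match user names
            return True
    return False

# Constructed sample databases (not real accounts), shaped like pwd/grp records.
Passwd = namedtuple("Passwd", "pw_name pw_gid")
Group = namedtuple("Group", "gr_name gr_gid gr_mem")
SAMPLE = {
    "passwd_db": [Passwd("alice", 1001), Passwd("bob", 1002)],
    "group_db": [Group("alice", 1001, []), Group("bob", 1002, []),
                 Group("pypi-admins", 2000, ["alice"])],
}

if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        res = auth_result(user, True, **SAMPLE)
        print(user, res, may_modify("root,:pypi-admins", user, res.get("groups", [])))
```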