git clone fails "with error: RPC failed; result=22, HTTP code = 401

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all,

following enviroment:

stock debian squeeze + apache2 + gitweb.
Apache handles user authentication over ldap.


the apache git-related config is:


---
(taken from the
http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html)

[...]
SetEnv GIT_PROJECT_ROOT /mnt/system/git

AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$
/mnt/system/git/$1
AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$
/mnt/system/git/$1
ScriptAliasMatch \
        "(?x)^/git/(.*/(HEAD | \
                        info/refs | \
                        objects/info/[^/]+ | \
                        git-(upload|receive)-pack))$" \
        /usr/lib/git-core/git-http-backend/$1
ScriptAlias /git/ /usr/lib/cgi-bin/gitweb.cgi/

[...]
        <Location "/git/repo1.git">
                # read access
                <Limit GET>
                        require ldap-group repo.writers
                        require ldap-group repo.readers
                </Limit>

                # write access
                <Limit GET PUT POST DELETE PROPPATCH MKCOL COPY MOVE
LOCK UNLOCK>
                        require ldap-group repo.writers
                </Limit>

        </Location>
----------

The ldap group "repo.writers" has "repo.writer" user in it.
The ldap group "repo.readers" has "repo.reader" user in it.

Using the "repo.writer" User, i can successfully clone the repo / push
into the repo.
The appropriate apache-log entries are:

----------------------------------------------------
10.13.99.59 - - [06/Jul/2012:13:28:57 +0200] "GET
/git/repo1.git/info/refs?service=git-receive-pack HTTP/1.1" 401 2427
"-" "git/1.7.2.5"
10.13.99.59 - repo.writer [06/Jul/2012:13:28:57 +0200] "GET
/git/repo1.git/info/refs?service=git-receive-pack HTTP/1.1" 200 728
"-" "git/1.7.2.5"
10.13.99.59 - repo.writer [06/Jul/2012:13:28:57 +0200] "POST
/git/repo1.git/git-receive-pack HTTP/1.1" 200 754 "-" "git/1.7.2.5"
----------------------------------------------------

But if i try to use the "repo.reader" account to CLONE the repo, then it fails:

output@shell:
----------------------------------------------------
ilya@brick:/tmp $ git clone https://repo.reader@git-host/git/repo1.git
Cloning into repo1...
Password:
error: RPC failed; result=22, HTTP code = 401
fatal: The remote end hung up unexpectedly
ilya@brick:
----------------------------------------------------


output@apache-logs
----------------------------------------------------
10.13.99.59 - - [06/Jul/2012:13:28:13 +0200] "GET
/git/repo1.git/info/refs?service=git-upload-pack HTTP/1.1" 401 2427
"-" "git/1.7.2.5"
10.13.99.59 - repo.reader [06/Jul/2012:13:28:13 +0200] "GET
/git/repo1.git/info/refs?service=git-upload-pack HTTP/1.1" 200 935 "-"
"git/1.7.2.5"
10.13.99.59 - repo.reader [06/Jul/2012:13:28:13 +0200] "POST
/git/repo1.git/git-upload-pack HTTP/1.1" 401 894 "-" "git/1.7.2.5"
----------------------------------------------------

The reason why the cloning fails is pretty clear

1. the repo.reader is trying to "POST /git/repo1.git/git-upload-pack",
2. accordingly the rule "<Limit POST>" for "writers" is matching,
3. apache makes a lookup into LDAP and OF COURSE cannot fint the
"repo.reader"-User in the group "repo.writers"
4. as a result the 401 is replied by apache.

When i put the "repo.reader" user into the "repo.writers"-group, then,
of course, he can clone the repo.
But then he also can push into the repo...


The question is now - why, damn, the git client is trying to post
something on CLONE!??!

And the second question - how do i solve it?


I need the authenticated read / authenticated writes separation.


Thanks in advance!


Ilya
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Kernel Development]     [Gcc Help]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [V4L]     [Bugtraq]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]     [Fedora Users]