Re: git-http-backend: anonymous read, authenticated write

On Tue, Apr 09, 2013 at 02:24:26PM +0200, Jakub Narębski wrote:
> On 09.04.2013, Magnus Therning wrote:
> 
> > I've been trying to set up git-http-backend+lighttpd.  I've managed to
> > set up anonymous read-only access, and I then successfully configured
> > authentication for both read and write.  Then I get stuck.  The
> > man-page for git-http-backend says that the following snippet can be
> > used for Apache 2.x:
> > 
> >     <LocationMatch "^/git/.*/git-receive-pack$">
> >         AuthType Basic
> >         AuthName "Git Access"
> >         Require group committers
> >         ...
> >     </LocationMatch>
> > 
> > However, when I put in this match on location in my lighty config and
> > try to push I'm not asked for a password, instead I'm greeted with
> > 
> >     % git push 
> >     error: The requested URL returned error: 403 Forbidden while accessing http://magnus@tracsrv.local/git/foo.git/info/refs?service=git-receive-pack
> > 
> > AFAICS this means the man-page is wrong, and that I instead ought to
> > match on the "service=git-receive-pack" part.  Is that a correct
> > conclusion?
> 
> Yes, it is.
> 
> I have tried to do the same anonymous read and authenticated write
> in "smart HTTP" access in Apache.  There are some proposals[1],
> all I think which use mod_rewrite (as LocationMatch doesn't take
> query string into account, unfortunately), but I haven't been able
> to make it work.
> 
> The problem is that both POST *and GET* (to get refs) must be authenticated.
> 
> Nb. I thought that it was corrected... which git version do you use?

1.8.2 on the server, though 1.8.2.1 is available for the distro I'm
using.  The discussion you refer to took place in 2010, I doubt any
improvement has been made to this in that point release, or am I
wrong?

> [1]: http://paperlined.org/apps/git/SmartHTTP_Ubuntu.html
> 
> 
> In the end I have worked around this by allowing all registered users to
> read with "require valid-user" (which in my situation might be even more
> correct solution; the case being repositories for Computer Science class
> lab work), and restricting write via pre-receive hook which checks
> REMOTE_USER.

I *really* want anonymous RO access so the CI server doesn't need any
credentials.  I could of course set up git-http-backend to be served
on two different URLs, but that's just ugly ;)

Luckily I did find a working configuration, which I posted in another
email in this thread.

/M

-- 
Magnus Therning                      OpenPGP: 0xAB4DFBA4 
email: magnus@xxxxxxxxxxxx   jabber: magnus@xxxxxxxxxxxx
twitter: magthe               http://therning.org/magnus


Perl is another example of filling a tiny, short-term need, and then
being a real problem in the longer term.
     -- Alan Kay
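
Added example, not part of the original message or of the git documentation: a small Python model of the access rule discussed in this thread, comparing a path-only match (the LocationMatch pattern quoted above) with one that also inspects the query string. The request sequences are constructed for a repository named foo.git, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path-only rule, equivalent to the LocationMatch pattern quoted in the thread.
PATH_ONLY = re.compile(r"^/git/.*/git-receive-pack$")


def path_only_rule(method, url):
    """Auth decision when only the URL path is matched (query string ignored)."""
    return bool(PATH_ONLY.match(urlsplit(url).path))


def path_and_query_rule(method, url):
    """Auth decision that also covers the ref advertisement for a push."""
    parts = urlsplit(url)
    if PATH_ONLY.match(parts.path):
        return True
    if parts.path.startswith("/git/") and parts.path.endswith("/info/refs"):
        # parse_qs avoids substring false positives in other parameters.
        return "git-receive-pack" in parse_qs(parts.query).get("service", [])
    return False


# Constructed request sequences for a smart HTTP fetch and push of foo.git.
FETCH = [
    ("GET", "/git/foo.git/info/refs?service=git-upload-pack"),
    ("POST", "/git/foo.git/git-upload-pack"),
]
PUSH = [
    ("GET", "/git/foo.git/info/refs?service=git-receive-pack"),
    ("POST", "/git/foo.git/git-receive-pack"),
]


def unprotected(rule, requests):
    """Return the requests the rule lets through without an auth challenge."""
    return [r for r in requests if not rule(*r)]


if __name__ == "__main__":
    rules = (("path only", path_only_rule), ("path + query", path_and_query_rule))
    for name, rule in rules:
        print(name)
        for label, seq in (("fetch", FETCH), ("push", PUSH)):
            for method, url in seq:
                print(f"  {label:5} {method:4} {url}  auth={rule(method, url)}")
```

With the path-only rule the first request of a push is never challenged, which matches the 403 on `info/refs?service=git-receive-pack` reported above; the second rule protects both push requests while leaving fetch anonymous.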
