From 0360dc9f3fac66446eba314fc8a5471784840031 Mon Sep 17 00:00:00 2001
From: Sitaram Chamarty
Date: Mon, 17 Jan 2011 19:36:26 +0530
Subject: [PATCH] test smart http mode, update docs (including mob mode)

  - allow a mob username to be defined; all unauthenticated access will look to gitolite like this user (if you setup apache also properly)
  - update doc with more details (some repeat stuff from `man git-http-backend` but it's probably worth having everything in one place
---
 conf/example.gitolite.rc | 1 +
 doc/developer-notes.mkd | 2 +-
 doc/gitolite.rc.mkd | 10 ++++
 doc/http-backend.mkd | 111 +++++++++++++++++++++++++++------------
 src/gitolite_rc.pm | 2 +
 src/gl-auth-command | 1 +
 6 files changed, 92 insertions(+), 35 deletions(-)

diff --git a/conf/example.gitolite.rc b/conf/example.gitolite.rc
index e99efc0..c13f132 100644
--- a/conf/example.gitolite.rc
+++ b/conf/example.gitolite.rc
@@ -53,6 +53,7 @@ $SVNSERVE = "";
 # $ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
 # $GL_ADC_PATH = "";
 # $GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
+# $GL_HTTP_ANON_USER = "mob";
 
 # ------------------------------------------------------------------------------
 # less used/changed variables
diff --git a/doc/developer-notes.mkd b/doc/developer-notes.mkd
index b59850f..0e204b7 100644
--- a/doc/developer-notes.mkd
+++ b/doc/developer-notes.mkd
@@ -40,8 +40,8 @@ suite. The following exceptions exist:
   * basic, manual, testing only
   * most admin defined commands
-  * not yet tested
   * smart http
+  * not yet tested
   * mirroring
   * mob branches
   * things which I have no easy way to test
diff --git a/doc/gitolite.rc.mkd b/doc/gitolite.rc.mkd
index 83e86d7..8010fb6 100644
--- a/doc/gitolite.rc.mkd
+++ b/doc/gitolite.rc.mkd
@@ -250,6 +250,14 @@ on feedback from my users to find or fix issues.
     Example: `$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"`
+  * `$GL_HTTP_ANON_USER`, string, default undef
+
+    Analogous to running mob branches over ssh (as described in [doc/mob-branches.mkd][mob], this variable -- combined with appropriate setup described in [doc/http-backend.mkd][smart] -- lets you pretend to gitolite that unauthenticated HTTP users are actually authenticated as this user.
+
 ### less used/changed variables
@@ -336,3 +344,5 @@ on feedback from my users to find or fix issues.
 [faq]: http://github.com/sitaramc/gitolite/blob/pu/doc/3-faq-tips-etc.mkd
 [adc]: http://github.com/sitaramc/gitolite/blob/pu/doc/admin-defined-commands.mkd
 [mirr]: http://github.com/sitaramc/gitolite/blob/pu/doc/mirroring.mkd
+[mob]: http://github.com/sitaramc/gitolite/blob/pu/doc/mob-branches.mkd
+[smart]: http://github.com/sitaramc/gitolite/blob/pu/doc/http-backend.mkd
diff --git a/doc/http-backend.mkd b/doc/http-backend.mkd
index b1d7266..105cf9a 100644
--- a/doc/http-backend.mkd
+++ b/doc/http-backend.mkd
@@ -12,8 +12,9 @@ In this document:
   * additional requirements
   * detailed instructions
   * install gitolite under "apache"
-  * setup the http-backend
+  * setup apache
   * usage
+  * allowing anonymous access
 
 ----
 
@@ -34,7 +35,7 @@ In this document:
     `HOME=$GITOLITE_HTTP_HOME` and hope for the best. Luckily most of them have to do with sshkeys so this may not matter. YMMV.
 
-  * tested on stock Fedora 13; if you test on other environments please let me
+  * tested on stock Fedora 14; if you test on other environments please let me
     know how it worked out and if we need to adjust this document
 
   * tested https with dummy certs and `GIT_SSL_NO_VERIFY`; no reason why it
@@ -66,56 +67,74 @@ if it does not. Similarly for "/var/www" and other file names/locations.
 #### install gitolite under "apache"
-  * follow the "non-root" method, but since you can't even "su - apache", make
-    the following variations when doing this as root:
+Follow the "non-root" method, but since you can't even "su - apache", make the
+following variations when doing this as root:
-      * `cd ~apache` first; this is `/var/www` on Fedora 13
+  * `cd ~apache` first; this is `/var/www` on Fedora 14
-      * do this in the shell
+  * do this in the shell
-            mkdir gitolite-home
-            export GITOLITE_HTTP_HOME
-            GITOLITE_HTTP_HOME=/var/www/gitolite-home
-            PATH=$PATH:$GITOLITE_HTTP_HOME/bin
+        mkdir gitolite-home
+        export GITOLITE_HTTP_HOME
+        GITOLITE_HTTP_HOME=/var/www/gitolite-home
+        PATH=$PATH:$GITOLITE_HTTP_HOME/bin
-      * now run the first 3 install steps for "non-root" method (clone, mkdir,
-        and gl-system-install), but **substitute `GITOLITE_HTTP_HOME` in place of
-        `HOME`** in the mkdir and gl-system-install steps.
+  * now run the first 3 install steps for "non-root" method (clone, mkdir, and
+    gl-system-install), but **substitute** `GITOLITE_HTTP_HOME` in place of
+    `HOME` in the mkdir and gl-system-install steps.
-        **Do NOT run the gl-setup step yet**.
+    **Do NOT run the gl-setup step yet**.
-  * after the gl-system-install step, add these to the **top** of
-    /var/www/gitolite-home/share/gitolite/conf/example.gitolite.rc
+        cd gitolite-home
+        git clone /tmp/gitolite.git gitolite-source
-        $ENV{GIT_HTTP_BACKEND} = "/usr/libexec/git-core/git-http-backend";
-            # or wherever you have that file; not NO trailing slash
-        $ENV{PATH} .= ":$ENV{GITOLITE_HTTP_HOME}/bin";
-            # note the ".=" here, not "="
+        cd gitolite-source
+        GHH=$GITOLITE_HTTP_HOME # just for convenience in next 2 commands
+        mkdir -p $GHH/bin $GHH/share/gitolite/conf $GHH/share/gitolite/hooks
+        src/gl-system-install $GHH/bin $GHH/share/gitolite/conf $GHH/share/gitolite/hooks
-  * run gl-setup with the name of your admin user
+  * after the gl-system-install step, add these to the **top** of
+    /var/www/gitolite-home/share/gitolite/conf/example.gitolite.rc
-        gl-setup sitaram
+        $ENV{GIT_HTTP_BACKEND} = "/usr/libexec/git-core/git-http-backend";
+            # or wherever you have that file; not NO trailing slash
+        $ENV{PATH} .= ":$ENV{GITOLITE_HTTP_HOME}/bin";
+            # note the ".=" here, not "="
-  * IMPORTANT: fix up ownerships
+  * run gl-setup with the name of your admin user
-        chown -R apache.apache $GITOLITE_HTTP_HOME
+        gl-setup sitaram
-
+  * IMPORTANT: fix up ownerships
-#### setup the http-backend
+        chown -R apache.apache $GITOLITE_HTTP_HOME
-  * when you setup the apache config according to "man git-http-backend",
-    change these two as below (please note the trailing slash on the
-    ScriptAlias line):
+
-        SetEnv GIT_PROJECT_ROOT /var/www/gitolite-home/repositories
-        ScriptAlias /git/ /var/www/gitolite-home/bin/gl-auth-command/
+#### setup apache
-    You also need this new variable:
+You will need to setup certain values in the httpd conf, as given in `man
+git-http-backend`. You can put all them into, for instance,
+`/etc/httpd/conf.d/gitolite.conf` and apache [at least on Fedora 14] will pick
+it up.
These are the values to use; note that these are somewhat different
+from those in the manpage cited above, plus we have one extra variable:
-        SetEnv GITOLITE_HTTP_HOME /var/www/gitolite-home
+        SetEnv GIT_PROJECT_ROOT /var/www/gitolite-home/repositories
+        SetEnv GIT_HTTP_EXPORT_ALL
+        ScriptAlias /git/ /var/www/gitolite-home/bin/gl-auth-command/
+            # note trailing slash
-And that's it... you're done for the setup!
+        SetEnv GITOLITE_HTTP_HOME /var/www/gitolite-home
+
+
+            AuthType Basic
+            AuthName "Private Git Access"
+            Require valid-user
+            AuthUserFile /path/to/some/passwdfile
+
+
+Now create/update the password file in `/path/to/some/passwdfile` using the
+`htpasswd` command, and you're all done for the setup!
@@ -144,4 +163,28 @@ following works and I'm leaving it at that:
 With a few nice shell aliases, you won't even notice the horrible convolutions here ;-)
+
+
+### allowing anonymous access
+
+Like [mob branches][mob] with ssh, you can allow completely
+**un**-authenticated users to still have some rights specified in gitolite.
+Briefly, here's how:
+
+  * specify a ScriptAlias in apache config for unauthenticated access also. I
+    prefer something like
+
+        ScriptAlias /gitmob/ /var/www/gitolite-home/bin/gl-auth-command/
+
+  * set `$GL_HTTP_ANON_USER` to some name, like 'mob' or 'anon' in the rc file
+
+  * give rights to this user ('mob' or 'anon' or whatever you used) in the
+    gitolite config file and push the change
+
+URLs (in this example) will then look like `http://server/gitmob/reponame.git` -- we lose the userid:passwd part and change 'git' to 'gitmob'.
+
 Enjoy!
+
+[mob]: http://github.com/sitaramc/gitolite/blob/pu/doc/mob-branches.mkd
+
diff --git a/src/gitolite_rc.pm b/src/gitolite_rc.pm
index 90fbe50..f3ebade 100644
--- a/src/gitolite_rc.pm
+++ b/src/gitolite_rc.pm
@@ -22,6 +22,8 @@ use Exporter 'import';
     $GL_SLAVE_MODE $GL_WILDREPOS $GL_WILDREPOS_DEFPERMS $GL_WILDREPOS_PERM_CATS $HTPASSWD_FILE $PROJECTS_LIST $REPO_BASE $REPO_UMASK $RSYNC_BASE $SVNSERVE $UPDATE_CHAINS_TO
+
+    $GL_HTTP_ANON_USER
 );
 
 # ------------------------------------------------------------------------------
diff --git a/src/gl-auth-command b/src/gl-auth-command
index 55091d6..ee036ae 100755
--- a/src/gl-auth-command
+++ b/src/gl-auth-command
@@ -74,6 +74,7 @@ if ($ENV{REQUEST_URI}) {
     # so the rest of the code stays the same (except the exec at the end).
     simulate_ssh_connection();
+    $ENV{REMOTE_USER} ||= $GL_HTTP_ANON_USER; # see doc/http-backend.mkd
     $user = $ENV{GL_USER} = $ENV{REMOTE_USER};
 } else {
     # no (more) arguments given in ssh mode? default user is $USER
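Review bot: The added `||=` line in gl-auth-command has no fallback when `$GL_HTTP_ANON_USER` is left at its undef default and a request arrives without `REMOTE_USER` (the unauthenticated ScriptAlias the docs describe carries no Auth block), so `$user` and `$ENV{GL_USER}` on the next line become undef and whatever rejects an undef user, if anything, is outside this hunk. A one-line guard after the added line turns that into an explicit refusal: `die "no REMOTE_USER and no GL_HTTP_ANON_USER configured\n" unless $ENV{REMOTE_USER};`. It is also worth extending the trailing comment to say where the trust comes from, e.g. `# REMOTE_USER is trusted only because apache set it after authenticating; unset means anonymous`. The enclosing `if ($ENV{REQUEST_URI})` block begins before the hunk.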