test smart http mode, update docs (including mob mode)

  - allow a mob username to be defined; all unauthenticated access will
    look to gitolite like this user (if you set up apache also properly)

  - update doc with more details (some repeat stuff from `man
    git-http-backend` but it's probably worth having everything in one
    place)
Sitaram Chamarty 2011-01-17 19:36:26 +05:30
parent c8b1d8cc5b
commit 0360dc9f3f
6 changed files with 92 additions and 35 deletions

@ -53,6 +53,7 @@ $SVNSERVE = "";
# $ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary"; # $ADMIN_POST_UPDATE_CHAINS_TO = "hooks/post-update.secondary";
# $GL_ADC_PATH = ""; # $GL_ADC_PATH = "";
# $GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups" # $GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"
# $GL_HTTP_ANON_USER = "mob";
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# less used/changed variables # less used/changed variables

@ -40,8 +40,8 @@ suite. The following exceptions exist:
* basic, manual, testing only * basic, manual, testing only
* most admin defined commands * most admin defined commands
* not yet tested
* smart http * smart http
* not yet tested
* mirroring * mirroring
* mob branches * mob branches
* things which I have no easy way to test * things which I have no easy way to test

@ -250,6 +250,14 @@ on feedback from my users to find or fix issues.
Example: `$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"` Example: `$GL_GET_MEMBERSHIPS_PGM = "/usr/local/bin/expand-ldap-user-to-groups"`
* `$GL_HTTP_ANON_USER`, string, default undef
Analogous to running mob branches over ssh (as described in
[doc/mob-branches.mkd][mob], this variable -- combined with appropriate
setup described in [doc/http-backend.mkd][smart] -- lets you pretend to
gitolite that unauthenticated HTTP users are actually authenticated as
this user.
<a name="_less_used_changed_variables"></a> <a name="_less_used_changed_variables"></a>
### less used/changed variables ### less used/changed variables
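
Review bot: The new `$GL_HTTP_ANON_USER` entry opens a parenthesis at "(as described in [doc/mob-branches.mkd][mob]," and never closes it; add the ")" right after the link reference. Since the entry gives the default as undef, it should also say what an unauthenticated HTTP request gets when the variable is left unset, because the text only covers the case where it is set.
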
@ -336,3 +344,5 @@ on feedback from my users to find or fix issues.
[faq]: http://github.com/sitaramc/gitolite/blob/pu/doc/3-faq-tips-etc.mkd [faq]: http://github.com/sitaramc/gitolite/blob/pu/doc/3-faq-tips-etc.mkd
[adc]: http://github.com/sitaramc/gitolite/blob/pu/doc/admin-defined-commands.mkd [adc]: http://github.com/sitaramc/gitolite/blob/pu/doc/admin-defined-commands.mkd
[mirr]: http://github.com/sitaramc/gitolite/blob/pu/doc/mirroring.mkd [mirr]: http://github.com/sitaramc/gitolite/blob/pu/doc/mirroring.mkd
[mob]: http://github.com/sitaramc/gitolite/blob/pu/doc/mob-branches.mkd
[smart]: http://github.com/sitaramc/gitolite/blob/pu/doc/http-backend.mkd

@ -12,8 +12,9 @@ In this document:
* <a href="#_additional_requirements">additional requirements</a> * <a href="#_additional_requirements">additional requirements</a>
* <a href="#_detailed_instructions">detailed instructions</a> * <a href="#_detailed_instructions">detailed instructions</a>
* <a href="#_install_gitolite_under_apache_">install gitolite under "apache"</a> * <a href="#_install_gitolite_under_apache_">install gitolite under "apache"</a>
* <a href="#_setup_the_http_backend">setup the http-backend</a> * <a href="#_setup_apache">setup apache</a>
* <a href="#_usage">usage</a> * <a href="#_usage">usage</a>
* <a href="#_allowing_anonymous_access">allowing anonymous access</a>
---- ----
@ -34,7 +35,7 @@ In this document:
`HOME=$GITOLITE_HTTP_HOME` and hope for the best. Luckily most of them `HOME=$GITOLITE_HTTP_HOME` and hope for the best. Luckily most of them
have to do with sshkeys so this may not matter. YMMV. have to do with sshkeys so this may not matter. YMMV.
* tested on stock Fedora 13; if you test on other environments please let me * tested on stock Fedora 14; if you test on other environments please let me
know how it worked out and if we need to adjust this document know how it worked out and if we need to adjust this document
* tested https with dummy certs and `GIT_SSL_NO_VERIFY`; no reason why it * tested https with dummy certs and `GIT_SSL_NO_VERIFY`; no reason why it
@ -66,56 +67,74 @@ if it does not. Similarly for "/var/www" and other file names/locations.
#### install gitolite under "apache" #### install gitolite under "apache"
* follow the "non-root" method, but since you can't even "su - apache", make Follow the "non-root" method, but since you can't even "su - apache", make the
the following variations when doing this as root: following variations when doing this as root:
* `cd ~apache` first; this is `/var/www` on Fedora 13 * `cd ~apache` first; this is `/var/www` on Fedora 14
* do this in the shell * do this in the shell
mkdir gitolite-home mkdir gitolite-home
export GITOLITE_HTTP_HOME export GITOLITE_HTTP_HOME
GITOLITE_HTTP_HOME=/var/www/gitolite-home GITOLITE_HTTP_HOME=/var/www/gitolite-home
PATH=$PATH:$GITOLITE_HTTP_HOME/bin PATH=$PATH:$GITOLITE_HTTP_HOME/bin
* now run the first 3 install steps for "non-root" method (clone, mkdir, * now run the first 3 install steps for "non-root" method (clone, mkdir, and
and gl-system-install), but **substitute `GITOLITE_HTTP_HOME` in place of gl-system-install), but **substitute** `GITOLITE_HTTP_HOME` in place of
`HOME`** in the mkdir and gl-system-install steps. `HOME` in the mkdir and gl-system-install steps.
**Do NOT run the gl-setup step yet**. **Do NOT run the gl-setup step yet**.
* after the gl-system-install step, add these to the **top** of cd gitolite-home
/var/www/gitolite-home/share/gitolite/conf/example.gitolite.rc git clone /tmp/gitolite.git gitolite-source
$ENV{GIT_HTTP_BACKEND} = "/usr/libexec/git-core/git-http-backend"; cd gitolite-source
# or wherever you have that file; not NO trailing slash GHH=$GITOLITE_HTTP_HOME # just for convenience in next 2 commands
$ENV{PATH} .= ":$ENV{GITOLITE_HTTP_HOME}/bin"; mkdir -p $GHH/bin $GHH/share/gitolite/conf $GHH/share/gitolite/hooks
# note the ".=" here, not "=" src/gl-system-install $GHH/bin $GHH/share/gitolite/conf $GHH/share/gitolite/hooks
* run gl-setup with the name of your admin user * after the gl-system-install step, add these to the **top** of
/var/www/gitolite-home/share/gitolite/conf/example.gitolite.rc
gl-setup sitaram $ENV{GIT_HTTP_BACKEND} = "/usr/libexec/git-core/git-http-backend";
# or wherever you have that file; not NO trailing slash
$ENV{PATH} .= ":$ENV{GITOLITE_HTTP_HOME}/bin";
# note the ".=" here, not "="
* IMPORTANT: fix up ownerships * run gl-setup with the name of your admin user
chown -R apache.apache $GITOLITE_HTTP_HOME gl-setup sitaram
<a name="_setup_the_http_backend"></a> * IMPORTANT: fix up ownerships
#### setup the http-backend chown -R apache.apache $GITOLITE_HTTP_HOME
* when you setup the apache config according to "man git-http-backend", <a name="_setup_apache"></a>
change these two as below (please note the trailing slash on the
ScriptAlias line):
SetEnv GIT_PROJECT_ROOT /var/www/gitolite-home/repositories #### setup apache
ScriptAlias /git/ /var/www/gitolite-home/bin/gl-auth-command/
You also need this new variable: You will need to setup certain values in the httpd conf, as given in `man
git-http-backend`. You can put all them into, for instance,
`/etc/httpd/conf.d/gitolite.conf` and apache [at least on Fedora 14] will pick
it up. These are the values to use; note that these are somewhat different
from those in the manpage cited above, plus we have one extra variable:
SetEnv GITOLITE_HTTP_HOME /var/www/gitolite-home SetEnv GIT_PROJECT_ROOT /var/www/gitolite-home/repositories
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /var/www/gitolite-home/bin/gl-auth-command/
# note trailing slash
And that's it... you're done for the setup! SetEnv GITOLITE_HTTP_HOME /var/www/gitolite-home
<Location /git>
AuthType Basic
AuthName "Private Git Access"
Require valid-user
AuthUserFile /path/to/some/passwdfile
</Location>
Now create/update the password file in `/path/to/some/passwdfile` using the
`htpasswd` command, and you're all done for the setup!
<a name="_usage"></a> <a name="_usage"></a>
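
Review bot: The re-indented rc snippet carries over the comment "# or wherever you have that file; not NO trailing slash", which looks like a typo for "note NO trailing slash" and is easy to misread next to the ScriptAlias comment "# note trailing slash"; fix it while the lines are being touched. In the new "setup apache" paragraph, "You can put all them into" should read "put them all into". The added `git clone /tmp/gitolite.git gitolite-source` line assumes a clone already exists in /tmp, which nothing in this section tells the reader to create, so say where it comes from. The `<Location /git>` block uses `AuthType Basic`; since the document already states that https was tested, recommend serving this location over https here.
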
@ -144,4 +163,28 @@ following works and I'm leaving it at that:
With a few nice shell aliases, you won't even notice the horrible convolutions With a few nice shell aliases, you won't even notice the horrible convolutions
here ;-) here ;-)
<a name="_allowing_anonymous_access"></a>
### allowing anonymous access
Like [mob branches][mob] with ssh, you can allow completely
**un**-authenticated users to still have some rights specified in gitolite.
Briefly, here's how:
* specify a ScriptAlias in apache config for unauthenticated access also. I
prefer something like
ScriptAlias /gitmob/ /var/www/gitolite-home/bin/gl-auth-command/
* set `$GL_HTTP_ANON_USER` to some name, like 'mob' or 'anon' in the rc file
* give rights to this user ('mob' or 'anon' or whatever you used) in the
gitolite config file and push the change
URLs (in this example) will then look like `http://server/gitmob/reponame.git`
-- we lose the userid:passwd part and change 'git' to 'gitmob'.
Enjoy! Enjoy!
[mob]: http://github.com/sitaramc/gitolite/blob/pu/doc/mob-branches.mkd
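
Review bot: The three steps under "allowing anonymous access" never state that the `/gitmob/` ScriptAlias has to stay outside any location carrying `Require valid-user`, or that the authenticated `/git/` alias must keep its auth block. Spell both out, because once `$GL_HTTP_ANON_USER` is set, every request that reaches gl-auth-command without a REMOTE_USER is treated as that user. The step "give rights to this user" should also advise keeping those rights minimal and limited to the repos meant to be open, since no credentials are checked on this path.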

@ -22,6 +22,8 @@ use Exporter 'import';
$GL_SLAVE_MODE $GL_WILDREPOS $GL_WILDREPOS_DEFPERMS $GL_SLAVE_MODE $GL_WILDREPOS $GL_WILDREPOS_DEFPERMS
$GL_WILDREPOS_PERM_CATS $HTPASSWD_FILE $PROJECTS_LIST $REPO_BASE $GL_WILDREPOS_PERM_CATS $HTPASSWD_FILE $PROJECTS_LIST $REPO_BASE
$REPO_UMASK $RSYNC_BASE $SVNSERVE $UPDATE_CHAINS_TO $REPO_UMASK $RSYNC_BASE $SVNSERVE $UPDATE_CHAINS_TO
$GL_HTTP_ANON_USER
); );
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------

@ -74,6 +74,7 @@ if ($ENV{REQUEST_URI}) {
# so the rest of the code stays the same (except the exec at the end). # so the rest of the code stays the same (except the exec at the end).
simulate_ssh_connection(); simulate_ssh_connection();
$ENV{REMOTE_USER} ||= $GL_HTTP_ANON_USER; # see doc/http-backend.mkd
$user = $ENV{GL_USER} = $ENV{REMOTE_USER}; $user = $ENV{GL_USER} = $ENV{REMOTE_USER};
} else { } else {
# no (more) arguments given in ssh mode? default user is $USER # no (more) arguments given in ssh mode? default user is $USER
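
Review bot: On the added line `$ENV{REMOTE_USER} ||= $GL_HTTP_ANON_USER;` nothing handles the case where both values are empty: the documented default for `$GL_HTTP_ANON_USER` is undef, so an unauthenticated request leaves REMOTE_USER undefined and the next line assigns that to `$user` and `$ENV{GL_USER}` with no check. Add an explicit test right after the assignment that dies with a clear message when REMOTE_USER is still empty. Also note that `||=` replaces any false value, so a REMOTE_USER of "0" or an empty string would silently become the anonymous user; a `defined` plus length test is stricter.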