doc/3: add section on unexpected gitwebauth good-ness!

2009-10-27 09:47:06 +05:30 · 2009-10-27 09:47:06 +05:30 · a23622a31b
parent 593ed765a7
commit a23622a31b
1 changed files with 61 additions and 0 deletions
--- a/doc/3-faq-tips-etc.mkd
+++ b/doc/3-faq-tips-etc.mkd
@ -12,6 +12,7 @@ In this document:
      * error checking the config file
      * delegating parts of the config file
      * easier to specify gitweb/daemon access
+      * easier to link gitweb authorisation with gitolite
      * better logging
      * one user, many keys
      * support for git installed outside default PATH
@ -92,6 +93,8 @@ plain "git archive", because the Makefile adds a file called
    make master.tar
    # or maybe "make rebel.tar" or "make pu.tar"

+<a name="diff"></a>
+
 ### differences from gitosis

 Apart from the big ones listed in the top level README, and subjective ones
@ -191,6 +194,9 @@ for details.

 #### easier to specify gitweb/daemon access

+Which of your repos should be accessible via plain HTTP or the `git://`
+protocols (gitweb and git daemon, respectively)?
+
 Specifying gitweb and/or daemon access for a repo is simple: give "read"
 permissions to two special usernames: `gitweb` and `daemon`.

@ -221,6 +227,61 @@ bits and pieces.  Here's an example, using short repo names for convenience:
    repo r2
    # ...and so on...

+<a name="gitwebauth"></a>
+
+#### easier to link gitweb authorisation with gitolite
+
+Over and above whether a repo is even *shown* by gitweb, you may want to
+further restrict people, allowing them to view *only* those repos for which
+they have been given read access by gitolite.
+
+This requires that:
+
+  * you have to have some sort of HTTP auth on your web server (out of my
+    scope, sorry!)
+  * the HTTP auth should use the same username (like "sitaram") as used in the
+    gitolite config (for the corresponding user)
+
+Once that is done, it's easy.  Gitweb allows you to specify a subroutine to
+decide on access.  We use that feature and tie it to gitolite.  Sample code
+(untested, munged from something I saw [here][leho]) is given below.
+
+Note the **utter simplicity** of the actual check (just 1 line!).  This is an
+unexpected piece of luck coming from the decision to keep the config parse
+separate from the actual access control.  The config parser puts a pure perl
+hash in that file named below as `$gl_conf_compiled`, so all the parsing is
+already done and we just use it!
+
+    # completely untested... but the basic idea should work fine
+
+    # change these as needed
+    $repo_base = '/home/git/repositories/';
+    $gl_conf_compiled = '/home/git/.gitolite/conf/gitolite.conf-compiled.pm';
+
+    # I assume this gives us the HTTP auth username
+    $username = $cgi->remote_user;
+
+    # ----------
+
+    # parse the config file; updates %repos hash
+    our %repos;
+    die "parse $gl_conf_compiled failed: " . ($! or $@) unless do $gl_conf_compiled;
+
+    # this is gitweb's mechanism; it calls whatever sub is pointed at by this
+    # variable to decide access yes/no
+    $export_auth_hook = sub {
+        my $reponame = shift;
+        # gitweb passes us the full repo path; so we strip the beginning...
+        $reponame =~ s/\Q$repo_base//;
+        # ...and the end, to get the repo name as it is specified in gitolite conf
+        $reponame =~ s/\.git$//;
+
+        return exists $repos{$reponame}{R}{$username};
+    }
+
+
+[leho]: http://leho.kraav.com/news/2009/10/27/using-apache-authentication-with-gitweb-gitosis-repository-access-control/
+
 #### better logging

 If you have been too liberal with the permission to rewind, it has built-in