Re: [egit-dev] Pushing to Gerrit using http

On Sat, Dec 11, 2010 at 5:28 PM, Matthias Sohn
<matthias.sohn@xxxxxxxxxxxxxx> wrote:
> 2010/12/11 Shawn Pearce <spearce@xxxxxxxxxxx>
>>
>> On Thu, Dec 9, 2010 at 8:50 AM, Matthias Sohn
>> <matthias.sohn@xxxxxxxxxxxxxx> wrote:
>> > 2010/12/9 Shawn Pearce <spearce@xxxxxxxxxxx>
>> >>
>> >> On Thu, Dec 9, 2010 at 4:25 AM, Baumgart, Jens <jens.baumgart@xxxxxxx>
>> >> wrote:
>> >> > EGit supports http authentication.
>> >
>> > Is there a way to configure Gerrit so that we can use the same
>> > credentials for pushing as those we use to log on to the Gerrit
>> > Web UI?
>>
>> Rather than just saying "no", I should try to elaborate why so maybe
>> someone can help me improve on it.
>>
>> Gerrit supports multiple methods of authentication.  LDAP, SSL client
>> certificate, OpenID.  We also support this "HTTP" mode, where the
>> reverse proxy web server performs authentication of the user using any
>> method it supports (which might be a commercial single sign-on product
>> like CA NetMinder) and Gerrit trusts the HTTP header containing the
>> username.
>>
>>
>> The C Git client can do username/password authentication, or SSL
>> client certificate, but nothing else.  Critically, OpenID and the
>> generic "HTTP" modes above rely upon browser cookies to present and
>> verify the user identity.  Since the C client doesn't use cookies, it's
>> pretty difficult to support these.
>>
>> I know SAP added the SSL client certificate support to Gerrit for web
>> UI login.  We could also support that for HTTP push, but JGit will
>> need to get support for SSL client certificates over HTTP.
>
> Yeah, that's what I am aiming for for our internal use. We already started
> working on that  :-)
>
>>
>> For the LDAP case where Gerrit itself does the authentication against
>> the LDAP directory, we probably could use the same username/password
>> combination... but in the egit.eclipse.org server case the LDAP
>> directory doesn't have the plaintext password, it has the SHA-1 hash
>> of the password, which rules out using digest authentication, unless
>> we save the hashed digest string alongside the directory password.  Of
>> course all of this was set up to try and reuse the foundation's
>> Bugzilla logins, but they won't give us access to those, so it doesn't
>> really help us anyway.
>
> Would basic authentication over https improve the situation?

Yup.  :-)

-- 
Shawn.
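
The constraint discussed in this thread, as an added example (not code from Gerrit, JGit or anyone in the thread): a directory holding only SHA-1 password hashes cannot verify an RFC 2617 digest response, while basic authentication over https hands the server the password so it can re-hash and compare. The `{SHA}` storage format, the realm, the user and the password are assumptions constructed for the illustration.

```python
import base64
import hashlib
import hmac

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ldap_sha(password: str) -> str:
    # Assumed storage format: "{SHA}" + base64(SHA-1(password)), unsalted.
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()

def digest_ha1(user: str, realm: str, password: str) -> str:
    # RFC 2617 HA1. It is derived from the plaintext password, so it cannot be
    # computed from a stored SHA-1 hash; it must be saved when the password is set.
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    # RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri).
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def verify_digest(user, nonce, method, uri, response, ha1_store) -> bool:
    ha1 = ha1_store.get(user)
    if ha1 is None:  # only {SHA} values on file: nothing to check against
        return False
    return hmac.compare_digest(digest_response(ha1, nonce, method, uri), response)

def verify_basic(authorization: str, directory) -> bool:
    # Basic carries the plaintext (hence https); the server re-hashes and compares.
    scheme, _, b64 = authorization.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, sep, password = base64.b64decode(b64, validate=True).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return False
    stored = directory.get(user)
    if not sep or stored is None:
        return False
    return hmac.compare_digest(ldap_sha(password), stored)

# Constructed sample data (hypothetical realm, user and password).
REALM = "example-realm"
DIRECTORY = {"alice": ldap_sha("constructed-pw")}
HA1_SIDE_STORE = {"alice": digest_ha1("alice", REALM, "constructed-pw")}

def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

`HA1_SIDE_STORE` corresponds to saving the hashed digest string alongside the directory password; without it, `verify_digest` has no value to compare a client's response against.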
