Re: [egit-dev] Pushing to Gerrit using http

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [egit-dev] Pushing to Gerrit using http

From: Shawn Pearce <spearce@xxxxxxxxxxx>
Date: Sat, 11 Dec 2010 17:49:56 -0800
Delivered-to: egit-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/private/egit-dev>
List-help: <mailto:egit-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/egit-dev>, <mailto:egit-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/options/egit-dev>, <mailto:egit-dev-request@eclipse.org?subject=unsubscribe>

On Sat, Dec 11, 2010 at 5:28 PM, Matthias Sohn
<matthias.sohn@xxxxxxxxxxxxxx> wrote:
> 2010/12/11 Shawn Pearce <spearce@xxxxxxxxxxx>
>>
>> On Thu, Dec 9, 2010 at 8:50 AM, Matthias Sohn
>> <matthias.sohn@xxxxxxxxxxxxxx> wrote:
>> > 2010/12/9 Shawn Pearce <spearce@xxxxxxxxxxx>
>> >>
>> >> On Thu, Dec 9, 2010 at 4:25 AM, Baumgart, Jens <jens.baumgart@xxxxxxx>
>> >> wrote:
>> >> > EGit supports http authentication.
>> >
>> > Is there a way to configure Gerrit so that we can use the same
>> > credentials
>> > for pushing
>> > like those we use to logon to Gerrit Web UI ?
>>
>> Rather than just saying "no", I should try to elaborate why so maybe
>> someone can help me improve on it.
>>
>> Gerrit supports multiple methods of authentication.  LDAP, SSL client
>> certificate, OpenID.  We also support this "HTTP" mode, where the
>> reverse proxy web server performs authentication of the user using any
>> method it supports (which might be a commercial single sign-on product
>> like CA NetMinder) and Gerrit trusts the HTTP header containing the
>> username.
>>
>>
>> The C Git client can do username/password authentication, or SSL
>> client certificate, but nothing else.  Critically, OpenID and the
>> generic "HTTP" modes above rely upon browser cookies to present and
>> verify the user identity.  Since the C client doesn't use cookies, its
>> pretty difficult to support these.
>>
>> I know SAP added the SSL client certificate support to Gerrit for web
>> UI login.  We could also support that for HTTP push, but JGit will
>> need to get support for SSL client certificates over HTTP.
>
> Yeah, that's what I am aiming for for our internal use. We already started
> working on that  :-)
>
>>
>> For the LDAP case where Gerrit itself does the authentication against
>> the LDAP directory, we probably could use the same username/password
>> combination... but in the egit.eclipse.org server case the LDAP
>> directory doesn't have the plaintext password, it has the SHA-1 hash
>> of the password, which rules out using digest authentication, unless
>> we save the hashed digest string alongside the directory password.  Of
>> course all of this was setup to try and reuse the foundation's
>> Bugzilla logins, but they won't give us access to those, so it doesn't
>> really help us anyway.
>
> would basic authentication over https improve the situation ?

Yup.  :-)

-- 
Shawn.

References:
- [egit-dev] Pushing to Gerrit using http
  - From: Baumgart, Jens
- Re: [egit-dev] Pushing to Gerrit using http
  - From: Shawn Pearce
- Re: [egit-dev] Pushing to Gerrit using http
  - From: Matthias Sohn
- Re: [egit-dev] Pushing to Gerrit using http
  - From: Shawn Pearce
- Re: [egit-dev] Pushing to Gerrit using http
  - From: Matthias Sohn

Prev by Date: Re: [egit-dev] Pushing to Gerrit using http
Next by Date: [egit-dev] closing 0.10
Previous by thread: Re: [egit-dev] Pushing to Gerrit using http
Next by thread: [egit-dev] galileo build broken
Index(es):
- Date
- Thread

Breadcrumbs