Re: [egit-dev] Pushing to Gerrit using http

On Thu, Dec 9, 2010 at 8:50 AM, Matthias Sohn
<matthias.sohn@xxxxxxxxxxxxxx> wrote:
> 2010/12/9 Shawn Pearce <spearce@xxxxxxxxxxx>
>>
>> On Thu, Dec 9, 2010 at 4:25 AM, Baumgart, Jens <jens.baumgart@xxxxxxx>
>> wrote:
>> > EGit supports http authentication.
>
> Is there a way to configure Gerrit so that we can use the same credentials
> for pushing like those we use to log on to Gerrit Web UI?

Rather than just saying "no", I should try to elaborate why so maybe
someone can help me improve on it.

Gerrit supports multiple methods of authentication.  LDAP, SSL client
certificate, OpenID.  We also support this "HTTP" mode, where the
reverse proxy web server performs authentication of the user using any
method it supports (which might be a commercial single sign-on product
like CA NetMinder) and Gerrit trusts the HTTP header containing the
username.


The C Git client can do username/password authentication, or SSL
client certificate, but nothing else.  Critically, OpenID and the
generic "HTTP" modes above rely upon browser cookies to present and
verify the user identity.  Since the C client doesn't use cookies, it's
pretty difficult to support these.

I know SAP added the SSL client certificate support to Gerrit for web
UI login.  We could also support that for HTTP push, but JGit will
need to get support for SSL client certificates over HTTP.

For the LDAP case where Gerrit itself does the authentication against
the LDAP directory, we probably could use the same username/password
combination... but in the egit.eclipse.org server case the LDAP
directory doesn't have the plaintext password, it has the SHA-1 hash
of the password, which rules out using digest authentication, unless
we save the hashed digest string alongside the directory password.  Of
course all of this was set up to try and reuse the foundation's
Bugzilla logins, but they won't give us access to those, so it doesn't
really help us anyway.

-- 
Shawn.

