Re: [egit-dev] Cloning with EGit from Gerrit via http now ask for the PW


On Jun 30, 2017, at 00:32, Matthias Sohn wrote:

https://git.eclipse.org/r allows read access by anonymous users, see permissions settings in [1].
URL suffix /a enforces (digest or basic) authentication and is typically used for access to the REST API [2] where
a logon screen is not suitable since the REST API is usually accessed programmatically.
If a user logs on to the WebUI via the logon screen, a session cookie represents the security session.


Right, REST authentication was the reason.

I took a look at the Gerrit code in GitOverHttpModule and related classes. If we wanted
/a to not request authentication for fetching (& cloning), I think there are only two options:

1. Change the filter setup there such that GET & POST requests to the git-upload-pack
   endpoint are not routed through Gerrit's authentication filter, or
2. Rewrite the requests in the Apache front-end (I presume there _is_ one...) via mod_rewrite
   or some such so that GET & POST requests to "/a/....?service=git-upload-pack" have
   the /a stripped before they even get to Gerrit.

(1) would require a change in Gerrit; (2) would require a change in the Eclipse Foundation's
web setup for Gerrit.

In either case more URLs might need to be excluded from requesting authentication. For instance,
one probably would also want to allow a "git ls-remote" to pass without authentication.

Caveat: I don't know how the Eclipse Gerrit is run; if it's using container-based authentication,
something else might need to be done, and perhaps there are reasons why all this would not be
feasible at all.
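
An added example, not part of the original message and not Gerrit or Eclipse Foundation configuration: a Python model of the rewrite decision in option (2), showing which requests could lose the /a prefix while pushes and REST calls stay behind authentication. The /r context path, the name strip_auth_prefix and the sample project path are assumptions.

```python
from urllib.parse import urlsplit, parse_qs, unquote

BASE = "/r"                  # assumed context path of the Gerrit instance
AUTH_PREFIX = BASE + "/a/"   # /a is the authenticated prefix from the thread


def strip_auth_prefix(method: str, url: str) -> str:
    """Return the URL a front-end would forward to Gerrit (hypothetical helper).

    Only the two smart-HTTP fetch requests lose the /a prefix:
      GET  <repo>/info/refs?service=git-upload-pack   (ref discovery)
      POST <repo>/git-upload-pack                     (pack negotiation)
    Anything else, including git-receive-pack (push) and the REST API,
    is returned unchanged so it still reaches the authentication filter.
    """
    parts = urlsplit(url)
    path = parts.path
    if not path.startswith(AUTH_PREFIX):
        return url
    # Do not rewrite paths with dot segments, empty segments or encoded
    # slashes: the match must be made on the path the backend will see.
    decoded = unquote(path)
    if ".." in decoded.split("/") or "//" in decoded or "%2f" in path.lower():
        return url
    rest = path[len(AUTH_PREFIX):]   # "<repo>/info/refs" or "<repo>/git-upload-pack"
    query = parse_qs(parts.query, keep_blank_values=True)
    is_discovery = (
        method == "GET"
        and rest.endswith("/info/refs")
        and query == {"service": ["git-upload-pack"]}   # exactly one parameter
    )
    is_fetch = (
        method == "POST"
        and rest.endswith("/git-upload-pack")
        and not parts.query
    )
    if not (is_discovery or is_fetch):
        return url
    rewritten = BASE + "/" + rest
    return rewritten + ("?" + parts.query if parts.query else "")
```

The match is deliberately exact on method, path suffix and query string, so a request that merely mentions git-upload-pack somewhere in its URL is not exempted.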
