On Jun 30, 2017, at 00:32 , Matthias Sohn wrote:
Right, REST authentication was the reason.
I took a look at the Gerrit code in GitOverHttpModule and related classes. If we wanted /a to not request authentication for fetching (& cloning), I think there's two options only:
1. Change the filter setup there such that GET & POST requests to the git-upload-pack endpoint are not routed through Gerrit's authentication filter, or 2. rewrite the requests in the Apache front-end (I presume there _is_ one...) via modrewrite or some such so that GET & POST requests to "/a/....?service=git-upload-pack" have the /a stripped before they even get to Gerrit.
(1) would require a change in Gerrit; (2) would require a change in the Eclipse Foundation's web setup for Gerrit.
In either case more URLs might need to be excluded from requesting authentication. For instance, one probably would also want to allow a "git ls-remote" to pass without authentication.
Caveat: I don't know how the Eclipse Gerrit is run; if it's using container-based authentication, something else might need to be done, and perhaps there are reasons why all this would not be feasible at all. |