Re: [egit-dev] Cloning with EGit from Gerrit via http now ask for the PW
Thanks for the discussion. Possible solutions sound like they would
cause too much effort. While this makes the entry for new
contributors a little bit higher, I think it is not worth the effort.
On Mon, Jul 3, 2017 at 8:29 AM, Thomas Wolf <thomas.wolf@xxxxxxxxxx> wrote:
>
> On Jun 30, 2017, at 00:32 , Matthias Sohn wrote:
>
> https://git.eclipse.org/r allows read access by anonymous users, see
> permissions settings in [1].
> URL suffix /a enforces (digest or basic) authentication and is typically
> used for access to the REST API [2] where
> a logon screen is not suitable since the REST API is usually accessed
> programmatically.
> If a user logs on to the WebUI via the logon screen, a session cookie
> represents the security session.
>
> [1] https://git.eclipse.org/r/#/admin/projects/All-Projects,access
> [2] https://git.eclipse.org/r/Documentation/rest-api.html#authentication
>
>
> Right, REST authentication was the reason.
>
> I took a look at the Gerrit code in GitOverHttpModule and related classes.
> If we wanted /a to not request authentication for fetching (& cloning),
> I think there are only two options:
>
> 1. Change the filter setup there such that GET & POST requests to the
> git-upload-pack endpoint are not routed through Gerrit's authentication
> filter, or
> 2. rewrite the requests in the Apache front-end (I presume there _is_
> one...) via mod_rewrite or some such so that GET & POST requests to
> "/a/....?service=git-upload-pack" have the /a stripped before they even
> get to Gerrit.
>
> (1) would require a change in Gerrit; (2) would require a change in the
> Eclipse Foundation's
> web setup for Gerrit.
>
> In either case more URLs might need to be excluded from requesting
> authentication. For instance,
> one probably would also want to allow a "git ls-remote" to pass without
> authentication.
>
> Caveat: I don't know how the Eclipse Gerrit is run; if it's using
> container-based authentication,
> something else might need to be done, and perhaps there are reasons why all
> this would not be
> feasible at all.
>
--
Eclipse Platform UI and e4 project co-lead
CEO vogella GmbH
Haindaalwisch 17a, 22395 Hamburg
Amtsgericht Hamburg: HRB 127058
Geschäftsführer: Lars Vogel, Jennifer Nerlich de Vogel
USt-IdNr.: DE284122352
Fax (040) 5247 6322, Email: lars.vogel@xxxxxxxxxxx, Web: http://www.vogella.com
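
The front-end rewrite from option 2 in the quoted message, modelled as a decision function. This is an added example, not code from the thread, from Gerrit or from the Eclipse Foundation's setup; the function name, the sample paths and the rule that anything ambiguous keeps its /a prefix are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

AUTH_PREFIX = "/a/"                # authenticated prefix described in the thread
FETCH_SERVICE = "git-upload-pack"  # service used by fetch and clone


def rewrite_for_anonymous_fetch(method: str, target: str) -> str:
    """Return `target` with the /a prefix stripped only for fetch/clone
    requests; every other request is returned unchanged, so it still
    reaches the authentication filter.

    Assumption: `target` is the path and query as the front-end sees it,
    relative to the Gerrit base URL.
    """
    parts = urlsplit(target)
    path = parts.path
    if not path.startswith(AUTH_PREFIX):
        return target
    # Leave odd paths alone: encoded bytes, dot segments or empty segments
    # could make the front-end and Gerrit disagree about the endpoint.
    if "%" in path or "/../" in path or "/./" in path or "//" in path:
        return target

    rest = path[len(AUTH_PREFIX) - 1:]  # drop "/a", keep the leading slash
    method = method.upper()

    if method == "GET" and rest.endswith("/info/refs"):
        # Ref advertisement (also what "git ls-remote" requests). Exactly one
        # service parameter, naming upload-pack, is required; a second value
        # such as git-receive-pack makes the request ambiguous.
        if parse_qs(parts.query).get("service", []) != [FETCH_SERVICE]:
            return target
        project = rest[: -len("/info/refs")]
    elif method == "POST" and rest.endswith("/" + FETCH_SERVICE):
        if parts.query:
            return target
        project = rest[: -len("/" + FETCH_SERVICE)]
    else:
        # Pushes (git-receive-pack), REST API calls and anything else.
        return target

    if project in ("", "/"):
        return target  # no project name in the path
    return rest + ("?" + parts.query if parts.query else "")
```
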