From: Magnus Therning <magnus@therning.org>
To: "Jakub Narębski" <jnareb@gmail.com>
Cc: git@vger.kernel.org
Subject: Re: git-http-backend: anonymous read, authenticated write
Date: Wed, 10 Apr 2013 22:53:59 +0200 [thread overview]
Message-ID: <20130410205359.GB2472@mteis.lan> (raw)
In-Reply-To: <5164087A.3030007@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2837 bytes --]
On Tue, Apr 09, 2013 at 02:24:26PM +0200, Jakub Narębski wrote:
> On 09.04.2013, Magnus Therning wrote:
>
> > I've been trying to set up git-http-backend+lighttpd. I've managed to
> > set up anonymous read-only access, and I then successfully configured
> > authentication for both read and write. Then I get stuck. The
> > man-page for git-http-backend says that the following snippet can be
> > used for Apache 2.x:
> >
> > <LocationMatch "^/git/.*/git-receive-pack$">
> > AuthType Basic
> > AuthName "Git Access"
> > Require group committers
> > ...
> > </LocationMatch>
> >
> > However, when I put in this match on location in my lighty config and
> > try to push I'm not asked for a password, instead I'm greeted with
> >
> > % git push
> > error: The requested URL returned error: 403 Forbidden while
> > accessing
> http://magnus@tracsrv.local/git/foo.git/info/refs?service=git-receive-pack
> >
> > AFAICS this means the man-page is wrong, and that I instead ought to
> > match on the "service=git-receive-pack" part. Is that a correct
> > conclusion?
>
> Yes, it is.
>
> I have tried to do the same anonymous read and authenticated write
> in "smart HTTP" access in Apache. There are some proposals[1],
> all I think which use mod_rewrite (as LocationMatch doesn't take
> query string into account, unfortunately), but I haven't been able
> to make it work.
>
> The problem is that both POST *and GET* (to get refs) must be authethicated.
>
> Nb. I thought that it was corrected... which git version do you use?
1.8.2 on the server, though 1.8.2.1 is available for the distro I'm
using. The discussion you refer to took place in 2010, I doubt any
improvement has been made to this in that point release, or am I
wrong?
> [1]: http://paperlined.org/apps/git/SmartHTTP_Ubuntu.html
>
>
> In the end I have worked around this by allowing all registered users to
> read with "require valid-user" (which in my situation might be even more
> correct solution; the case being repositories for Computer Science class
> lab work), and restricting write via pre-receive hook which checks
> REMOTE_USER.
I *really* want anonymous RO access so the CI server doesn't need any
credentials. I could of course set up git-http-backend to be served
on two different URLs, but that's just ugly ;)
Luckily I did find a working configuration, which I posted in another
email in this thread.
/M
--
Magnus Therning OpenPGP: 0xAB4DFBA4
email: magnus@therning.org jabber: magnus@therning.org
twitter: magthe http://therning.org/magnus
Perl is another example of filling a tiny, short-term need, and then
being a real problem in the longer term.
-- Alan Kay
[-- Attachment #2: Type: application/pgp-signature, Size: 230 bytes --]
next prev parent reply other threads:[~2013-04-10 20:54 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-09 5:45 git-http-backend: anonymous read, authenticated write Magnus Therning
2013-04-09 12:24 ` Jakub Narębski
2013-04-10 20:53 ` Magnus Therning [this message]
2013-04-09 17:12 ` Jeff King
2013-04-10 20:45 ` Magnus Therning
2013-04-10 21:53 ` Jeff King
2013-04-10 21:30 ` Jakub Narębski
2013-04-10 21:47 ` Jeff King
2013-04-10 23:19 ` Magnus Therning
2013-04-11 1:56 ` Jeff King
2013-04-11 3:30 ` [PATCH 0/2] http-backend documentation examples Jeff King
2013-04-11 3:32 ` [PATCH 1/2] doc/http-backend: clarify "half-auth" repo configuration Jeff King
2013-04-11 6:57 ` Magnus Therning
2013-04-11 3:36 ` [PATCH 2/2] doc/http-backend: give some lighttpd config examples Jeff King
2013-04-11 16:47 ` Jakub Narębski
2013-04-11 17:02 ` Jeff King
2013-04-11 18:27 ` Jakub Narębski
2013-04-13 3:33 ` [PATCH 3/2] doc/http-backend: match query-string in apache half-auth example Jeff King
2013-04-13 8:52 ` Jakub Narębski
2013-04-11 6:52 ` git-http-backend: anonymous read, authenticated write Magnus Therning
2013-04-11 19:34 ` Jeff King
2013-04-12 7:22 ` Magnus Therning
2013-04-11 16:43 ` Jakub Narębski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130410205359.GB2472@mteis.lan \
--to=magnus@therning.org \
--cc=git@vger.kernel.org \
--cc=jnareb@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).