From: ranger at risk.ee (The Ranger)
Subject: Limiting repo access
Date: Fri, 27 Nov 2015 22:45:57 +0200
Message-ID: <5658C105.1040305@risk.ee>
Hi everybody,
I have been struggling here for some time to allow users access only to
certain repositories via cgit. As a quick workaround I implemented a
gitolite configuration file parser some time ago. This was not an
elegant solution because of tight coupling, but was enough for me at
that time.
Now, while migrating the server, I decided to try a cleaner approach.
I tested the auth-filter using a sample Lua script provided in the filters
directory, but it turned out not to be exactly what I needed. The
problem is that the auth-filter actually shows protected repositories in the
repo list. My requirement was that unauthorized repositories should be
excluded from the repository list and completely hidden.
Therefore, I moved one step forward and implemented a quick
"project-filter" configuration option. This is similar to the existing
auth-filter, with the following differences:
- No authentication is done by the filter; rather, a username is read from
the REMOTE_USER environment variable. Therefore, HTTP Basic Auth
with any existing authentication provider can be used to verify username
and password.
- In the filter initialization phase, the allowed repository list can be
preloaded into the filter for the authenticated user to avoid hammering and
flooding any external DB or script.
- While building the repo list, the filter will be invoked and it will flag
whether the access is granted or denied. If access is denied, the repo will
not be included in the list, thereby effectively hiding it and
denying any access to it.
- I have created a sample filter script in Lua that invokes gitolite and
obtains a repo list from the response.
Although I'm no expert on cgit development, I will send my patches.
Maybe somebody has further thoughts, or they can be somewhat more
useful than rotting in my personal git repository (now being again
happily served with cgit).
--
rgrds,
Ranger
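
The filtering behaviour described in the message above, as an added Lua sketch that is not the poster's patch or cgit's own code: the allow-list is loaded once per request for the user in REMOTE_USER, and every lookup fails closed. All function names, the username character set, and the sample gitolite output (simplified to "permissions, tab, repo name" lines) are assumptions made for this illustration.

```lua
-- Constructed sample of a gitolite-style per-user listing; not real output.
local SAMPLE_INFO = table.concat({
  "hello alice, this is git@example running gitolite3",
  "",
  " R W\tprojects/website",
  " R  \tdocs/handbook",
  " C\tsandbox/[a-z]+",
}, "\n")

-- Build a set of repo names the user may read. Lines without a tab
-- (greeting, blanks) and lines without R permission are ignored.
local function parse_allowed(info_text)
  local allowed = {}
  for line in info_text:gmatch("[^\r\n]+") do
    local perms, repo = line:match("^([^\t]*)\t(%S+)%s*$")
    if perms and perms:find("R", 1, true) then allowed[repo] = true end
  end
  return allowed
end

-- Assumed username policy: reject anything outside a conservative set
-- before the value is handed to an external lookup.
local function valid_user(user)
  return type(user) == "string" and user:match("^[%w%._@+%-]+$") ~= nil
end

-- Preload once, then answer per-repo checks from memory. A missing user,
-- an invalid user, or a failed lookup leaves the set empty (deny all).
local function new_project_filter(user, fetch_info)
  local allowed = {}
  if valid_user(user) then
    local ok, text = pcall(fetch_info, user)
    if ok and type(text) == "string" then allowed = parse_allowed(text) end
  end
  return function(repo) return allowed[repo] == true end
end

local function visible_repos(all_repos, is_allowed)
  local out = {}
  for _, name in ipairs(all_repos) do
    if is_allowed(name) then out[#out + 1] = name end
  end
  return out
end

-- Demo. A deployed filter would pass os.getenv("REMOTE_USER") as the user.
local repos = { "projects/website", "docs/handbook", "secret/payroll" }
local function fake_fetch(_) return SAMPLE_INFO end
print(table.concat(visible_repos(repos, new_project_filter("alice", fake_fetch)), ", "))
print(#visible_repos(repos, new_project_filter(nil, fake_fetch)))
print(#visible_repos(repos, new_project_filter("alice", function() error("lookup failed") end)))
```

The same is_allowed check has to guard direct requests for a repository URL as well as the index, otherwise a hidden repository is still reachable by name.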