Sylvain Beucler - Inria, 2014-04-09 16:17:11 +0200 :

> Hi,
>
> On 09/04/2014 15:28, Roland Mas wrote:
>>    In order to allow concurrent SSH + HTTP(S) access to Git repositories,
>> I implemented a prototype using the MPM-ITK Apache2 module.
> Great!
>> It basically runs git-http-backend as a CGI when inside a specific vhost,
>> under the identity of the user performing the request.
> If it's just a CGI, we don't have to use mpm-itk.
> Using something like mirabilos' gitweb for private projects,
> sudo-based, also works:
> http://lists.fusionforge.org/pipermail/fusionforge-general/2014-February/002572.html
> (or a suPHP wrapper, or...)

  Yes, it would also work.  This is a prototype, not meant to be the
final implementation :-)

> However the mpm-itk lead is interesting to investigate for dav_svn, or
> other non-CGI needs.
>> So that means that hooks and so on don't grant access to anything
>> beyond what the user would have through SSH, yet they can clone and
>> push even from
>> restrictive networks.  The authentication/authorization part is managed
>> by Apache with basic auth (userfile/groupfile) and a set of macros.
> How about mod_auth_pgsql2 plugged on nss_usergroups? (in use at Inria)
> No need to write the userfile/groupfile, no cron :)

  Excellent idea.  For some reason I thought that this module was
somewhat exotic, but since it's been available for years I guess I was
mistaken.  Let's push that to round 2 of the implementation.

[...]

> First, let's note that this approach requires Apache 2.4
> (http://mpm-itk.sesse.net/ says: AssignUserIDExpr,
> AssignGroupIDExpr (Apache 2.4 or newer only)).
> The patch configuration doesn't use IfVersion around these directives,
> but they require 2.4. And of course, mpm-itk.

  Yes.  It's rough and unfinished.

> Depending on the next FF release's Apache target, we may need to make
> this feature optional, hence write the packaging accordingly
> (e.g. "a2enmod macro" optional or in a separate package).

  That's a question we need to raise anyway: what do we target as
dependencies for 6.0?  I'd be in favour of upgrading the versions for a
few components (including Apache).

  I'll try polishing the patch and pushing it to a branch in my personal
repo early next week (actually, two branches, one without the Debian
packaging).

Roland.
-- 
Roland Mas

M-x execute-extended-command
