Hi,

I think this is a bit on the advanced side of things we usually answer on 
this list, so you could try asking on the git development list (described 
here <http://git-scm.com/community>).

On Friday, July 6, 2012 2:11:17 PM UTC+2, Ilya wrote:
>
> Hi all,
>
> following environment:
>
> stock debian squeeze + apache2 + gitweb.
> Apache handles user authentication over ldap.
>
>
> the apache git-related config is:
>
>
> ---
> (taken from the
> http://www.kernel.org/pub/software/scm/git/docs/git-http-backend.html)
>
> [...]
> SetEnv GIT_PROJECT_ROOT /mnt/system/git
>
> AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$ /mnt/system/git/$1
> AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /mnt/system/git/$1
> ScriptAliasMatch \
>         "(?x)^/git/(.*/(HEAD | \
>                         info/refs | \
>                         objects/info/[^/]+ | \
>                         git-(upload|receive)-pack))$" \
>         /usr/lib/git-core/git-http-backend/$1
> ScriptAlias /git/ /usr/lib/cgi-bin/gitweb.cgi/
>
> [...]
>         <Location "/git/repo1.git">
>                 # read access
>                 <Limit GET>
>                         require ldap-group repo.writers
>                         require ldap-group repo.readers
>                 </Limit>
>
>                 # write access
>                 <Limit GET PUT POST DELETE PROPPATCH MKCOL COPY MOVE LOCK UNLOCK>
>                         require ldap-group repo.writers
>                 </Limit>
>
>         </Location>
> ----------
>
> The ldap group "repo.writers" has "repo.writer" user in it.
> The ldap group "repo.readers" has "repo.reader" user in it.
>
> Using the "repo.writer" user, I can successfully clone the repo / push
> into the repo.
> The appropriate apache-log entries are:
>
> ----------------------------------------------------
> 10.13.99.59 - - [06/Jul/2012:13:28:57 +0200] "GET /git/repo1.git/info/refs?service=git-receive-pack HTTP/1.1" 401 2427 "-" "git/1.7.2.5"
> 10.13.99.59 - repo.writer [06/Jul/2012:13:28:57 +0200] "GET /git/repo1.git/info/refs?service=git-receive-pack HTTP/1.1" 200 728 "-" "git/1.7.2.5"
> 10.13.99.59 - repo.writer [06/Jul/2012:13:28:57 +0200] "POST /git/repo1.git/git-receive-pack HTTP/1.1" 200 754 "-" "git/1.7.2.5"
> ----------------------------------------------------
>
> But if I try to use the "repo.reader" account to CLONE the repo, then it
> fails:
>
> output@shell:
> ----------------------------------------------------
> ilya@brick:/tmp $ git clone https://repo.reader@git-host/git/repo1.git
> Cloning into repo1...
> Password:
> error: RPC failed; result=22, HTTP code = 401
> fatal: The remote end hung up unexpectedly
> ilya@brick:
> ----------------------------------------------------
>
>
> output@apache-logs
> ----------------------------------------------------
> 10.13.99.59 - - [06/Jul/2012:13:28:13 +0200] "GET /git/repo1.git/info/refs?service=git-upload-pack HTTP/1.1" 401 2427 "-" "git/1.7.2.5"
> 10.13.99.59 - repo.reader [06/Jul/2012:13:28:13 +0200] "GET /git/repo1.git/info/refs?service=git-upload-pack HTTP/1.1" 200 935 "-" "git/1.7.2.5"
> 10.13.99.59 - repo.reader [06/Jul/2012:13:28:13 +0200] "POST /git/repo1.git/git-upload-pack HTTP/1.1" 401 894 "-" "git/1.7.2.5"
> ----------------------------------------------------
>
> The reason why the cloning fails is pretty clear
>
> 1. the repo.reader is trying to "POST /git/repo1.git/git-upload-pack",
> 2. accordingly the rule "<Limit POST>" for "writers" is matching,
> 3. apache makes a lookup into LDAP and OF COURSE cannot find the
> "repo.reader"-User in the group "repo.writers"
> 4. as a result the 401 is replied by apache.
>
> When I put the "repo.reader" user into the "repo.writers"-group, then,
> of course, he can clone the repo.
> But then he also can push into the repo...
>
>
> The question is now - why, damn, the git client is trying to post
> something on CLONE!??!
>
> And the second question - how do I solve it?
>
>
> I need the authenticated read / authenticated writes separation.
>
>
> Thanks in advance!
>

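Added example, not part of the original thread: a small audit that classifies the access-log requests quoted above by the git smart-HTTP service they name (git-upload-pack serves clone/fetch, git-receive-pack serves push) and compares that with the verb-based split the <Limit> blocks assume. The function names are hypothetical and the sample is constructed from the log lines in the post.

```python
import re

# Constructed sample: four access-log lines from the post, unwrapped to one line each.
SAMPLE_LOG = '''\
10.13.99.59 - repo.writer [06/Jul/2012:13:28:57 +0200] "GET /git/repo1.git/info/refs?service=git-receive-pack HTTP/1.1" 200 728 "-" "git/1.7.2.5"
10.13.99.59 - repo.writer [06/Jul/2012:13:28:57 +0200] "POST /git/repo1.git/git-receive-pack HTTP/1.1" 200 754 "-" "git/1.7.2.5"
10.13.99.59 - repo.reader [06/Jul/2012:13:28:13 +0200] "GET /git/repo1.git/info/refs?service=git-upload-pack HTTP/1.1" 200 935 "-" "git/1.7.2.5"
10.13.99.59 - repo.reader [06/Jul/2012:13:28:13 +0200] "POST /git/repo1.git/git-upload-pack HTTP/1.1" 401 894 "-" "git/1.7.2.5"
'''

LINE_RE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
SERVICES = {"git-upload-pack": "read", "git-receive-pack": "write"}

def by_method(method):
    """The assumption behind the <Limit> blocks: only GET is a read."""
    return "read" if method == "GET" else "write"

def by_service(method, target):
    """Classify a smart-HTTP request by the git service it names."""
    path, _, query = target.partition("?")
    if path.endswith("/info/refs"):
        found = re.search(r"(?:^|&)service=([^&]+)", query)
        name = found.group(1) if found else ""
    else:
        name = path.rsplit("/", 1)[-1]
    # Anything that is not a smart-HTTP service endpoint falls back to the verb.
    return SERVICES.get(name) or by_method(method)

def audit(log_text):
    """Return (user, method, status, verb_class, service_class) per log line."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m["user"], m["method"], int(m["status"]),
                         by_method(m["method"]),
                         by_service(m["method"], m["target"])))
    return rows

def mismatches(rows):
    """Requests where the HTTP verb and the git service disagree."""
    return [r for r in rows if r[3] != r[4]]

if __name__ == "__main__":
    for row in mismatches(audit(SAMPLE_LOG)):
        print(row)
```

On this sample the verb and the service disagree twice: the reader's POST to git-upload-pack is a read, and the writer's GET of info/refs?service=git-receive-pack belongs to a push.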