Overview

Private instances for git and gerrit are becoming an important aspect for Linaro. The following document explains the steps taken to implement these private services.

Authentication & Authorization

The servers are run and configured in suexec mode in order to provide better security. All servers are configured only for HTTPS connections.

Web UI

Since the nature of these services is private, authentication needs to happen before the web services are shown to the user: the user needs to be authenticated and authorized to see the content.

For the web UI part, we rely on Apache LDAP and Google mod-auth-external via basic HTTP authentication mechanisms:

  • Apache LDAP is used to require a valid user (a user with a valid Linaro email and password)
  • mod-auth-external is used to grant access based on external factors, in our case a group-based authorization (multiple groups can be used)

Repositories access

Users need to be authenticated and authorized for repository access as well.

When accessing the repositories using Gerrit, authentication and authorization happen directly within Gerrit. For increased security, only the SSH protocol should be enabled (it is also possible to use authenticated HTTP protocol via Gerrit).

For normal git access, not via Gerrit, we rely on gitolite: it is possible to configure gitolite to grant access only to groups or some users, in the same way as it is done on https://git.linaro.org. Push operations are restricted as well.

Authenticated HTTP access via gitolite/git is a little bit trickier: it is possible to implement it, but it will not have the same ACLs as SSH access. It will rely only on the basic HTTP authentication provided by the web server, without granular authorization. It might be possible to tweak the web server with a more granular ACL via the Location directive, but any change will require an update to the Apache configuration and a reload/restart. If the private instance is used only by a single group or group of users, the HTTP protocol can be enabled, since there is no need for a fine-grained ACL.

It goes without saying that the git:// protocol is not an option, and that the HTTP protocol should be used only for clone operations. Push operations should be done either via Gerrit or normal SSH access (or a mix of both).

Gerrit Authentication & Authorization

Gerrit authentication is performed using HTTP_LDAP: the web server will handle the authentication process and will provide gerrit with values taken out from LDAP.

Users still have to import their own SSH keys.

As an admin in Gerrit, since we are relying on LDAP, all the LDAP Linaro groups are available. Please refer to gerrit docs on how to access those.

Problems

Authenticated HTTP

Since the servers are configured to use Apache suexec module, implementing the git HTTP authentication is hard: there are also differences between Ubuntu 12.04 and 14.04 (and Apache 2.2 and 2.4) on how the suexec wrap scripts behave.

It is a trial and error process: put output statements in the wrapper scripts, iterate and check the output. A big difference is in the exported variables from Apache into the CGI scripts.

There is no easy solution: it is necessary to test directly on the server.
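A sketch of the kind of instrumented wrapper described above, as an added example that is not Linaro's actual script: it logs a fixed set of CGI variables so the output can be compared between Apache versions, and refuses the request when no authenticated user was passed in. The log path, backend path, watched-variable list and the GATEWAY_INTERFACE guard are assumptions.

```shell
#!/bin/sh
# Added example: diagnostic suexec wrapper for a git HTTP CGI (not Linaro's script).
# Only named variables are logged, never the whole environment, so that
# credential-bearing variables do not end up in the debug log.
# Assumption: this list of variables is a reasonable set to compare.
WATCHED_VARS="REMOTE_USER AUTH_TYPE REQUEST_METHOD PATH_INFO QUERY_STRING GIT_PROJECT_ROOT GIT_HTTP_EXPORT_ALL"

# Print one "NAME=value" or "NAME=<unset>" line per watched variable.
dump_cgi_env() {
    for name in $WATCHED_VARS; do
        eval "is_set=\${$name+yes}"          # names come from the fixed list above
        if [ "$is_set" = yes ]; then
            eval "value=\$$name"
            # Replace non-printable bytes so a value cannot forge extra log lines.
            value=$(printf '%s' "$value" | tr -c '[:print:]' '?')
            printf '%s=%s\n' "$name" "$value"
        else
            printf '%s=<unset>\n' "$name"
        fi
    done
}

# Fail closed: succeed only if the web server passed an authenticated user.
require_authenticated_user() {
    [ -n "${REMOTE_USER:-}" ]
}

# Log the environment, then either answer 403 or hand over to the backend.
run_wrapper() {
    log_file=$1
    backend=$2
    { date -u '+%Y-%m-%dT%H:%M:%SZ'; dump_cgi_env; } >> "$log_file"
    if ! require_authenticated_user; then
        printf 'Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nForbidden\n'
        return 1
    fi
    exec "$backend"
}

# Act only when invoked as a CGI; both paths are placeholders.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    run_wrapper "/path/to/wrapper-debug.log" "/path/to/git-http-backend" || exit 1
fi
```

Comparing the logged lines from a 12.04/Apache 2.2 host with those from a 14.04/Apache 2.4 host shows which variables reach the CGI on each.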

Gitolite and Gitweb

Based on how gitolite and gitweb are configured, it is also possible to hide repositories from the UI. A deeper integration might be obtained between gitolite and gitweb (using gitolite ACL), but more work is needed on that front. Gitolite documentation has information about this.

Examples

Linaro private code hosting services:

Platform/Systems/PrivateGitGerrit (last modified 2017-02-16 15:16:24)