My favorites | Sign in
Project Home Downloads Wiki Issues Source
New issue   Search
for
  Advanced search   Search tips   Subscriptions
Issue 1473: GitOverHttp does not honor auth.httpHeader
15 people starred this issue and may be notified of changes. Back to list
Status:  New
Owner:  ----


Sign in to add a comment
 
Reported by lord.of.java, Jul 16, 2012
Affected Version: 2.4.2 - HEAD

What steps will reproduce the problem?
1. Setup a gerrit instance with internal jetty (auth.type HTTP, auth.trustContainerAuth true, auth.httpHeader = X-Forwarded-User)
2. Setup up an apache reverse proxy using basic authentication and setting "X-Forwarded-User" Header (see below)
3. Access a repository on gerrit instance with git commandline using http/https, provide basic auth credentials

What is the expected output? What do you see instead?
Git replies with authentication failed.


Please provide any additional information below.
Debugging shows that ConfigAuthFilter calls Request.getRemoteUser() which returns null.

Goal is to use an external sso system (for example Siteminder) and use this for gitOverHttp as well.

Example apache configuration:
ProxyPass /gerrit/ http://gerritserver:8090/gerrit/
ProxyPassReverse /gerrit/ http://gerritserver:8090/gerrit/

<Location /gerrit/>
   RewriteEngine On
   RewriteCond %{LA-U:REMOTE_USER} (.+)
   RewriteRule . - [E=RU:%1]
   RequestHeader add X-Forwarded-User %{RU}e

   AuthType Basic
   AuthName "Gerrit"
   Require valid-user

   Order deny,allow
   Allow from all
</Location>

The fix for this is simple, I will upload it


Sep 4, 2012
#1 lawpo...@gmail.com
May I have your update on the fix? I encounter such problem too.
Mar 4, 2013
#3 clint....@gmail.com
I am also encountering this problem and would like to test the fix. Is it available?
Mar 11, 2013
#4 clint....@gmail.com
I have pushed a fix to https://gerrit-review.googlesource.com/43320

It is based of 2.5.2, and I tested by running in my installation which is behind an SSO.
Mar 18, 2013
#5 clint....@gmail.com
I pushed a for the UI (in the case that externalID != gerritId) to https://gerrit-review.googlesource.com/43600
Oct 27, 2013
Project Member #6 u.wol...@gmail.com
@Clint Morgan: Will you update the patchset again with the suggested changes? It would be nice if this fix could be merged soon.
Oct 28, 2013
#7 clint....@gmail.com
Yes: I should have some time to work on this at the end of this week or early next week. 
Nov 11, 2013
#8 thwalk...@gmail.com
Maybe I'm missing something, but the request seems to be about using a reverse proxy for auth, *not* the container.  It explicitly mentions the proxy using "AuthType Basic" which appears to *not* be the default for Gerrit (specify "gitBasicAuth=true" in the "auth" section of the Gerrit config).

That config change alone in 2.8-rc2 *almost* makes it work for me, but ProjectBasicFilter.java's verify() doesn't handle lookup of external account names (and the header provided usernames I have to work with have '@' preceding a kerberos realm name).

Jan 6 (4 days ago)
Project Member #9 u.wol...@gmail.com
I think this is fixed with the fix from  issue 2209 . Can somebody please confirm?
Sign in to add a comment

Powered by Google Project Hosting