| Issue 1473: | GitOverHttp does not honor auth.httpHeader | |
| 15 people starred this issue and may be notified of changes. | Back to list |
Affected Version: 2.4.2 - HEAD
What steps will reproduce the problem?
1. Setup a gerrit instance with internal jetty (auth.type HTTP, auth.trustContainerAuth true, auth.httpHeader = X-Forwarded-User)
2. Setup up an apache reverse proxy using basic authentication and setting "X-Forwarded-User" Header (see below)
3. Access a repository on gerrit instance with git commandline using http/https, provide basic auth credentials
What is the expected output? What do you see instead?
Git replies with authentication failed.
Please provide any additional information below.
Debugging shows that ConfigAuthFilter calls Request.getRemoteUser() which returns null.
Goal is to use an external sso system (for example Siteminder) and use this for gitOverHttp as well.
Example apache configuration:
ProxyPass /gerrit/ http://gerritserver:8090/gerrit/
ProxyPassReverse /gerrit/ http://gerritserver:8090/gerrit/
<Location /gerrit/>
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RequestHeader add X-Forwarded-User %{RU}e
AuthType Basic
AuthName "Gerrit"
Require valid-user
Order deny,allow
Allow from all
</Location>
The fix for this is simple, I will upload it
Sep 4, 2012
#1
lawpo...@gmail.com
Mar 4, 2013
I am also encountering this problem and would like to test the fix. Is it available?
Mar 11, 2013
I have pushed a fix to https://gerrit-review.googlesource.com/43320 It is based of 2.5.2, and I tested by running in my installation which is behind an SSO.
Mar 18, 2013
I pushed a for the UI (in the case that externalID != gerritId) to https://gerrit-review.googlesource.com/43600
Oct 27, 2013
@Clint Morgan: Will you update the patchset again with the suggested changes? It would be nice if this fix could be merged soon.
Oct 28, 2013
Yes: I should have some time to work on this at the end of this week or early next week.
Nov 11, 2013
Maybe I'm missing something, but the request seems to be about using a reverse proxy for auth, *not* the container. It explicitly mentions the proxy using "AuthType Basic" which appears to *not* be the default for Gerrit (specify "gitBasicAuth=true" in the "auth" section of the Gerrit config). That config change alone in 2.8-rc2 *almost* makes it work for me, but ProjectBasicFilter.java's verify() doesn't handle lookup of external account names (and the header provided usernames I have to work with have '@' preceding a kerberos realm name).
Jan 6 (4 days ago)
I think this is fixed with the fix from issue 2209 . Can somebody please confirm? |
|
| ► Sign in to add a comment |