Starred by 10 users

Issue metadata

Status: Released
Owner: ----
Closed: Jun 2015




Issues when using HTTP Authentication on root

Project Member Reported by u.wol...@gmail.com, Oct 20 2013

Issue description

I have noticed two problems (?) with HTTP auth used together with a reverse proxy. I think it would not be an issue if you use the documented method to only protect /login/ with HTTP auth, but I have got some feedback from some users of the plugin who told me that their instance is protected on root (/; i.e. every request). I know there is a way to configure Gerrit to show changes / projects only to registered users, but I can understand the statement that it *may* be more secure to just protect the whole instance with HTTP auth done by reverse proxy (which works fine, except for the following two points).

#1: HTTP Clone
HTTP clone is not possible at all. Both the reverse proxy password and the Gerrit HTTP password are not accepted at the password prompt (using the addresses shown in the project detail page). I have not found a workaround for this issue.

#2: REST API
Direct access to the authenticated REST API (a/) is not directly possible. As a workaround, I first do a login with the /login/ URL with a following to the REST API. This way I can use the reverse proxy authentication information (but not the HTTP Password displayed in Gerrit settings).

Is this the expected behavior? IMHO it would just be easier for everyone to just leave authentication of every request to the reverse proxy when using "auth.type = HTTP".

(I have posted this issue already on gerrit discussion list, but got no reply so far: https://groups.google.com/forum/#!topic/repo-discuss/UnQd3HsL820 )
 
Project Member

Comment 1 by u.wol...@gmail.com, Feb 22 2015

This is related to issue #1473. See also my comment here: https://gerrit-review.googlesource.com/43320
Status: ChangeUnderReview
https://gerrit-review.googlesource.com/#/c/65541/
Labels: FixedIn-2.12
Status: Submitted

Comment 4 by geek...@gmail.com, Jul 28 2015

Can this get merged into stable-2.11? This patch applies cleanly and it provides a way to fix issue #3208 for people (i.e., me). I rolled my own local gerrit.war for the time being, but it would be good if there was an official build. If 2.12 is due out sooner than a 2.11.3 would be out, then never mind!
Project Member

Comment 5 by edwin.ke...@gmail.com, Aug 4 2015

Change for 2.11:
  https://gerrit-review.googlesource.com/70070
Project Member

Comment 6 by edwin.ke...@gmail.com, Aug 4 2015

Issue 3208 has been merged into this issue.
Project Member

Comment 7 by u.wol...@gmail.com, Aug 6 2015

@geek...: The change is in review for 2.11 (backport). It would be great if you could verify that it fixes things for you as well (I do not have time to test it right now). Please post test results here.

Comment 8 by geek...@gmail.com, Aug 18 2015

Sorry for the delay in responding, I can confirm that the backport in 70070 works for me.
Labels: -FixedIn-2.12 FixedIn-2.11.3
Status: Released
