Issues when using HTTP Authentication on root
Project Member Reported by u.wol...@gmail.com, Oct 20 2013
I have noticed two problems (?) with HTTP auth used together with a reverse proxy. I think it would not be an issue if you use the documented method to only protect /login/ with HTTP auth, but I have got some feedback from some users of the plugin which told me that their instance is protected on root (/; i.e. every request). I know there is a way to configure Gerrit to show changes / projects only to registered users, but I can understand the statement that it *may* be more secure to just protect the whole instance with HTTP auth done by reverse proxy (which works fine, except for the following two points). #1: HTTP Clone Clone HTTP is not possible at all. Both reverse proxy password and Gerrit HTTP password are not accepted at password prompt (using the addresses shown in the project detail page). I have not found a workaround for this issue. #2: REST API A direct access to authenticated REST API (a/) is not directly possible. As a workaround, I first do a login with the /login/ url with a following to the rest API. This way I can use the reverse proxy authentication information (but not the HTTP Password displayed in Gerrit settings). Is this the expected behavior? IMHO it would just be easier for everyone to just leave authentication of every request to the reverse proxy when using "auth.type = HTTP". (I have posted this issue already on gerrit discussion list, but got no reply so far: https://groups.google.com/forum/#!topic/repo-discuss/UnQd3HsL820 )
Mar 2 2015,
Jun 8 2015,
Jul 28 2015,
Can this get merged into stable-2.11? This patch applies cleanly and it provides a way to fix issue #3208 for people (i.e., me). I rolled my own local gerrit.war for the time being, but it would be good if there was an official build. If 2.12 is due out sooner than a 2.11.3 would be out, then nevermind!
Aug 4 2015,
Change for 2.11: https://gerrit-review.googlesource.com/70070
Aug 4 2015,
Issue 3208 has been merged into this issue.
Aug 6 2015,
@geek...: The change is in review for 2.11 (backport). It would be great if your could verify that it fixes things for your as well (I do not have time to test it right now). Please post test-results here.
Aug 18 2015,
Sorry for the delay in responding, I can confirm that the backport in 70070 works for me.
Aug 19 2015,
Aug 21 2015,
Sign in to add a comment