#4731 Switch default Git auth backend to the internal 'pagure_authorized_keys' backend
Opened 8 months ago by ngompa. Modified 2 months ago

file modified
+1 -1
@@ -255,7 +255,7 @@ 

  - `pagure`: Pagure git auth implementation (using keyhelper.py and aclchecker.py) that is used via sshd AuthorizedKeysCommand

  - `pagure_authorized_keys`: Pagure git auth implementation that writes to authorized_keys file

  

- Defaults to: ``gitolite3``

+ Defaults to: ``pagure_authorized_keys``

  

  .. note:: The option GITOLITE_BACKEND is the legacy name, and for backwards compatibility reasons will override this setting

  

file modified
+5 -5
@@ -146,7 +146,7 @@ 

  created manually.

  

  For example you can place them under ``/srv/git/repositories/`` which would

- make ``/srv/git`` the home of your gitolite user.

+ make ``/srv/git`` the home of your git user.

  

  You would then create the folders with:

  ::
@@ -180,9 +180,9 @@ 

  * Give apache permission to read the repositories owned by the ``git`` user.

  

  For the sake of this document, we assume that the web application runs under

- the ``git`` user, the same user as your gitolite user, but apache itself

+ the ``git`` user, the same user as your git user, but apache itself

  runs under the ``httpd`` (or ``apache2``) user. So by default, apache

- will not be allowed to read git repositories created and managed by gitolite.

+ will not be allowed to read git repositories created and managed by pagure.

  

  To give apache this permission (required to make git clone via http work),

  we use file access control lists (aka FACL):
@@ -192,7 +192,7 @@ 

      setfacl -Rdm user:apache:rx /srv/git

      setfacl -Rm user:apache:rx /srv/git

  

- Where ``/srv/git`` is the home of your gitolite user (which will thus need

+ Where ``/srv/git`` is the home of your git user (which will thus need

  to be adjusted for your configuration).

  

  
@@ -272,7 +272,7 @@ 

  If you installed by RPM, then enable and start the worker services

  ::

  

-         systemctl enable --now pagure_worker.service pagure_gitolite_worker.service

+         systemctl enable --now pagure_worker.service pagure_authorized_keys_worker.service

          

  

  Set up virus scanning

file modified
+16
@@ -74,6 +74,13 @@ 

  GIT_URL_SSH = 'ssh://git@localhost.localdomain/'

  GIT_URL_GIT = 'git://localhost.localdomain/'

  

+ ### Folder containing the pagure user SSH authorized keys

+ SSH_FOLDER = os.path.join(

+     os.path.abspath(os.path.dirname(__file__)),

+     '..',

+     '.ssh'

+ )

+ 

  ### Folder containing to the git repos

  GIT_FOLDER = os.path.join(

      os.path.abspath(os.path.dirname(__file__)),
@@ -125,6 +132,15 @@ 

  

  # SSH Information

  

+ ### SSH commend for interacting with repositories

+ SSH_COMMAND_NON_REPOSPANNER = (

+     [

+         "/usr/bin/%(cmd)s",

+         os.path.join(GIT_FOLDER, "%(reponame)s"),

+     ],

+     {"GL_USER": "%(username)s"},

+ )

+ 

  ### The ssh certificates of the git server to be provided to the user

  ### /!\ format is important

  # SSH_KEYS = {'RSA': {'fingerprint': '<foo>', 'pubkey': '<bar>'}}

file modified
-3
@@ -81,9 +81,6 @@ 

  

  %{?systemd_requires}

  

- # No dependency of the app per se, but required to make it working.

- Requires:           gitolite3

- 

  %description

  Pagure is a light-weight git-centered forge based on pygit2.

  

file modified
+10 -7
@@ -142,6 +142,11 @@ 

  # Folder where to place the ssh keys for the mirroring feature

  MIRROR_SSHKEYS_FOLDER = "/var/lib/pagure/sshkeys/"

  

+ # Folder containing the pagure user SSH authorized keys

+ SSH_FOLDER = os.path.join(

+     os.path.abspath(os.path.dirname(__file__)), "..", "lcl", ".ssh"

+ )

+ 

  # Folder containing to the git repos

  # Note that this must be exactly the same as GL_REPO_BASE in gitolite.rc

  GIT_FOLDER = os.path.join(
@@ -189,7 +194,7 @@ 

  

  # Backend for git auth decisions

  # This may be either a static helper (like gitolite based) or dynamic.

- GIT_AUTH_BACKEND = "gitolite3"

+ GIT_AUTH_BACKEND = "pagure_authorized_keys"

  

  # Legacy option name for GIT_AUTH_BACKEND, retained for backwards compatibility

  # This option overrides GIT_AUTH_BACKEND
@@ -551,7 +556,7 @@ 

  # Whether to allow pushing via HTTP

  ALLOW_HTTP_PUSH = False

  # Path to Gitolite-shell if using that, None to use Git directly

- HTTP_REPO_ACCESS_GITOLITE = "/usr/share/gitolite3/gitolite-shell"

+ HTTP_REPO_ACCESS_GITOLITE = None

  

  # repoSpanner integration settings

  # Path the the repoBridge binary
@@ -621,12 +626,10 @@ 

  )

  SSH_COMMAND_NON_REPOSPANNER = (

      [

-         "/usr/share/gitolite3/gitolite-shell",

-         "%(username)s",

-         "%(cmd)s",

-         "%(reponame)s",

+         "/usr/bin/%(cmd)s",

+         os.path.join(GIT_FOLDER, "%(reponame)s"),

      ],

-     {},

+     {"GL_USER": "%(username)s"},

  )

  

  CSP_HEADERS = (

The Gitolite backend has turned into a rather difficult backend to support
by default. Among other things, newer versions of Gitolite seem to have
issues with parsing the configuration data generated by Pagure.

Combined with the performance issues for larger setups and the complexity
required to set up Pagure correctly with the Gitolite backend, it makes
sense to switch the default backend to the simpler, internal one.

Signed-off-by: Neal Gompa ngompa13@gmail.com

@pingou I don't know when we want to make this change, but I'm getting frustrated by gitolite becoming randomly broken on top of the poor performance.

Issues like #3971 are now commonplace for me on both Mageia and openSUSE, especially since openSUSE Leap 15.1 and newer are afflicted with the problem.

I'm obviously okay with us fixing #3971 for 5.9, but for 6.0, we should just change the default.

Thanks for this. As someone impacted by the bug mentioned in #3971, I think this makes sense. Unfortunately, though, this patch won't work out of the box as is. As you know, I spent several hours trying to get the pagure git auth working (with your help as well; thank you for that), so I thought it'd be a good idea to comment here and explain what you need to do in order to get things up and running.

  • You will need to set AuthorizedKeysCommand and AuthorizedKeysCommandUser on /etc/sshd/sshd_config. Currently the documentation doesn't mention anything about it. There is a Fedora configuration example here:

https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/basessh/templates/sshd_config#n46

  • You will need to set SSH_KEYS_USERNAME_EXPECT on pagure.cfg.

  • You will also need to set SSH_COMMAND_NON_REPO_SPANNER to:

SSH_COMMAND_NON_REPOSPANNER = ([
    "/usr/bin/%(cmd)s",
    "/srv/git/repositories/%(reponame)s",
], {"GL_USER": "%(username)s"})

There is also a Fedora example here:

https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/pagure/frontend/templates/pagure.cfg#n345

This should be better documented in the docs; the default is to always use gitolite3, which obviously doesn't work, and there's no mention in the docs about using this /usr/bin/%(cmd)s.

Anyway, with these modifications I was finally able to clone a repository using the pagure git auth backend.

This is probably not ready to go because we need documentation and a way to avoid changes to sshd_config(5) to make things work by default...

rebased onto dcd2ab7b155758fd0e4c37b583a146b583d45284

8 months ago

apart from the sshd_config thing, you need

HTTP_REPO_ACCESS_GITOLITE = None for http repo access too.

rebased onto 1b8eeb82aaeaae6f5797eb565b8c0292bae110e1

6 months ago

2 new commits added

  • Switch default Git auth backend to the 'pagure_authorized_keys' backend
  • doc: Update information about supported Git auth backends
6 months ago

rebased onto b0393e955a892f8bb5b0680beecf4c27223ec7b3

6 months ago

rebased onto d48ccadfab751e924a24ba6e43b5dfaa55db35a9

6 months ago

rebased onto c7d9837e82fe9a9a68d7b16d28756c670b089dc7

6 months ago

2 new commits added

  • Switch default Git auth backend to the 'pagure_authorized_keys' backend
  • doc: Update information about supported Git auth backends
6 months ago

2 new commits added

  • Switch default Git auth backend to the 'pagure_authorized_keys' backend
  • doc: Update information about supported Git auth backends
6 months ago

2 new commits added

  • Switch default Git auth backend to the 'pagure_authorized_keys' backend
  • doc: Update information about supported Git auth backends
6 months ago

rebased onto 0b4398be31b21982f5724fb2f3b8b506eccdd6d4

6 months ago

rebased onto 852ebe6

5 months ago

rebased onto 703837556b163d0de3c0c5bf4ed0e46983d8337f

5 months ago

rebased onto 17b8b05

5 months ago

WTF?

01:28:13  Failed tests:
01:28:13  FAILED test: py-test_pagure_flask_api_fork

rebased onto c0c0583

2 months ago

rebased onto 38770e4

2 months ago