pagure

Clone

#4731 Switch default Git auth backend to the internal 'pagure_authorized_keys' backend
Opened 3 years ago by ngompa. Modified 2 years ago
ngompa/pagure switch-default-git-backend  into  master

Merge
file modified
+1 -1 
@@ -255,7 +255,7 @@ 
 

  - `pagure`: Pagure git auth implementation (using keyhelper.py and aclchecker.py) that is used via sshd AuthorizedKeysCommand
 

  - `pagure_authorized_keys`: Pagure git auth implementation that writes to authorized_keys file
 

  

- Defaults to: ``gitolite3``
 

+ Defaults to: ``pagure_authorized_keys``
 

  

  .. note:: The option GITOLITE_BACKEND is the legacy name, and for backwards compatibility reasons will override this setting

file modified
+5 -5 
@@ -146,7 +146,7 @@ 
 

  created manually.
 

  

  For example you can place them under ``/srv/git/repositories/`` which would
 

- make ``/srv/git`` the home of your gitolite user.
 

+ make ``/srv/git`` the home of your git user.
 

  

  You would then create the folders with:
 

  ::
 
@@ -180,9 +180,9 @@ 
 

  * Give apache permission to read the repositories owned by the ``git`` user.
 

  

  For the sake of this document, we assume that the web application runs under
 

- the ``git`` user, the same user as your gitolite user, but apache itself
 

+ the ``git`` user, the same user as your git user, but apache itself
 

  runs under the ``httpd`` (or ``apache2``) user. So by default, apache
 

- will not be allowed to read git repositories created and managed by gitolite.
 

+ will not be allowed to read git repositories created and managed by pagure.
 

  

  To give apache this permission (required to make git clone via http work),
 

  we use file access control lists (aka FACL):
 
@@ -192,7 +192,7 @@ 
 

      setfacl -Rdm user:apache:rx /srv/git
 

      setfacl -Rm user:apache:rx /srv/git
 

  

- Where ``/srv/git`` is the home of your gitolite user (which will thus need
 

+ Where ``/srv/git`` is the home of your git user (which will thus need
 

  to be adjusted for your configuration).
 

  

  
@@ -272,7 +272,7 @@ 
 

  If you installed by RPM, then enable and start the worker services
 

  ::
 

  

-         systemctl enable --now pagure_worker.service pagure_gitolite_worker.service
 

+         systemctl enable --now pagure_worker.service pagure_authorized_keys_worker.service
 

          

  

  Set up virus scanning

file modified
+16 
@@ -74,6 +74,13 @@ 
 

  GIT_URL_SSH = 'ssh://git@localhost.localdomain/'
 

  GIT_URL_GIT = 'git://localhost.localdomain/'
 

  

+ ### Folder containing the pagure user SSH authorized keys
 

+ SSH_FOLDER = os.path.join(
 

+     os.path.abspath(os.path.dirname(__file__)),
 

+     '..',
 

+     '.ssh'
 

+ )
 

+ 

  ### Folder containing to the git repos
 

  GIT_FOLDER = os.path.join(
 

      os.path.abspath(os.path.dirname(__file__)),
 
@@ -125,6 +132,15 @@ 
 

  

  # SSH Information
 

  

+ ### SSH commend for interacting with repositories
 

+ SSH_COMMAND_NON_REPOSPANNER = (
 

+     [
 

+         "/usr/bin/%(cmd)s",
 

+         os.path.join(GIT_FOLDER, "%(reponame)s"),
 

+     ],
 

+     {"GL_USER": "%(username)s"},
 

+ )
 

+ 

  ### The ssh certificates of the git server to be provided to the user
 

  ### /!\ format is important
 

  # SSH_KEYS = {'RSA': {'fingerprint': '<foo>', 'pubkey': '<bar>'}}

file modified
-3 
@@ -81,9 +81,6 @@ 
 

  

  %{?systemd_requires}
 

  

- # No dependency of the app per se, but required to make it working.
 

- Requires:           gitolite3
 

- 

  %description
 

  Pagure is a light-weight git-centered forge based on pygit2.

file modified
+10 -7 
@@ -142,6 +142,11 @@ 
 

  # Folder where to place the ssh keys for the mirroring feature
 

  MIRROR_SSHKEYS_FOLDER = "/var/lib/pagure/sshkeys/"
 

  

+ # Folder containing the pagure user SSH authorized keys
 

+ SSH_FOLDER = os.path.join(
 

+     os.path.abspath(os.path.dirname(__file__)), "..", "lcl", ".ssh"
 

+ )
 

+ 

  # Folder containing to the git repos
 

  # Note that this must be exactly the same as GL_REPO_BASE in gitolite.rc
 

  GIT_FOLDER = os.path.join(
 
@@ -189,7 +194,7 @@ 
 

  

  # Backend for git auth decisions
 

  # This may be either a static helper (like gitolite based) or dynamic.
 

- GIT_AUTH_BACKEND = "gitolite3"
 

+ GIT_AUTH_BACKEND = "pagure_authorized_keys"
 

  

  # Legacy option name for GIT_AUTH_BACKEND, retained for backwards compatibility
 

  # This option overrides GIT_AUTH_BACKEND
 
@@ -551,7 +556,7 @@ 
 

  # Whether to allow pushing via HTTP
 

  ALLOW_HTTP_PUSH = False
 

  # Path to Gitolite-shell if using that, None to use Git directly
 

- HTTP_REPO_ACCESS_GITOLITE = "/usr/share/gitolite3/gitolite-shell"
 

+ HTTP_REPO_ACCESS_GITOLITE = None
 

  

  # repoSpanner integration settings
 

  # Path the the repoBridge binary
 
@@ -621,12 +626,10 @@ 
 

  )
 

  SSH_COMMAND_NON_REPOSPANNER = (
 

      [
 

-         "/usr/share/gitolite3/gitolite-shell",
 

-         "%(username)s",
 

-         "%(cmd)s",
 

-         "%(reponame)s",
 

+         "/usr/bin/%(cmd)s",
 

+         os.path.join(GIT_FOLDER, "%(reponame)s"),
 

      ],
 

-     {},
 

+     {"GL_USER": "%(username)s"},
 

  )
 

  

  CSP_HEADERS = (

The Gitolite backend has turned into a rather difficult backend to support
by default. Among other things, newer versions of Gitolite seem to have
issues with parsing the configuration data generated by Pagure.

Combined with the performance issues for larger setups and the complexity
required to set up Pagure correctly with the Gitolite backend, it makes
sense to switch the default backend to the simpler, internal one.

Signed-off-by: Neal Gompa ngompa13@gmail.com

@pingou I don't know when we want to make this change, but I'm getting frustrated by gitolite becoming randomly broken on top of the poor performance.

Issues like #3971 are now commonplace for me on both Mageia and openSUSE, especially since openSUSE Leap 15.1 and newer are afflicted with the problem.

I'm obviously okay with us fixing #3971 for 5.9, but for 6.0, we should just change the default.

Thanks for this. As someone impacted by the bug mentioned in #3971, I think this makes sense. Unfortunately, though, this patch won't work out of the box as is. As you know, I spent several hours trying to get the pagure git auth working (with your help as well; thank you for that), so I thought it'd be a good idea to comment here and explain what you need to do in order to get things up and running.

  • You will need to set AuthorizedKeysCommand and AuthorizedKeysCommandUser on /etc/sshd/sshd_config. Currently the documentation doesn't mention anything about it. There is a Fedora configuration example here:

https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/basessh/templates/sshd_config#n46

  • You will need to set SSH_KEYS_USERNAME_EXPECT on pagure.cfg.

  • You will also need to set SSH_COMMAND_NON_REPO_SPANNER to:

SSH_COMMAND_NON_REPOSPANNER = ([
    "/usr/bin/%(cmd)s",
    "/srv/git/repositories/%(reponame)s",
], {"GL_USER": "%(username)s"})

There is also a Fedora example here:

https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/pagure/frontend/templates/pagure.cfg#n345

This should be better documented in the docs; the default is to always use gitolite3, which obviously doesn't work, and there's no mention in the docs about using this /usr/bin/%(cmd)s.

Anyway, with these modifications I was finally able to clone a repository using the pagure git auth backend.
Edited 3 years ago by sergiodj

This is probably not ready to go because we need documentation and a way to avoid changes to sshd_config(5) to make things work by default...

rebased onto dcd2ab7b155758fd0e4c37b583a146b583d45284
3 years ago

apart from the sshd_config thing, you need

HTTP_REPO_ACCESS_GITOLITE = None for http repo access too.

rebased onto 1b8eeb82aaeaae6f5797eb565b8c0292bae110e1
3 years ago

2 new commits added

  • Switch default Git auth backend to the 'pagure_authorized_keys' backend
  • doc: Update information about supported Git auth backends
3 years ago

rebased onto b0393e955a892f8bb5b0680beecf4c27223ec7b3
3 years ago

rebased onto d48ccadfab751e924a24ba6e43b5dfaa55db35a9
3 years ago

rebased onto c7d9837e82fe9a9a68d7b16d28756c670b089dc7
3 years ago

2 new commits added

  • Switch default Git auth backend to the 'pagure_authorized_keys' backend
  • doc: Update information about supported Git auth backends
3 years ago

2 new commits added

  • Switch default Git auth backend to the 'pagure_authorized_keys' backend
  • doc: Update information about supported Git auth backends
3 years ago

2 new commits added

  • Switch default Git auth backend to the 'pagure_authorized_keys' backend
  • doc: Update information about supported Git auth backends
3 years ago

rebased onto 0b4398be31b21982f5724fb2f3b8b506eccdd6d4
3 years ago

rebased onto 852ebe6
3 years ago

rebased onto 703837556b163d0de3c0c5bf4ed0e46983d8337f
3 years ago

rebased onto 17b8b05484f27d49f69ddc0b649bc5d34b3903b3
3 years ago

WTF?

01:28:13  Failed tests:
01:28:13  FAILED test: py-test_pagure_flask_api_fork

rebased onto c0c0583712b07e1bb3a98566ec2fb9f68e6905a1
2 years ago

rebased onto 38770e4
2 years ago
Metadata
None
No Tags
Flags
jenkins
failure
Build #3695 failed (commit: 38770e40)
2 years ago
jenkins
failure
Build #3694 failed (commit: 38770e40)
2 years ago
jenkins
failure
Build #3451 failed (commit: 17b8b054)
3 years ago
jenkins
success (100%)
Build #3372 successful (commit: 70383755)
3 years ago
jenkins
success (100%)
Build #3370 successful (commit: 70383755)
3 years ago
jenkins
success (100%)
Build #3365 successful (commit: 8d3ce9f3)
3 years ago
jenkins
success (100%)
Build #3362 successful (commit: 8d3ce9f3)
3 years ago
jenkins
success (100%)
Build #3357 successful (commit: 8d3ce9f3)
3 years ago
jenkins
success (100%)
Build #3360 successful (commit: 8d3ce9f3)
3 years ago
jenkins
success (100%)
Build #3166 successful (commit: dcd2ab7b)
3 years ago
jenkins
success (100%)
Build #3138 successful (commit: 02e2ee8c)
3 years ago
Changes Summary 5
+1 -1
file changed
doc/configuration.rst
+5 -5
file changed
doc/install.rst
+16 -0
file changed
files/pagure.cfg.sample
+0 -3
file changed
files/pagure.spec
+10 -7
file changed
pagure/default_config.py
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.