From b2780b4b4feb6c45551e25a752da31fb67c98842 Mon Sep 17 00:00:00 2001 From: Neal Gompa Date: Nov 10 2023 18:08:23 +0000 Subject: Switch default Git auth backend to the 'pagure_authorized_keys' backend The Gitolite backend has turned into a rather difficult backend to support by default. Among other things, newer versions of Gitolite seem to have issues with parsing the configuration data generated by Pagure. Combined with the performance issues for larger setups and the complexity required to set up Pagure correctly with the Gitolite backend, it makes sense to switch the default backend to the simpler, internal one. Signed-off-by: Neal Gompa --- diff --git a/doc/configuration.rst b/doc/configuration.rst index e74d6a7..8ca2e63 100644 --- a/doc/configuration.rst +++ b/doc/configuration.rst @@ -255,7 +255,7 @@ By default pagure provides the following backends: - `pagure`: Pagure git auth implementation (using keyhelper.py and aclchecker.py) that is used via sshd AuthorizedKeysCommand - `pagure_authorized_keys`: Pagure git auth implementation that writes to authorized_keys file -Defaults to: ``gitolite3`` +Defaults to: ``pagure_authorized_keys`` .. note:: The option GITOLITE_BACKEND is the legacy name, and for backwards compatibility reasons will override this setting diff --git a/doc/install.rst b/doc/install.rst index a299d04..73d1c55 100644 --- a/doc/install.rst +++ b/doc/install.rst @@ -146,7 +146,7 @@ All these repositories are stored in different folders that must be created manually. For example you can place them under ``/srv/git/repositories/`` which would -make ``/srv/git`` the home of your gitolite user. +make ``/srv/git`` the home of your git user. You would then create the folders with: :: 
@@ -180,9 +180,9 @@ Adjust them for your needs * Give apache permission to read the repositories owned by the ``git`` user. For the sake of this document, we assume that the web application runs under -the ``git`` user, the same user as your gitolite user, but apache itself +the ``git`` user, the same user as your git user, but apache itself runs under the ``httpd`` (or ``apache2``) user. So by default, apache -will not be allowed to read git repositories created and managed by gitolite. +will not be allowed to read git repositories created and managed by pagure. To give apache this permission (required to make git clone via http work), we use file access control lists (aka FACL): @@ -192,7 +192,7 @@ we use file access control lists (aka FACL): setfacl -Rdm user:apache:rx /srv/git setfacl -Rm user:apache:rx /srv/git -Where ``/srv/git`` is the home of your gitolite user (which will thus need +Where ``/srv/git`` is the home of your git user (which will thus need to be adjusted for your configuration). @@ -272,7 +272,7 @@ pagure. If you installed by RPM, then enable and start the worker services :: - systemctl enable --now pagure_worker.service pagure_gitolite_worker.service + systemctl enable --now pagure_worker.service pagure_authorized_keys_worker.service Set up virus scanning diff --git a/files/pagure.cfg.sample b/files/pagure.cfg.sample index 26dff0d..5a6e1db 100644 --- a/files/pagure.cfg.sample +++ b/files/pagure.cfg.sample @@ -74,6 +74,13 @@ DOC_APP_URL = 'http://docs.localhost.localdomain' GIT_URL_SSH = 'ssh://git@localhost.localdomain/' GIT_URL_GIT = 'git://localhost.localdomain/' +### Folder containing the pagure user SSH authorized keys +SSH_FOLDER = os.path.join( + os.path.abspath(os.path.dirname(__file__)), + '..', + '.ssh' +) + ### Folder containing to the git repos GIT_FOLDER = os.path.join( os.path.abspath(os.path.dirname(__file__)), 
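Review bot: The SSH_FOLDER added to files/pagure.cfg.sample is resolved relative to the config file's own location (`os.path.dirname(__file__)` joined with `..` and `.ssh`), so a copy installed under a system config directory points at a `.ssh` folder next to it rather than at the `~/.ssh` of the git user whose authorized_keys sshd actually reads; the new default in pagure/default_config.py (`..`, `lcl`, `.ssh` under the package directory) has the same problem once the package is installed instead of run from a checkout. Because this file is what now gates SSH access under the new default backend, the sample should either point at the git user's home (doc/install.rst in this same commit uses `/srv/git`) or state that the value must be changed. I would add above the setting: `### Must be the .ssh directory of the user sshd authenticates git clients as (e.g. /srv/git/.ssh); sshd only reads authorized_keys from that user's home unless AuthorizedKeysFile is changed, and with StrictModes the directory and file must be owned by that user and not writable by others.` Whether pagure creates the folder or enforces those permissions itself is not visible in this diff.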
@@ -125,6 +132,15 @@ GL_BINDIR = None # SSH Information +### SSH commend for interacting with repositories +SSH_COMMAND_NON_REPOSPANNER = ( + [ + "/usr/bin/%(cmd)s", + os.path.join(GIT_FOLDER, "%(reponame)s"), + ], + {"GL_USER": "%(username)s"}, +) + ### The ssh certificates of the git server to be provided to the user ### /!\ format is important # SSH_KEYS = {'RSA': {'fingerprint': '', 'pubkey': ''}} diff --git a/files/pagure.spec b/files/pagure.spec index d11614a..cef000c 100644 --- a/files/pagure.spec +++ b/files/pagure.spec @@ -69,9 +69,6 @@ Requires: python%{python_pkgversion}-wtforms %{?systemd_requires} -# No dependency of the app per se, but required to make it working. -Requires: gitolite3 - %description Pagure is a light-weight git-centered forge based on pygit2. diff --git a/pagure/default_config.py b/pagure/default_config.py index 615293b..528aae8 100644 --- a/pagure/default_config.py +++ b/pagure/default_config.py @@ -152,6 +152,11 @@ DISABLE_REMOTE_PR = False # Folder where to place the ssh keys for the mirroring feature MIRROR_SSHKEYS_FOLDER = "/var/lib/pagure/sshkeys/" +# Folder containing the pagure user SSH authorized keys +SSH_FOLDER = os.path.join( + os.path.abspath(os.path.dirname(__file__)), "..", "lcl", ".ssh" +) + # Folder containing to the git repos # Note that this must be exactly the same as GL_REPO_BASE in gitolite.rc GIT_FOLDER = os.path.join( @@ -199,7 +204,7 @@ GITOLITE_KEYDIR = None # Backend for git auth decisions # This may be either a static helper (like gitolite based) or dynamic. -GIT_AUTH_BACKEND = "gitolite3" +GIT_AUTH_BACKEND = "pagure_authorized_keys" # Legacy option name for GIT_AUTH_BACKEND, retained for backwards compatibility # This option overrides GIT_AUTH_BACKEND 
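Review bot: The new SSH_COMMAND_NON_REPOSPANNER template in files/pagure.cfg.sample substitutes `%(cmd)s` directly into an executable path and `%(reponame)s` into a path under GIT_FOLDER, and the gitolite-shell that previously sat in front of git is gone, so access control and argument validation now rest entirely on the code that fills this template, which is not visible in this diff; the identical template in pagure/default_config.py (hunk at line 634) has the same property. A comment should make that dependency explicit so a later change to the filler does not silently widen what can be executed: `### Both placeholders are filled by the SSH entry point; it must restrict %(cmd)s to the git service commands it allows and %(reponame)s to an existing repository before this runs, since nothing in the spawned command enforces ACLs any more.` The added comment also has a typo: `### SSH commend for interacting with repositories` should read `### SSH command for interacting with repositories`.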
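Review bot: Changing the GIT_AUTH_BACKEND default in pagure/default_config.py (hunk at line 199) flips the behaviour of every deployment that relied on the old default without setting the option, while the same commit drops `Requires: gitolite3` from files/pagure.spec; an installation that still selects gitolite via the legacy GITOLITE_BACKEND override described in doc/configuration.rst no longer has gitolite3 pulled in for it, and one that set neither option will start writing an authorized_keys file at the new SSH_FOLDER default instead of regenerating the gitolite configuration. Neither the commit message nor the documentation changed here mentions this upgrade impact. I would extend the comment above the setting: `# Default changed from "gitolite3"; deployments that still need gitolite must set GIT_AUTH_BACKEND (or the legacy GITOLITE_BACKEND) explicitly and install gitolite3 themselves.` Keeping a weak `Recommends: gitolite3` in the spec for a transition release would also be worth considering.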
@@ -564,7 +569,7 @@ ALLOW_HTTP_PULL_PUSH = True # Whether to allow pushing via HTTP ALLOW_HTTP_PUSH = False # Path to Gitolite-shell if using that, None to use Git directly -HTTP_REPO_ACCESS_GITOLITE = "/usr/share/gitolite3/gitolite-shell" +HTTP_REPO_ACCESS_GITOLITE = None # repoSpanner integration settings # Path the the repoBridge binary @@ -634,12 +639,10 @@ SSH_COMMAND_REPOSPANNER = ( ) SSH_COMMAND_NON_REPOSPANNER = ( [ - "/usr/share/gitolite3/gitolite-shell", - "%(username)s", - "%(cmd)s", - "%(reponame)s", + "/usr/bin/%(cmd)s", + os.path.join(GIT_FOLDER, "%(reponame)s"), ], - {}, + {"GL_USER": "%(username)s"}, ) CSP_HEADERS = (