can gitolite work without users ssh keys for authorization

[亡魂溺海] Submitted on 2019-11-30 16:21:51

Question


My organization finds that adding 150 users' pub keys for one single repo to gitolite is a huge task, and administering it would require additional resources. We have around 20 repos of this kind. Is there any other option besides adding users' ssh keys for authorization? We are using the http protocol to access the git repos. Thanks


Answer 1:


"https access" means you can authenticate through LDAP.

That also means you can configure gitolite to query the ldap group of the user:

Gitolite's groups are pretty convenient, but some organizations already have similar (or sufficient) information in their LDAP store.

Gitolite can tap into that information, with a little help.
Write a program which, given a username, queries your LDAP store and returns a space-separated list of groups that the user is a member of.
Then put the full path to this program in an rc variable called GROUPLIST_PGM, like so:

GROUPLIST_PGM           =>  '/home/git/bin/ldap-query-groups',

Now you can use those groupnames in access rules in gitolite, because the user is a member of those groups as well as any normal gitolite groups you may have added him to in the conf file.

Caution: your program must do its own logging if you want the audit trail of "why/how did this user get access to this repo at this time?" to resolve properly. Gitolite does not do any logging of the results of the queries because for people who don't need it that would be a huge waste.


My own script:

#!/bin/bash
# GROUPLIST_PGM: gitolite calls this with the username as $1 and expects a
# space-separated list of group names on stdout (nothing if unknown).
export H="/path/to/home"
aluser="${1}"
if [[ "${aluser}" == "" ]] ; then exit 0 ; fi
# The username is used to build a file path below, so refuse anything that
# could escape the cache directory (e.g. "../").
if [[ ! "${aluser}" =~ ^[A-Za-z0-9._-]+$ ]] ; then exit 0 ; fi
# Per-user cache of the group list, plus a per-user log for the audit trail
# (gitolite itself does not log GROUPLIST_PGM results).
afuser="${H}/gitolite/ldap/${aluser}"
afuserl="${afuser}.log"
# Company accounts are numeric; only those are looked up in LDAP, and only
# once: the cache file is never refreshed, so delete it to pick up group changes.
if [[ "${aluser}" =~ ^[0-9]+$ && ! -e "${afuser}" ]] ; then
  echo "Potential Company user, checking group..." >> "${afuserl}"
  # A bind password given with -w shows up in the process list; prefer -y <passwordfile>.
  l=$(ldapsearch -H ldaps://ldap.server:1234 -x -D "CN=abcd,OU=Accounts,DC=company" -w xxxx -b "OU=People,DC=company" -s sub -a always -z 1000 "(cn~=${aluser})" "memberof" | grep -i "memberof")
  echo "LDAP='${l}'" >> "${afuserl}"
  if [[ "${l#*CN=}" != "${l}" ]] ; then
    names=""
    # Each memberOf line is a group DN; keep only its CN component.
    while read -r line; do
      if [[ "${line#*CN=}" != "${line}" ]] ; then
        aname="${line#*CN=}"
        aname="${aname%%,*}"
        if [[ "${names}" != "" ]] ; then names="${names} " ; fi
        names="${names}${aname}"
      fi
    done <<< "${l}"
    echo "${names}" >> "${afuser}"
  fi
fi
if [[ -e "${afuser}" ]]; then
  echo "REMOTE_USER_GROUPS='$(cat "${afuser}")' for user '${aluser}'" >> "${afuserl}"
  cat "${afuser}"
fi

No need for any more ssh keys!
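A hardened version of the same approach, added here as an example and not part of the answer above or of gitolite's own code: a GROUPLIST_PGM in POSIX sh that escapes the username before it goes into the LDAP filter, parses the LDIF that ldapsearch -LLL prints (folded lines, commas escaped inside the CN) and maps each group CN to a name gitolite will accept. The LDAP URI, bind DN, password file, base DN, log path and the use of an exact match on cn are assumptions; the sample LDIF at the bottom is constructed so the parsing can be checked offline without a directory.

```shell
#!/bin/sh
# Added example, not the answerer's script: a gitolite GROUPLIST_PGM in POSIX sh.
# gitolite runs it as "<program> <username>" and reads a space-separated group
# list from stdout. Everything marked "assumption" is not from the page.
set -u

LDAP_URI="ldaps://ldap.example.com"           # assumption
BIND_DN="CN=gitolite,OU=Accounts,DC=example"   # assumption
PASS_FILE="/home/git/.ldap-pass"              # assumption: mode 0600, holds the bind password (keeps it out of ps)
BASE_DN="OU=People,DC=example"                # assumption
LOG="/home/git/ldap-groups.log"               # assumption

# RFC 4515 escaping for a value placed inside a search filter, so that a
# username like 'a)(cn=*' cannot widen the query to other accounts.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Parse ldapsearch -LLL output (LDIF) on stdin into "group1 group2 ...".
# Handles folded continuation lines and commas escaped inside the CN; base64
# values ("memberOf:: ...") are skipped, add a decode step if your DNs need it.
# Characters gitolite would not accept in a group name are replaced by '_'.
groups_from_ldif() {
  awk '
    /^ / { buf = buf substr($0, 2); next }   # continuation of the previous line
    { flush(); buf = $0 }
    END { flush(); print out }
    function flush(   val, cn, i, c) {
      if (buf != "" && tolower(buf) ~ /^memberof: /) {
        val = substr(buf, index(buf, ":") + 2)
        if (tolower(substr(val, 1, 3)) == "cn=") {
          cn = ""
          for (i = 4; i <= length(val); i++) {
            c = substr(val, i, 1)
            if (c == "\\") { i++; cn = cn substr(val, i, 1); continue }  # escaped char
            if (c == ",") break                                          # end of the CN RDN
            cn = cn c
          }
          gsub(/[^A-Za-z0-9._-]/, "_", cn)
          out = out (out == "" ? "" : " ") cn
        }
      }
      buf = ""
    }'
}

# The only part that talks to the directory. Exact match on cn rather than
# the approximate match (cn~=) of the original script, which can hit several entries.
ldap_memberof_ldif() {
  ldapsearch -LLL -H "$LDAP_URI" -x -D "$BIND_DN" -y "$PASS_FILE" \
    -b "$BASE_DN" -s sub "(cn=$(ldap_filter_escape "$1"))" memberOf
}

grouplist_pgm() {
  user="$1"
  # Refuse anything that is not a plausible account name before it reaches the filter.
  case "$user" in
    ''|*[!A-Za-z0-9._-]*) return 0 ;;
  esac
  groups=$(ldap_memberof_ldif "$user" | groups_from_ldif)
  # gitolite does not log GROUPLIST_PGM results, so write the audit line here.
  printf '%s user=%s groups=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$user" "$groups" >> "$LOG"
  printf '%s\n' "$groups"
}

# Constructed sample of ldapsearch -LLL output (not real directory data): one
# folded line, one CN with an escaped comma, one CN with filter metacharacters.
SAMPLE_LDIF='dn: CN=1234,OU=People,DC=example
memberOf: CN=git-users,OU=Groups,DC=example
memberOf: CN=Repo Admins\, EU,OU=Groups,DC=exam
 ple
memberOf: CN=a)(b,OU=Groups,DC=example'

[ $# -eq 0 ] || grouplist_pgm "$1"   # gitolite passes the username as the only argument
```

Point GROUPLIST_PGM in ~/.gitolite.rc at this file and the sanitized CNs can then be used in conf/gitolite.conf exactly like groups defined there, e.g. `RW+ = @git-users`. The per-user cache of the original script is dropped on purpose: a lookup per access call is cheap, and a cache that never expires keeps granting access after someone is removed from a group.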



Source: https://stackoverflow.com/questions/19111952/can-gitolite-work-without-users-ssh-keys-for-authorization
