Gitweb in 2.5 missing?

[Steffen Gebert]

Hi,

after installing Gerrit 2.5rc0, all the links to gitweb end up with Not Found.

When installing 2.4.2 in the same way, everything works.

Am I missing sth. or is there a new bug? Couldn't find anything in the logs (like extracting it to a plugin etc.)

Yours
Steffen

[Luca Milanesio]

Hi,
I came into the same problem yesterday ... but the problem is actually different :-)

This is due to a change on the level of security applied by GitServlet: now the GitWeb makes sure that the user has full access to ALL branches (refs/meta/config included) otherwise it returns a 404.
The problem is: repo owner and gerrit administrator has implicit access to refs/meta/config ... and thus an extra bit is need on the if() checking permissions.

I will push a fix on the master later today for review.

Luca.

> --
> To unsubscribe, email repo-discuss...@googlegroups.com
> More info at http://groups.google.com/group/repo-discuss?hl=en

[Luca Milanesio]

The fix is here:
https://gerrit-review.googlesource.com/#/c/37682/

@Edwin: as this impacts the stable-2.5, is it possible, if the fix is approved, to merge it to the stable-2.5 branch as well ?

Luca.

[Edwin Kempin]

2012/9/7 Luca Milanesio <luca.mi...@gmail.com>

The fix is here:
https://gerrit-review.googlesource.com/#/c/37682/

@Edwin: as this impacts the stable-2.5, is it possible, if the fix is approved, to merge it to the stable-2.5 branch as well ?

Done [1]. Luca, thanks for fixing this!

[1] https://gerrit-review.googlesource.com/37741
 

[Tomas Hellberg]

I have this problem in 2.5.1. The only work-around I have found is to give all users OWNER permissions, and I really do not want that.

What's the status on this issue? Should it be fixed in 2.5.1? If that is the case, what might I have misconfigured to experience this problem?

/Tomas

[Shawn Pearce]

Did you try granting Read on refs/* ? That is the rule that should
grant gitweb access.

[Tomas Hellberg]

Did you try granting Read on refs/* ? That is the rule that should
grant gitweb access.

Yes, I have tried with Read:ALLOW for refs/* but that does nothing for me. Even Owner:ALLOW for refs/* for a custom group does nothing. The only setting I have found that works for me is Owner:ALLOW for the built-in groups Registered Users and Anonymous Users.

 

[Tomas Hellberg]

Did you try granting Read on refs/* ? That is the rule that should
grant gitweb access.

Shawn, I have found a workaround for this problem:

If I grant Read:ALLOW for refs/meta/config to a group, then the members of that group can access Gitweb. So at least in my case, Read:ALLOW on refs/* is not enough for some weird reason.

 

[Shawn Pearce]

Does a parent project (e.g. All-Projects) have some sort of exclusive
entry for refs/meta/config?

[Tomas Hellberg]

Does a parent project (e.g. All-Projects) have some sort of exclusive
entry for refs/meta/config?

 

Yes, you are correct. All-Projects have Read:ALLOW for refs/meta/config for "Project Owners". Is that not the default setting for All-Projects?

[valenti...@gmx.de]

Hi,

I have hit this bug too on 2.5.2. I have one administrator account and two users. The admin is the only one who can view gitweb. I have tried giving Read:ALLOW for refs/meta/config to the group of the users but this does not solve my problem. Also the 404 is the only error I get, there is nothing on the console.

V-

[valenti...@gmx.de]

On Tuesday, March 26, 2013 10:11:14 AM UTC+1, valenti...@gmx.de wrote:

Hi,

I have hit this bug too on 2.5.2. I have one administrator account and two users. The admin is the only one who can view gitweb. I have tried giving Read:ALLOW for refs/meta/config to the group of the users but this does not solve my problem. Also the 404 is the only error I get, there is nothing on the console.

FYI: here is the complete config of my current projects:

 $ for i in $(ls); do echo $i ; cd $i ;  git show refs/meta/config:project.config ; cd .. ; done
All-Projects.git
[project]
        description = Rights inherited by all other projects
        state = active
[capability]
        administrateServer = group Administrators
        administrateServer = group ldap/Administrators
Wizards-Castle.git
[access]
        inheritFrom = YellowBrickRoad
[project]
        state = active
        description = The Wizard's castle. Only accessible to Oz-admin group.
[submit]
        action = fast forward only
[access "refs/*"]
        read = deny group ldap/Oz
YellowBrickRoad.git
[access]
        inheritFrom = All-Projects
[project]
        state = active
        description = One of the projects in Oz. Administered by the OZ-admin group.
[submit]
        action = fast forward only
[access "refs/heads/*"]
        read = group ldap/Oz
        create = group ldap/Oz
        push = group ldap/Oz
        pushMerge = group ldap/Oz
        owner = group ldap/Oz-admin
        forgeAuthor = group ldap/Oz
        forgeCommitter = group ldap/Oz
[access "refs/tags/*"]
        pushTag = group ldap/Oz
[access "refs/*"]
        owner = group ldap/Oz-admin
[access "refs/meta/config"]
        read = group ldap/Oz

[Olivier Croquette]

On Tuesday, May 14, 2013 3:37:27 PM UTC+2, Jonas Bang wrote:

Using Gerrit 2.5.2. I also had issues with this.

This solved it for me:

Add Read:ALLOW on refs/* for the group which needs gitweb access

Remove the "Exclusive" for "Project Owners" on Read:ALLOW for refs/meta/config

I am using Gerrit 2.6.1 and I hit the same problem.
Jonas solution worked for me (thanks for sharing it).

This problem is not easy to troubleshoot because there is not indication in the log files about the cause of the 404.

Shall I open a bug report ?

Olivier

[Shawn Pearce]

No, it works as designed. :-)

gitweb can't do branch restrictions so it is disabled for users that
don't have read on refs/*. The exclusive read for project owners on
refs/meta/config is the safest configuration out of the box, as
refs/meta/config contains the access controls for each project.

Maybe this needs to be addressed in the config-gitweb documentation or
common errors pages.

[Bassem Rabil]

Does this permission scheme applied to cgit as well ? Or in cgit it is dependent on the web server user permission to the repository file system ?

Thanks and Regards

Bassem Guendy

[Shawn Pearce]

On Thu, Nov 28, 2013 at 10:07 AM, Bassem Rabil
<bassem.ra...@ericsson.com> wrote:
> Does this permission scheme applied to cgit as well ? Or in cgit it is
> dependent on the web server user permission to the repository file system ?

It only applies to gitweb managed by Gerrit.

cgit is run outside of Gerrit, so the permissions do not apply there.
For some installations this could be a concern that cgit bypasses
Gerrit read ACLs, for others it may be a non-issue. gitweb can also be
configured to run outside of Gerrit[1].

[1] https://gerrit-documentation.storage.googleapis.com/Documentation/2.7/config-gitweb.html#_external_unmanaged_gitweb

> Thanks and Regards
> Bassem Guendy
>
> On Thursday, November 28, 2013 12:09:11 PM UTC-5, Shawn Pearce wrote:
>>
>> On Thu, Nov 28, 2013 at 2:49 AM, Olivier Croquette <ocroq...@free.fr>
>> wrote:
>> > On Tuesday, May 14, 2013 3:37:27 PM UTC+2, Jonas Bang wrote:
>> >>
>> >> Using Gerrit 2.5.2. I also had issues with this.
>> >>
>> >> This solved it for me:
>> >> Add Read:ALLOW on refs/* for the group which needs gitweb access
>> >> Remove the "Exclusive" for "Project Owners" on Read:ALLOW for
>> >> refs/meta/config
>> >
>> >
>> > I am using Gerrit 2.6.1 and I hit the same problem.
>> > Jonas solution worked for me (thanks for sharing it).
>> >
>> > This problem is not easy to troubleshoot because there is not indication
>> > in
>> > the log files about the cause of the 404.
>> >
>> > Shall I open a bug report ?
>>
>> No, it works as designed. :-)
>>
>> gitweb can't do branch restrictions so it is disabled for users that
>> don't have read on refs/*. The exclusive read for project owners on
>> refs/meta/config is the safest configuration out of the box, as
>> refs/meta/config contains the access controls for each project.
>>
>> Maybe this needs to be addressed in the config-gitweb documentation or
>> common errors pages.
>

> --

> --
> To unsubscribe, email repo-discuss...@googlegroups.com
> More info at http://groups.google.com/group/repo-discuss?hl=en
>

> ---
> You received this message because you are subscribed to the Google Groups
> "Repo and Gerrit Discussion" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to repo-discuss...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.

[Bassem Rabil]

Thanks Shawn, this has clarified it to me.

[Bassem Rabil]

For gitweb links when the user is not logged, you get error 404 from Tomcat. We tried to redirect this 404 error page to Gerrit login page using web.xml in tomcat, and it didn't work.

Is there a known workaround to redirect error pages for gitweb to Gerrit login page instead ?

Thanks and Regards

Bassem Guendy

[Vadim Dvorkin]

I tried to configure gitweb for gerrit 2.7 and 2.8. Only this solution produces good results. Unfortunately, all access configurations are visible to everybody who has Read:ALLOW on refs/*.

As I understand, it will be correct to replace in https://gerrit-documentation.storage.googleapis.com/Documentation/2.7/config-gitweb.html#_internal_managed_gitweb
"
Access Control
Access controls for internally managed gitweb page views are enforced using the standard project READ +1 permission.
"
"READ +1" by  "Read:ALLOW on refs/*"

--Vadim