[AUTH] how make gerrit support restrict login account by iplist


唐木村
Aug 9, 2020, 11:21:16 PM
to Repo and Gerrit Discussion
Dear Gerrit maintainers,

We often need to give external users access to browse the Gerrit website, and we configure ACLs for these external users.
The ACL problem is that if an external user "gets" an internal user's username and password, the external user also gets the internal permissions.
I know it is NOT a Gerrit problem; it is the common account-leak problem.

BUT can Gerrit support binding an account to an IP list? Generally the external user also accesses Gerrit from an allowed IP list, so the IP is a constraining condition.
ALSO, is there any other method to restrict a login account by IP list?

For example, GitLab can support IP restrictions.

Marcus Tang

Nasser Grainawi
Aug 10, 2020, 5:59:33 PM
to 唐木村, Repo and Gerrit Discussion
I don’t know of any way to restrict access by IP in Gerrit’s ACLs. I would guess there are others interested in such a feature though. Create an issue? https://www.gerritcodereview.com/issues.html

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/8e275508-f346-4453-b13f-8d1cf4a87f87n%40googlegroups.com.

Luca Milanesio
Aug 10, 2020, 6:03:30 PM
to Repo and Gerrit Discussion, Luca Milanesio, 唐木村, Nasser Grainawi

> I don’t know of any way to restrict access by IP in Gerrit’s ACLs. I would guess there are others interested in such a feature though. Create an issue? https://www.gerritcodereview.com/issues.html

I did something similar by implementing a permission backend and using the incoming request HTTP headers to restrict the visibility.
I believe it could be done by using the source-ip also.

HTH

Luca.

Nasser Grainawi
Aug 10, 2020, 6:07:46 PM
to Luca Milanesio, Repo and Gerrit Discussion, 唐木村
> I did something similar by implementing a permission backend and using the incoming request HTTP headers to restrict the visibility.
> I believe it could be done by using the source-ip also.

That probably only works for HTTP(S) access though, correct? Could it be made to work for SSH too?

Luca Milanesio
Aug 10, 2020, 6:18:38 PM
to Nasser Grainawi, Luca Milanesio, Repo and Gerrit Discussion, 唐木村

> That probably only works for HTTP(S) access though, correct?

Correct, the virtual-hosting example at [1] uses the HOST header to restrict the visibility of the projects.

> Could it be made to work for SSH too?

I believe it should be possible, but not within the scope of [1]; for IP-based ACLs, yes.

Luca.

Martin Fick
Aug 11, 2020, 6:29:30 PM
to Nasser Grainawi, 唐木村, Repo and Gerrit Discussion, nasser=cod...@codeaurora.org

While potentially not very pretty, it may be possible to take advantage
of the RequestListener:

https://gerrit-review.googlesource.com/Documentation/dev-plugins.html#request-listener

from a plugin to detect the source IP and throw an exception when the
operation is not allowed,

-Martin

--
The Qualcomm Innovation Center, Inc. is a member of Code
Aurora Forum, hosted by The Linux Foundation
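An added example, not code from the thread, from Gerrit, or from any existing plugin: the decision logic an account-to-IP binding would need, written in Python for illustration (a real plugin would wire it behind Gerrit's Java RequestListener or permission-backend hook as Luca and Martin describe). It covers the two points a practitioner has to get right: the SSH path has only the TCP peer address, while the HTTP path usually arrives through a reverse proxy, so X-Forwarded-For must be honoured only when the direct peer is a trusted proxy, otherwise an external user can spoof an internal address in the header. The policy map, the trusted-proxy range and the sample addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed sample policy (not from the thread): account username -> source
# networks it may log in from. Accounts absent from the map are not IP-bound.
SAMPLE_POLICY: Dict[str, List[str]] = {
    "ext-vendor-a": ["203.0.113.0/24"],
    "ext-vendor-b": ["198.51.100.10/32", "2001:db8:1::/48"],
}

# Assumption: Gerrit's HTTP listener sits behind reverse proxies in this range,
# so X-Forwarded-For is honoured only when the direct TCP peer is one of them.
TRUSTED_PROXIES: List[str] = ["10.0.0.0/8"]


def _networks(cidrs: Iterable[str]) -> list:
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def _normalize(raw: str):
    """Parse an address string; fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4
    so an IPv4 rule still matches a client seen through a dual-stack socket.
    Returns None when the string is not an address (fail closed upstream)."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


class AccountIpAllowlist:
    def __init__(self, policy: Dict[str, List[str]], trusted_proxies: List[str]):
        self.policy = {user: _networks(nets) for user, nets in policy.items()}
        self.trusted_proxies = _networks(trusted_proxies)

    @staticmethod
    def _in_any(ip, nets) -> bool:
        # ipaddress returns False for a version mismatch, so mixed lists are safe.
        return any(ip in net for net in nets)

    def client_address(self, peer: str, forwarded_for: Optional[str] = None):
        """Effective client IP for one request.

        SSH carries no proxy header, so the peer is the client. For HTTP the
        X-Forwarded-For chain is trusted only if the peer is a trusted proxy;
        walk it from the right and take the first hop that is not a trusted
        proxy (a client can prepend entries but cannot remove what the proxy
        appended). A malformed chain yields None so the caller denies."""
        peer_ip = _normalize(peer)
        if peer_ip is None:
            return None
        if not forwarded_for or not self._in_any(peer_ip, self.trusted_proxies):
            return peer_ip
        hops = [h for h in forwarded_for.split(",") if h.strip()]
        for hop in reversed(hops):
            ip = _normalize(hop)
            if ip is None:
                return None
            if not self._in_any(ip, self.trusted_proxies):
                return ip
        # Every hop was a trusted proxy: the request originated inside the proxy tier.
        return peer_ip

    def allowed(self, username: str, peer: str, forwarded_for: Optional[str] = None) -> bool:
        """True if the account may proceed from this source. Unbound accounts pass;
        bound accounts pass only when the effective client IP matches a listed network."""
        nets = self.policy.get(username)
        if nets is None:
            return True
        ip = self.client_address(peer, forwarded_for)
        return ip is not None and self._in_any(ip, nets)


if __name__ == "__main__":
    acl = AccountIpAllowlist(SAMPLE_POLICY, TRUSTED_PROXIES)
    print("ssh from vendor range:", acl.allowed("ext-vendor-a", "203.0.113.7"))
    print("http via proxy:", acl.allowed("ext-vendor-a", "10.1.2.3", "203.0.113.7"))
    print("spoofed XFF, untrusted peer:", acl.allowed("ext-vendor-a", "192.0.2.5", "203.0.113.7"))
```

Two design choices matter for the threat in the original post. First, the check keys on the authenticated account, not on the credential, so a leaked internal password used from an external vendor address is refused even though authentication succeeded. Second, a malformed or absent client address denies rather than falling back to the proxy address, since the proxy tier itself is typically inside the internal range and would otherwise satisfy any internal allowlist.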

唐木村
Dec 1, 2020, 9:16:34 AM
to Repo and Gerrit Discussion
@MartinFick

Great idea!
But, as you know, does this kind of plugin already exist on the official Gerrit plugin site?
Or is there any example code for this feature? Thanks a lot.