Two gerrit instances with different user accesses


Mattias Vannergård

Apr 24, 2015, 3:26:15 PM
to repo-d...@googlegroups.com
Hi!

I have been using gerrit with LDAP as authentication. Now I need two groups to have access to two parts of the git-server.

I have started to add some people to group1 in the LDAP and some people to group2 in the LDAP.

I have installed two instances of gerrit, gerrit1 and gerrit2, working with gitrepo-basePath1 and gitrepo-basePath2 separately, and they run fine with LDAP, but all people still have access to both gerrit1 and gerrit2.

How do I configure gerrit so that only people in group1 get access to gerrit1 and people in group2 get access to gerrit2?

I guess I have to switch to HTTP_LDAP to be able to stop people in group1 from reading stuff in gerrit2/gitRepo2.

Or should it be done in some other way outside of gerrit?

BR
/Mattias

Lawrence

Apr 24, 2015, 3:42:41 PM
to repo-d...@googlegroups.com
By default, Anonymous (users not logged in) have read access to all repos. You can disable that by removing Anonymous Read access on refs/* in All-Projects.
Then either only allow one group to log in (perhaps through ldap.accountBase), or allow both groups to log in, but only give one group read access.

Another way is to use one gerrit instance, only allowing group1 to access projects1 and group2 to access projects2.
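
The change described in the reply above, as an added example that is not part of the thread: a Python check that reads a Gerrit project.config (the access rules kept in refs/meta/config) and lists every read grant to a group outside an allow-list. Both sample files, the function name and the group name ldap/group2 are constructed assumptions.

```python
import re

# Constructed sample: All-Projects project.config with the default the thread
# mentions, Anonymous Users allowed to read every ref.
BEFORE = """\
[access "refs/*"]
    read = group Administrators
    read = group Anonymous Users
[access "refs/heads/*"]
    push = group Registered Users
"""

# Constructed sample: the same file for the second instance after the change,
# with read granted only to one LDAP group (ldap/group2 is an assumed name).
AFTER = """\
[access "refs/*"]
    read = group Administrators
    read = group ldap/group2
[access "refs/heads/*"]
    push = group Registered Users
"""

SECTION = re.compile(r'^\[access\s+"(?P<ref>[^"]+)"\]\s*$')
RULE = re.compile(r'^(?P<perm>[\w-]+)\s*=\s*(?P<action>deny\s+|block\s+)?group\s+(?P<group>.+?)\s*$')

def unexpected_read_grants(config_text, allowed_groups):
    """Return (ref, group) for each allow rule on read whose group is not allowed."""
    findings, ref = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            m = SECTION.match(line)
            ref = m.group("ref") if m else None  # skip non-access sections
            continue
        m = RULE.match(line)
        if ref is None or not m or m.group("perm").lower() != "read":
            continue
        if m.group("action"):  # deny/block rules do not grant access
            continue
        if m.group("group") not in allowed_groups:
            findings.append((ref, m.group("group")))
    return findings

if __name__ == "__main__":
    allowed = {"Administrators", "ldap/group2"}
    print("before:", unexpected_read_grants(BEFORE, allowed))
    print("after: ", unexpected_read_grants(AFTER, allowed))
```

Leaving Registered Users off the allow-list is deliberate: when both LDAP groups can log in to the instance, a read grant to Registered Users reaches group1 as well.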

Magnus Bäck

Apr 27, 2015, 2:22:40 AM
to Mattias Vannergård, repo-d...@googlegroups.com
On Friday, April 24, 2015 at 21:26 CEST,
Gerrit supports per-project and per-branch read permissions. Is there
any particular reason why you want to run two Gerrit instances in the
first place?

--
Magnus Bäck | Software Engineer, Development Tools
magnu...@sonymobile.com | Sony Mobile Communications

Mattias Vannergård

Apr 27, 2015, 3:17:48 AM
to repo-d...@googlegroups.com, mattias.v...@gmail.com
The git-repositories shall be physically separated. Is it possible to connect one gerrit instance to two physically separated locations?
I also want different ports to enter gerrit, like myserver:8080 and myserver:8081. (The second one shall be accessible from another site, and will be opened up in the firewall, but the first will not. But, also, I do not want the first group to have access to the second gerrit instance.)

I think I need two instances to accomplish this. And I thought that I had to use LDAP-groups. But, if there is a simpler solution, by configuring gerrit, I am willing to listen. Do you have a better setup?

Still a bit unsure on how to actually set apache and gerrit up to get the correct function.

The gerrit access control is rather complex. You can do a lot of things, but it takes time to learn all the twists...

BR
/Mattias