Question: How to create SSH extension point from plugin without plugin parent (for LFS plugin)
93 views
Skip to first unread message
Remy Bohmer
Dec 21, 2016, 10:52:08 AM12/21/16
to Repo and Gerrit Discussion
Hi,
Normally SSH extension points inside plugins are called via:
ssh -p <port> <host> <*****pluginname*****> <ssh-entry> <ssh-args>
I would like to create the following commandline for the LFS plugin:
ssh -p <port> <host> git-lfs-authenticate <ssh-args> to support SSH
URL configurations connections without the need to modify the user
environments.
LFS protocol requires this format:
$ ssh [{user}@]{server} git-lfs-authenticate {path} {operation}
according to https://github.com/git-lfs/git-lfs/blob/master/docs/api/server-discovery.md
As such I need to create an SSH entry point in this format from the plugin:
ssh -p <port> <host> <ssh-entry> <ssh-args>
Thus without <*****pluginname*****>
It may be an alias as well that point to the same named entry inside the plugin.
This would be similar to the 'ssh -p 29418 localhost kill', command.
The gerrit etc/gerrit.config configuration for alias only redirects to
the gerrit namespace, not to the root.
Anyone an idea how to do this from a plugin?
Kind regards,
Remy
Normally SSH extension points inside plugins are called via:
ssh -p <port> <host> <*****pluginname*****> <ssh-entry> <ssh-args>
I would like to create the following commandline for the LFS plugin:
ssh -p <port> <host> git-lfs-authenticate <ssh-args> to support SSH
URL configurations connections without the need to modify the user
environments.
LFS protocol requires this format:
$ ssh [{user}@]{server} git-lfs-authenticate {path} {operation}
according to https://github.com/git-lfs/git-lfs/blob/master/docs/api/server-discovery.md
As such I need to create an SSH entry point in this format from the plugin:
ssh -p <port> <host> <ssh-entry> <ssh-args>
Thus without <*****pluginname*****>
It may be an alias as well that point to the same named entry inside the plugin.
This would be similar to the 'ssh -p 29418 localhost kill', command.
The gerrit etc/gerrit.config configuration for alias only redirects to
the gerrit namespace, not to the root.
Anyone an idea how to do this from a plugin?
Kind regards,
Remy
Shawn Pearce
Dec 21, 2016, 12:20:08 PM12/21/16
to Remy Bohmer, Repo and Gerrit Discussion
Aliases should be able to dive into plugins:
Looking at the code, it hasn't changed since 521380a, so it should still work to say:
[ssh-alias]
git-lfs-authenticate = lfsplugin authenticate
Anyone an idea how to do this from a plugin?
Kind regards,
Remy
--
--
To unsubscribe, email repo-discuss+unsubscribe@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Remy Bohmer
Dec 21, 2016, 1:19:40 PM12/21/16
to Shawn Pearce, Repo and Gerrit Discussion
Hi Shawn,
Well, that makes it available in the _gerrit_ namespace, like in 'ssh
-p 29418 localhost gerrit git-lfs-authenticate'.
It should be available exactly as 'ssh -p 29418 localhost
git-lfs-authenticate', and that may point to the plugins 'lfs
git-lfs-authenticate'.
So, this alias does not solve the problem... It effectively replaces
only 'lfs' with 'gerrit',
Thus still not in the same namespace as the 'ps' and 'kill' command...
Kind regards,
Remy
-p 29418 localhost gerrit git-lfs-authenticate'.
It should be available exactly as 'ssh -p 29418 localhost
git-lfs-authenticate', and that may point to the plugins 'lfs
git-lfs-authenticate'.
So, this alias does not solve the problem... It effectively replaces
only 'lfs' with 'gerrit',
Thus still not in the same namespace as the 'ps' and 'kill' command...
Kind regards,
Remy
Jacek Centkowski
Dec 23, 2016, 9:23:39 AM12/23/16
to Repo and Gerrit Discussion, s...@google.com, li...@bohmer.net
It looks that is should be achievable by tweaking com.google.gerrit.sshd.SshModule.configureAliases() so that one could decide upon which com.google.gerrit.sshd.Commands.key(...) it should register plugin command. I can POC that in the following days to see if it works and we can collectively review it. Does that make sense to you guys?
Regards
Jacek
Jacek Centkowski
Dec 23, 2016, 12:34:17 PM12/23/16
to Repo and Gerrit Discussion, s...@google.com, li...@bohmer.net
Here is the change in question:
Comments are welcomed ;)
Regards
Jacek
Remy Bohmer
Dec 24, 2016, 3:41:07 AM12/24/16
to Jacek Centkowski, Repo and Gerrit Discussion, Shawn Pearce
Hi,
Excellent! Thanks for this great example!
We are still looking at the authentication part for the LFS call, once we have it working we will post a patch for that too.
Kind regards,
Remy
Op 23 dec. 2016 18:34 schreef "Jacek Centkowski" <geminica...@gmail.com>:
--
Remy Bohmer
Dec 24, 2016, 3:48:25 AM12/24/16
to Jacek Centkowski, Repo and Gerrit Discussion, Shawn Pearce
Hi
Would it also be possible to do this from plugin code itself without patching the Gerrit core? That would allow us to build a plugin for the current released Gerrit releases.
Kind regards,
Remy
Op 24 dec. 2016 09:41 schreef "Remy Bohmer" <li...@bohmer.net>:
Jacek Centkowski
Dec 24, 2016, 9:44:24 AM12/24/16
to Remy Bohmer, Repo and Gerrit Discussion, Shawn Pearce
I don't believe it would work from plugin, yet if it gets accepted we can backport it to stable 2.13. it is kind of a vital for Git LFS, but first it has to be accepted to master ;).
Btw you can post for review whatever you have for LFS SSH auth. We are also interested in that and can contribute if needed ;)
Regards
Jacek
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
Remy Bohmer
Dec 25, 2016, 5:24:43 PM12/25/16
to Jacek Centkowski, Repo and Gerrit Discussion, Shawn Pearce
Hi Jacek,
I posted the patch to the LFS plugin repo.
It works in our environment with a patched git-lfs client that does an ssh call directly to plugin namespace.
The patch only provides the proper Url back to the client such that no per-git-repo client config is needed anymore.
No authorization implemented yet because the LFS plugin seems to accept everything. I also pulled in your patch that implements it: https://gerrit-review.googlesource.com/#/c/91850/, but even then only on the first push I get an error message to authenticate, but every subsequent push just works without providing such token.
Kind regards,
Remy
Op 24 dec. 2016 15:44 schreef "Jacek Centkowski" <geminica...@gmail.com>:
To unsubscribe, email repo-discuss+unsubscribe@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+unsubscribe@googlegroups.com.
Jacek Centkowski
Jan 2, 2017, 12:11:46 PM1/2/17
to Repo and Gerrit Discussion, geminica...@gmail.com, s...@google.com, li...@bohmer.net
Hi,
have created another approach from global plugin SSH commands (automatic and better IMHO ;)):
will look how it works with LFS tomorrow ;)
Regards
Jacek
Remy
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
Jacek Centkowski
Jan 3, 2017, 10:01:59 AM1/3/17
to Repo and Gerrit Discussion, geminica...@gmail.com, s...@google.com, li...@bohmer.net
There is also another way how we can achieve what is needed without plugin aliases. It will come along the way LFS is integrated into Gerrit. I can develop a patch that exposes requested SSH command that calls command from corresponding LFS plugin - similar way that HTTP endpoint is exposed:
- if plugin is loaded and contains SSH command in question it will call command and return result of it
- otherwise return with failure
Guys how about that approach? I understand that we don't want to open pandora's box (global aliases for plugins ;)) and this seems to be in line to what was done in Gerrit in order to provide LFS support.
Regards
Jacek
Jacek Centkowski
Jan 5, 2017, 4:54:57 PM1/5/17
to Repo and Gerrit Discussion, geminica...@gmail.com, s...@google.com, li...@bohmer.net
here is the change https://gerrit-review.googlesource.com/#/c/93673/ that addresses the problem specifically without trying to introduce too general solution that rises red flags for reviewers ;)
Regards
Jacek
Reply all
Reply to author
Forward
0 new messages