How to allow http basic authentication for hooks in Gerrit 2.14.6


Mai Waly

Apr 19, 2018, 12:44:26 PM
to Repo and Gerrit Discussion
Hi all,

Please help.

In 2.14.6 HTTP Digest Authentication is not allowed; how do we overcome this problem, as all our workflow golang scripts use it?
Or even, how do we enable HTTP basic authentication?

Thanks

Alon Bar-Lev

Apr 19, 2018, 12:50:24 PM
to Mai Waly, Repo and Gerrit Discussion
Hi,
Try to use auth.type = HTTP_LDAP or even HTTP and have apache httpd
reverse proxy with mod_authnz_ldap, mod_authn_file or mod_auth_digest
or mod_auth_basic.
Regards,
Alon

Mai Waly

Apr 19, 2018, 12:59:01 PM
to Repo and Gerrit Discussion
Thanks for your reply.

But for HTTP basic authentication, where should the user save the password file?

Matthew Webber

Apr 19, 2018, 12:59:51 PM
to Repo and Gerrit Discussion
> In 2.14.6 HTTP Digest Authentication is not allowed; how do we overcome this problem, as all our workflow golang scripts use it?
> Or even, how do we enable HTTP basic authentication?

As I guess you saw in the 2.14 release notes, digest authentication has been removed, and is not coming back. You have to switch to using basic authentication. This is fairly simple to do. The main thing to remember is that basic authentication does not encrypt the credentials at all, so you should only use it over an encrypted session (e.g. https), unless you are on a trusted internal network (although in that case it's still a bad idea).

If you need help in converting your scripts, tell us what they currently use.

Matthew Webber

Apr 19, 2018, 1:01:25 PM
to Repo and Gerrit Discussion
> Hi,
> Try to use auth.type = HTTP_LDAP or even HTTP and have apache httpd
> reverse proxy with mod_authnz_ldap, mod_authn_file or mod_auth_digest
> or mod_auth_basic.
> Regards,
> Alon

I don't think that is relevant here. The use of digest/basic authentication is about how you authenticate to Gerrit when you're using the REST API, not when you log in to the web interface.

Matthew Webber

Apr 19, 2018, 1:14:33 PM
to Repo and Gerrit Discussion
> But for HTTP basic authentication, where should the user save the password file?

If you're happy with where it is currently saved, why not use the same location?

Mai Waly

Apr 19, 2018, 1:23:49 PM
to Matthew Webber, Repo and Gerrit Discussion
We never used it; we used the HTTP password generated by Gerrit. The new Gerrit has no HTTP password in the user profile.

And we are stuck, as our hooks use HTTP digest and we don't know how to overcome that in Gerrit 2.14.6.

We don't know a WA for that; as long as Gerrit is not helping in creating it for us, how do we do it ourselves?


Thanks.

On Thu, 19 Apr 2018, 7:14 pm Matthew Webber, <mat...@unsolvable.org> wrote:
> > But for HTTP basic authentication, where should the user save the password file?
>
> If you're happy with where it is currently saved, why not use the same location?


Blank Liu

May 30, 2018, 9:51:21 PM
to Repo and Gerrit Discussion
Hi, Mai

Generally speaking, I guess your issues can be summarized with two questions.
1. Where is the "HTTP Password" menu in 2.14?
2. Where is the HTTP password stored?

For issue 1,
Whether the "HTTP Password" menu is visible or not is decided by the Gerrit system configuration item "auth.gitBasicAuthPolicy".
Setting the value of this item to "HTTP_LDAP" would bring back the "HTTP Password" menu.
You may also need to read the detailed introduction of another configuration item, "auth.type", in order to understand the connection between these two items.

For issue 2,
According to the official release document of 2.14 (https://www.gerritcodereview.com/releases/2.14.md#HTTP-Digest-Authentication-Removed), the HTTP password is stored in a branch of the All-Users repo, and this branch is refs/meta/external-ids.
Therefore, you can clone this repository and check out this branch (git fetch origin refs/meta/external-ids:meta-external-ids && git checkout meta-external-ids); then you will understand how the HTTP password is stored.
Please note: the HTTP password isn't shown as plain text under the "HTTP Password" menu, which means that once you click the "Generate Password" button, you have to copy the password and store it, because it's hidden after refreshing the page.

As to your hook, you need to use HTTPBasicAuth instead of HTTPDigestAuth if you use the Python module requests.

Hope this can help. 
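The switch from digest to basic auth that the replies describe, written for a Go hook script as an added example (not code from any poster in this thread or from the Gerrit project). It assumes Gerrit's /a/ prefix for authenticated REST calls and the )]}' line Gerrit puts before JSON responses; gerrit.example.com, hookbot and the GERRIT_HTTP_PASSWORD environment variable are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// NewGerritRequest builds a basic-auth GET; plain http is refused because basic auth only base64-encodes the password.
func NewGerritRequest(base, user, httpPassword, endpoint string) (*http.Request, error) {
	u, err := url.Parse(base)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return nil, fmt.Errorf("refusing to send basic auth credentials to non-https URL %q", base)
	}
	target := strings.TrimRight(base, "/") + "/a/" + strings.TrimLeft(endpoint, "/") // /a/ = authenticated REST call
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if err != nil {
		return nil, err
	}
	req.SetBasicAuth(user, httpPassword) // one header, no digest challenge round trip
	return req, nil
}

// DecodeGerritJSON strips the ")]}'" line Gerrit puts before JSON, then decodes.
func DecodeGerritJSON(body []byte, out interface{}) error {
	return json.Unmarshal([]byte(strings.TrimPrefix(string(body), ")]}'")), out)
}

// GetJSON sends req and decodes a 200 response into out.
func GetJSON(c *http.Client, req *http.Request, out interface{}) error {
	resp, err := c.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil || resp.StatusCode != http.StatusOK {
		return fmt.Errorf("gerrit returned %s (read error: %v)", resp.Status, err)
	}
	return DecodeGerritJSON(body, out)
}

func main() { // placeholder host and user; building the request sends nothing
	_, err := NewGerritRequest("http://gerrit.example.com", "hookbot", os.Getenv("GERRIT_HTTP_PASSWORD"), "accounts/self")
	fmt.Println("plain http:", err)
}
```

A hook would call GetJSON(http.DefaultClient, req, &result) with a request built for the https URL of its own Gerrit server.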