Redmine access control for gitblit

[bandarupalli satyanarayana]

Hi,

    I have installed redmine and gitblit. Now I would like to access gitblit with redmine login credentials.
For this i need to write a new function, Could someone guide me where to write new function and to integrate that with gitblit code.
 
 Thanks,
 Satya.

[James Moger]

Hi Satya,

You shouldn't have to write any code to authenticate against Redmine.
Try these settings:

realm.userService = com.gitblit.RedmineUserService
realm.redmine.backingUserService = ${baseFolder}/users.conf
realm.redmine.url = http://example.com/redmine

-J

[bandarupalli satyanarayana]

Hi James,

  Thank you very much for the Hint. I made the changes in gitblit.properties file but getting below error on gitblit server.

WARN  Failed to authenticate via username/password against Redmine
ERROR Failed to authenticate via apikey against Redmine
java.io.FileNotFoundException: http://example.com/redmineusers/current.json?key=password
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream.

  My environment is gitblit-1.2.1 is running on my local PC (windows 7) and redmine-2.0.4 application is running on remote Linux machine.
 Do I need to copy mysql connector jdbc jar file into gitblit-1.2.1/ext dir on my windows machine.

[James Moger]

Hi Satya,

Sorry, I should have been more specific. You need to set the url for
your Redmine install in the realm.redmine.url setting - i.e. the url
you enter in your browser to browse Redmine. If the Redmine server is
not within your intranet then hopefully you can browse it using
https:// rather than http://.

-J

[bandarupalli satyanarayana]

Hi James,

  I understood what you said and my redmine server is within intranet.For security reason I have modified the host name as example.com

I have set the url in gitblit.properties file as
realm.redmine.url = http://hostname.com/redmine

Do I need to user jdbc jar file?

-satya

[James Moger]

No. The authentication is entirely HTTP & JSON. You are not
communicating with the backend database, you are communicating only
with Redmine.

Your exception indicates one of the following: the url is incorrect,
your Redmine installation does not support the API, or you have
disabled API authentication. Please review this section of the API
documentation and compare it to your Redmine server settings:
http://www.redmine.org/projects/redmine/wiki/Rest_Api#Authentication

http://www.redmine.org/projects/redmine/wiki/Rest_Api

-J

[bandarupalli satyanarayana]

Hi James,

  I went through the given links and enable REST web service in redmine(2.0.4). Even then I am facing the same problem.

  I am sure that I am using the right url as the same url works in browser.I am using gitblit1.2.1, hope this version of gitblit support the feature.

Redmine 2.0.4 running on Linux.
Gitblit1.2.1 running on windows.

  May be problem with windows and Linux environment or may be some firewall issue in linux box, I am trying to debug in that scenario. I will update you.

-satya

[James Moger]

Maybe there is a bug in RedmineUserService.
Can you use curl to grab the json object from that url?

-J

[bandarupalli satyanarayana]

  Hi James,

   Gitblit gives me below error when I try to access gitblit using redmine credentials

  WARN  Failed to authenticate via username/password against Redmine

ERROR Failed to authenticate via apikey against Redmine

java.net.UnknownHostException: servername.comusers

  I tried using curl command but it returns html code as output.
curl http://servername.com/redmine
Is this the right command?   Else what command I have to us to get json object?

-satya

[James Moger]

If you are using an API key (easier to test with curl) it should be
something like this:

curl http://yourserver.com/redmine/users/current.json?key=yada

Unknown host exception definitely means your server name is incorrect
or unresolvable. Perhaps it is a WINS name on a lan? Try using the
ip address directly.

[bandarupalli satyanarayana]

  Hi James,

    Now authentication works fine, I have added '/' after 'http://example.com/redmine' then it fixed the problem. Thank you very much for the help.

realm.redmine.url = http://example.com/redmine/ 

[James Moger]

Good news! I'll fix Gitblit to append a slash if it is missing.

-J

[bandarupalli satyanarayana]

  Hi James,

   I am trying to provide access control for git branches.

when I search I got below link which has comments from you.
http://code.google.com/p/gitblit/issues/detail?id=36

I followed the link below link which was provided by you, but this page doesn't exist now.Do you have alternative link?

https://github.com/gitblit/gitblit/blob/master/groovy/protect-refs.groovy

-satya

[James Moger]

It moved.

https://github.com/gitblit/gitblit/blob/master/distrib/groovy/protect-refs.groovy

And it may move again. :)
-J

[bandarupalli satyanarayana]

Hi James,

  Thanks for the script. I tried to configure in hook script but didn't work
  How to configure groovy script in gitblit to restrict PUSH access to particular branch?
  Do I need to add in post-receive scripts or pre-receive scripts?

   -Satya

[James Moger]

1. You need to put your groovy script in your "groovy.scriptsFolder" location
2. You need to specify this script as a pre-receive script either
globally (gitblit.properties) or for a particular repository (edit
repository)

Pre-receive
Ref update commands are coming from the client but have not yet been
applied to the repository.
This is the place to block pushes.

Post-receive
Ref update commands have been processed and applied to the repository
by the server.
This is the place for build automation or email notifications or
Flurfunk posts or whatever.

-J

[bandarupalli satyanarayana]

Hi James,

   Yeah, I tried both ways after copying the script
 1. edit particular repository and select groovy script
 2. Giving the path of groovy script path for variable "groovy.preReceiveScripts"

 I am using TortoiseGit in windows to Clone and push changes back into Git Repository which is on Linux box and I am able to push to master branch.

  -Satya.

[James Moger]

Now that I review your inquiry I'm not sure if you want to block
pushing to a particular ref OR if you want to protect a particular
ref. There are two scripts (both need to be appropriately modified
for your repo):

https://github.com/gitblit/gitblit/blob/master/src/main/distrib/data/groovy/blockpush.groovy
https://github.com/gitblit/gitblit/blob/master/src/main/distrib/data/groovy/protect-refs.groovy

Both of those scripts log to the console so if you are running GO from
a command prompt you should be able to see if the script was
triggered.

-J

[bandarupalli satyanarayana]

  Hi James,

  One more issue what I have observed is whenever an user is added into gitblit from Redmine that user is provided with admin rights by default.
Is this a bug in RedmineUserService?

-satya.

[James Moger]

This is an excellent question and one I had myself when reviewing the
contribution of the RedmineUserService in more detail.

It might be a flaw, but it was explicitly part of the design.

If the JSON user object returned from Redmine has a non-empty "login"
field, the user is assumed to be a Redmine admin and is therefore made
a Gitblit admin. This appears to be an undocumented feature/behavior
of Redmine.

My preference would be to tie admin rights to Redmine group membership
- much like we've done for LDAP - but the contributor did not continue
working on the service and I have not installed a local Redmine to
implement it myself.

-J