Block REST API Access via HTTP Credentials


Lord Raheem

Jun 1, 2023, 3:17:48 AM
to Repo and Gerrit Discussion
I am managing a Gerrit server, and because of a security concern I want to block REST API access via HTTP credentials.

Edwin Kempin

Jun 1, 2023, 3:21:48 AM
to Lord Raheem, Repo and Gerrit Discussion
On Thu, Jun 1, 2023 at 9:17 AM Lord Raheem <wmar...@gmail.com> wrote:
I am managing a Gerrit server, and because of a security concern I want to block REST API access via HTTP credentials.

What's the security concern?

AFAIK it's not possible to disallow users using the REST API directly, while not breaking the Gerrit web UI for them at the same time.
 

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/repo-discuss/d0572aed-e7f1-4ad7-8825-ab4f0c5142c5n%40googlegroups.com.

Lord Raheem

Jun 2, 2023, 2:51:42 AM
to Repo and Gerrit Discussion
The security concern is that users are able to use the REST API with only HTTP credentials; there is no MFA or any other security layer enabled.

Previously, our Gerrit was on a private network, so this didn't mean much. But now we are going to make it public.

We have some untracked users on Gerrit, who have left the org but can possibly send HTTP requests via the REST API using HTTP credentials.

And we either need to filter these requests, or use some other way of authentication so that the REST API can be used in a more secure way and not just with HTTP credentials.

Kind Regards. 

Edwin Kempin

Jun 2, 2023, 2:55:56 AM
to Lord Raheem, Repo and Gerrit Discussion
On Fri, Jun 2, 2023 at 8:51 AM Lord Raheem <wmar...@gmail.com> wrote:
The security concern is that users are able to use the REST API with only HTTP credentials; there is no MFA or any other security layer enabled.

Previously, our Gerrit was on a private network, so this didn't mean much. But now we are going to make it public.

We have some untracked users on Gerrit, who have left the org but can possibly send HTTP requests via the REST API using HTTP credentials.

Why not just remove all permissions for these users?
 

And we either need to filter these requests, or use some other way of authentication so that the REST API can be used in a more secure way and not just with HTTP credentials.

Kind Regards. 


Luca Milanesio

Jun 2, 2023, 3:12:50 AM
to Repo and Gerrit Discussion, Luca Milanesio, Lord Raheem

On 2 Jun 2023, at 07:51, Lord Raheem <wmar...@gmail.com> wrote:

The security concern is that users are able to use the REST API with only HTTP credentials; there is no MFA or any other security layer enabled.

Previously, our Gerrit was on a private network, so this didn't mean much. But now we are going to make it public.

We have some untracked users on Gerrit, who have left the org but can possibly send HTTP requests via the REST API using HTTP credentials.

And we either need to filter these requests, or use some other way of authentication so that the REST API can be used in a more secure way and not just with HTTP credentials.

You can block them at reverse proxy level by denying access to URLs starting with '/a/', bearing in mind that you would need a different URL to access the Git/HTTP protocol.
The GUI doesn't use basic auth and '/a/' but only a proper login process and a Cookie-based authentication.

HTH

Luca.


Kind Regards. 


Lord Raheem

Jun 2, 2023, 5:09:07 AM
to Repo and Gerrit Discussion
Yeah, that sounds like a solution.
Can you please let me know what you mean by "you would need a different URL to access the Git/HTTP protocol."

For example my Gerrit is hosted at gerrit.example.com

And I will block URLs: gerrit.example.com/a/*

Kind Regards.

Luca Milanesio

Jun 2, 2023, 5:21:09 AM
to Repo and Gerrit Discussion, Luca Milanesio, Lord Raheem

On 2 Jun 2023, at 10:09, Lord Raheem <wmar...@gmail.com> wrote:

Yeah, that sounds like a solution.
Can you please let me know what you mean by "you would need a different URL to access the Git/HTTP protocol."

For example my Gerrit is hosted at gerrit.example.com

And I will block URLs: gerrit.example.com/a/*

Yeah, but then how do you push to the repositories over HTTPS?

Luca.

Lord Raheem

Jun 2, 2023, 6:11:27 AM
to Repo and Gerrit Discussion
What if only git via ssh is used?

Luca Milanesio

Jun 2, 2023, 6:19:55 AM
to Repo and Gerrit Discussion, Luca Milanesio, Lord Raheem

On 2 Jun 2023, at 11:11, Lord Raheem <wmar...@gmail.com> wrote:

What if only git via ssh is used?

Then you don’t have a problem: are you sure that nobody’s using Git/HTTPS in your company?

Luca.

Lord Raheem

Jun 2, 2023, 6:29:48 AM
to Repo and Gerrit Discussion
Not sure at the moment, but this can be enforced.

Also, how can we configure a separate URL for git/http?
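Luca's proposal (deny '/a/' at the reverse proxy, keep Git-over-HTTPS reachable on a separate hostname) and the last question about a separate URL, modelled as a small path-policy check so the rule can be reasoned about and replayed against sample traffic before it is written into the real proxy configuration. This is an added example, not code from the thread or from Gerrit; gerrit.example.com comes from the thread, while git.example.com and the one-line log format are assumptions.

```python
import re
from urllib.parse import urlsplit

# gerrit.example.com is the host named in the thread; git.example.com is an assumed
# dedicated hostname for Git-over-HTTPS so that '/a/' can be denied on the UI host.
GERRIT_HOST = "gerrit.example.com"   # web UI: login flow + cookie auth, never '/a/'
GIT_HOST = "git.example.com"         # Git smart-HTTP only (fetch/push)

# Git smart-HTTP endpoints sit under the same '/a/<project>' prefix that the REST
# API uses for HTTP-credential auth, which is why a blanket '/a/' deny on a single
# hostname also breaks git push/fetch over HTTPS (Luca's caveat).
GIT_SMART_HTTP = re.compile(r"/a/.+/(info/refs|git-upload-pack|git-receive-pack)")


def decide(host: str, target: str) -> int:
    """Return 0 to pass the request through to Gerrit, 403 to deny it at the proxy."""
    path = urlsplit(target).path        # decide on the path only, never on the query
    if host == GIT_HOST:
        # Dedicated git host: only the three smart-HTTP endpoints, nothing else.
        return 0 if GIT_SMART_HTTP.fullmatch(path) else 403
    if host == GERRIT_HOST:
        # Everything the UI needs is outside '/a/'; credential-based REST is under it.
        return 403 if path.startswith("/a/") else 0
    return 403                          # unknown Host header: deny by default


def audit(log_lines):
    """Replay constructed '<host> <method> <target>' lines; return the denied ones."""
    denied = []
    for line in log_lines:
        host, method, target = line.split()
        if decide(host, target) == 403:
            denied.append((host, method, target))
    return denied


# Constructed sample traffic, not real access logs.
SAMPLE = [
    "gerrit.example.com GET /a/changes/?q=status:open",                      # REST via HTTP creds: deny
    "gerrit.example.com GET /changes/?q=status:open",                        # UI (cookie) call: pass
    "gerrit.example.com GET /a/proj.git/info/refs?service=git-upload-pack",  # git on UI host: deny
    "git.example.com GET /a/proj.git/info/refs?service=git-receive-pack",    # push handshake: pass
    "git.example.com POST /a/proj.git/git-receive-pack",                     # git push: pass
    "git.example.com GET /a/accounts/self",                                  # REST on git host: deny
]

if __name__ == "__main__":
    for entry in audit(SAMPLE):
        print("DENY", *entry)
```

Anonymous Git reads under /<project>/info/refs (no '/a/' prefix) and the whole web UI are untouched by this rule, which is exactly the split Luca describes; the proxy must normalise the path before matching, or the check is only as good as the raw request line.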