How to use authenticated http access to Gerrit REST API when auth type is set to OpenID or LDAP?


Jonas Bang

Jun 18, 2013, 7:29:19 AM
to repo-d...@googlegroups.com
I have 2 Gerrit installations. One is running OpenID, the other is running LDAP.

I'm now starting to look into REST API. If I set permission "read" on "refs/*" for "anonymous group" I can read just fine just by accessing the url directly.

Now, I would like not to have "anonymous group" able to clone and read everything.
So, I try to set my Gerrit username and the Gerrit generated HTTP password. But it still only works if I set "read" on "refs/*" for "anonymous group". If I set "read" on "refs/*" only for a group which I'm a member of, then it returns empty (it does not fail). It is as if I'm still accessing as anonymous even though I have set username and password.

Is it required that Gerrit runs auth type HTTP in order to get authenticated http access to Gerrit REST API to work, or what could be the problem here?

Br,
Jonas

David Ostrovsky

Jun 18, 2013, 7:45:25 AM
to repo-d...@googlegroups.com
Check the development documentation [1]. Basically you want this:

Saša Živkov

Jun 18, 2013, 7:46:07 AM
to Jonas Bang, repo-d...@googlegroups.com
I don't know how gerry works.
To trigger authentication for your REST API calls you need to add /a in front of the rest end point:
http://host:port/a/rest/end/point


Jonas Bang

Jun 18, 2013, 7:51:03 AM
to repo-d...@googlegroups.com
More details on the scenarios:

OpenID (Gerrit 2.6rc4). I can understand why 1) works, and why 2) and 3) don't work, but I expected 4) to also work.
  • 1
    • Access anonymous (i.e. only using url)
    • Access set to "read" on "refs/*" for "anonymous group"
    • Result: REST API projects and changes work
  • 2
    • Access non-anonymous (i.e. using url + username + password)
    • Access set to "read" on "refs/*" for "anonymous group"
    • Result: REST API reply: "Problem accessing /a/projects/. Reason: Unauthorized"
  • 3
    • Access anonymous (i.e. only using url)
    • Access set to "read" on "refs/*" for a group which I'm a user of
    • Result: REST API empty list of projects
  • 4
    • Access non-anonymous (i.e. using url + username + password)
    • Access set to "read" on "refs/*" for a group which I'm a user of
    • Result: REST API reply: "Problem accessing /a/projects/. Reason: Unauthorized"

Saša Živkov

Jun 18, 2013, 7:54:36 AM
to Jonas Bang, repo-d...@googlegroups.com
As David mentioned you need the --digest option if sending the request from curl.
If using another client you need to make sure that it will use digest authentication.
 


Jonas Bang

Jun 18, 2013, 8:14:39 AM
to repo-d...@googlegroups.com
Thanks a million, using "--digest" was the key :)

/Jonas



Jonas Bang

Jun 18, 2013, 9:14:23 AM
to repo-d...@googlegroups.com
So, I got it working using curl and digest. But I need it in my rails project. Do you know how to use digest in e.g. HTTParty? The Gerry lib is using HTTParty, but how to change it to use digest?
The code is here: https://github.com/maveonair/gerry/blob/master/lib/gerry/client.rb

I have tried a simple setup like http://stackoverflow.com/questions/4472378/httparty-digest-auth but that does not work, it returns an empty list (as if accessing anonymously).

/Jonas


Jonas Bang

Jun 18, 2013, 9:56:38 AM
to repo-d...@googlegroups.com
Ok, found it: https://github.com/maveonair/gerry/blob/master/lib/gerry/client/request.rb

Just need to change "basic_auth" to "digest_auth".

/Jonas
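
What curl's `--digest` and HTTParty's `digest_auth` do on the wire for a request to `/a/projects/`, shown as an added Ruby example that is not part of this thread or of the gerry gem. The challenge header, realm, user name and password in the demo are constructed sample values, and only MD5 with `qop=auth` (RFC 2617) is handled.

```ruby
require 'digest/md5'
require 'securerandom'

# Parse a "WWW-Authenticate: Digest ..." challenge into a hash of parameters.
def parse_challenge(header)
  raise ArgumentError, 'not a Digest challenge' unless header =~ /\ADigest\s+/i
  pairs = header.sub(/\ADigest\s+/i, '').scan(/(\w+)=(?:"([^"]*)"|([^,\s]+))/)
  pairs.map { |key, quoted, bare| [key.downcase, quoted || bare] }.to_h
end

# Build the Authorization header value for one request (RFC 2617, qop=auth).
# The password itself never goes on the wire, only MD5 hashes derived from it.
def digest_authorization(challenge, user:, password:, method:, uri:,
                         nc: 1, cnonce: SecureRandom.hex(8))
  c = parse_challenge(challenge)
  algorithm = c.fetch('algorithm', 'MD5')
  raise ArgumentError, "unsupported algorithm #{algorithm}" unless algorithm.casecmp('MD5').zero?
  unless c.fetch('qop', '').split(/\s*,\s*/).include?('auth')
    raise ArgumentError, 'server does not offer qop=auth'
  end

  ha1 = Digest::MD5.hexdigest("#{user}:#{c.fetch('realm')}:#{password}")
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}") # binds the hash to the /a/... path
  nc_hex = format('%08x', nc)
  response = Digest::MD5.hexdigest(
    [ha1, c.fetch('nonce'), nc_hex, cnonce, 'auth', ha2].join(':')
  )

  fields = { 'username' => user, 'realm' => c['realm'], 'nonce' => c['nonce'],
             'uri' => uri, 'response' => response, 'cnonce' => cnonce }
  fields['opaque'] = c['opaque'] if c['opaque']
  quoted = fields.map { |key, value| %(#{key}="#{value}") }
  "Digest #{(quoted + ['qop=auth', "nc=#{nc_hex}"]).join(', ')}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed 401 challenge, as a server would send for GET /a/projects/
  # when the first request carries no credentials.
  challenge = 'Digest realm="Gerrit Code Review", qop="auth", ' \
              'nonce="c2FtcGxlLW5vbmNl"'
  puts digest_authorization(challenge, user: 'jdoe',
                            password: 'sample-http-password',
                            method: 'GET', uri: '/a/projects/')
end
```

A client configured for Basic auth sends its credentials without ever answering this challenge, which matches the "Unauthorized" replies on `/a/projects/` reported earlier in the thread.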
