gerrit apache auth with kerberos


patrick

Jan 3, 2012, 12:06:39 PM
to Repo and Gerrit Discussion
Hello,

First, sorry for my poor English:

I am trying to set up Kerberos authentication on Apache for access to Gerrit.

I can make it work when I use a Kerberos login/password, but now I want
to use a Kerberos ticket, and when I try it Gerrit gives me this error:

The HTTP server did not provide the username in the Authorization
header when it forwarded the request to Gerrit Code Review

After a tcpdump I can see in the HTTP request that Apache is
forwarding the Kerberos ticket to Gerrit.

So my question is: is it possible to tell Apache to give the username
to Gerrit instead of the Kerberos ticket?

Here are my Apache and Gerrit configuration files:

apache :

<VirtualHost *:80>

ServerName gerrit

ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On

<Location "/login/">

AuthName "Gerrit Code Review"
Require valid-user
Options none
Order allow,deny
Allow from all
AuthType KerberosV5
Krb5Keytab /etc/apache2/krb5.keytab
</Location>

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>


gerrit:

[gerrit]
basePath = git
canonicalWebUrl = http://gerrit/
[database]
type = H2
database = db/ReviewDB
[auth]
type = HTTP
[sendemail]
smtpServer = localhost
[container]
user = git
javaHome = /usr/lib/jvm/java-6-sun-1.6.0.26/jre
[sshd]
listenAddress = *:29418
[httpd]
listenUrl = proxy-http://*:8080/
[cache]
directory = cache


thanks

patrick

Jan 4, 2012, 5:49:24 AM
to Repo and Gerrit Discussion
OK, I get it.

The solution is to add the Kerberos user name to the HTTP header. Here
is my new configuration:

apache :
<VirtualHost *:80>
ServerName gerrit
ProxyRequests Off
ProxyVia Off
ProxyPreserveHost On
<Location "/login/">
AuthName "Gerrit Code Review"
Require valid-user
Options none
Order allow,deny
Allow from all
AuthType KerberosV5
Krb5Keytab /etc/apache2/krb5.keytab
# this strips the realm from the username
KrbLocalUserMapping On
</Location>
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/

# get the Kerberos username
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]

# put the username in the X-Forwarded-User request header
# ("set" replaces any X-Forwarded-User value sent by the client)
RequestHeader set X-Forwarded-User %{RU}e
# remove the Kerberos ticket from the request because Gerrit doesn't need it (optional)
RequestHeader unset Authorization


</VirtualHost>

gerrit :

[gerrit]
basePath = git
canonicalWebUrl = http://gerrit/
[database]
type = H2
database = db/ReviewDB
[auth]
type = HTTP
# tell Gerrit to take the username from the X-Forwarded-User header
httpHeader = X-Forwarded-User
[sendemail]
smtpServer = localhost
[container]
user = git
javaHome = /usr/lib/jvm/java-6-sun-1.6.0.26/jre
[sshd]
listenAddress = *:29418
[httpd]
listenUrl = proxy-http://*:8080/
[cache]
directory = cache
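
With auth.httpHeader set, Gerrit trusts whatever arrives in X-Forwarded-User, so Apache has to overwrite that header and Gerrit should only be reachable through Apache. The following is an added example, not part of the original post, that audits a pair of configs for both conditions; the function names and the sample configs are constructed for illustration.

```python
import re

LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}
# Constructed sample configs (not taken from a real deployment).
WEAK_APACHE = "RequestHeader add X-Forwarded-User %{RU}e\nRequestHeader unset Authorization\n"
SAFE_APACHE = "RequestHeader set X-Forwarded-User %{RU}e\nRequestHeader unset Authorization\n"
WEAK_GERRIT = "[auth]\n type = HTTP\n httpHeader = X-Forwarded-User\n[httpd]\n listenUrl = proxy-http://*:8080/\n"
SAFE_GERRIT = WEAK_GERRIT.replace("*:8080", "127.0.0.1:8080")


def parse_gerrit_config(text):
    """Parse git-config style text into {(section, key): value}, names lower-cased."""
    values, section = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section:
            key, value = line.split("=", 1)
            values[(section, key.strip().lower())] = value.strip()
    return values


def audit(apache_conf, gerrit_conf):
    """Return findings about how the header Gerrit trusts for login is protected."""
    cfg = parse_gerrit_config(gerrit_conf)
    header = cfg.get(("auth", "httpheader"))
    if not header:
        return ["auth.httpHeader is not set; nothing to audit"]
    findings = []
    # Every mod_headers action the proxy applies to the trusted header name.
    pattern = r"^\s*RequestHeader\s+(\w+)\s+" + re.escape(header) + r"(?=\s|$)"
    actions = [m.group(1).lower() for m in re.finditer(pattern, apache_conf, re.I | re.M)]
    if "set" not in actions:
        findings.append(f"no 'RequestHeader set {header}': a client-sent value is never replaced")
    for action in actions:
        if action in ("add", "append", "merge"):
            findings.append(f"'RequestHeader {action} {header}' keeps a client-sent value")
    # Gerrit should listen on loopback only, so every request passes through Apache.
    m = re.match(r"[\w-]+://(\[[^\]]+\]|[^:/]+)", cfg.get(("httpd", "listenurl"), ""))
    host = m.group(1) if m else "(missing)"
    if host not in LOOPBACK:
        findings.append(f"httpd.listenUrl host '{host}' is not loopback: Gerrit may be reachable without Apache")
    return findings


if __name__ == "__main__":
    for name, apache, gerrit in (("weak", WEAK_APACHE, WEAK_GERRIT), ("safe", SAFE_APACHE, SAFE_GERRIT)):
        print(name, audit(apache, gerrit) or "no findings")
```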



