
I have successfully set up gitweb on an Apache vHost accessible for all authenticated users.

The server itself provides several git repositories via https and has per user/group access to those projects. For example test1.git is only readable/writable by group test1 and test2.git is only readable/writable by group test2.

Now I also want only those groups to see their corresponding git repositories in the gitweb interface. Is it possible to have those granular access rights for gitweb?

If not, is there a light-weight web gui for git, that can handle basic http authentication per project (and possibly ldap authentication for later)?

Edit: Just to make things clearer (as there seems to be some confusion from the comments), an example:

  • There are 10 repositories (test1, test2, ... test10)

  • user lockdoc is in group test1 and test3

  • Once authenticated over http with username lockdoc and his/her password, this user can only see git projects test1 and test3 and cannot browse/see any other projects

  • No need for writing (pushing) over the web interface, as this is already implemented

lockdoc
  • Do you want to have a simple, *read only* view of your repositories (in this case GitWeb is suitable) or do you want to manage the repositories (in that case gitolite as answered by @VonC is an option)? – try-catch-finally Dec 31 '12 at 09:31
  • By the way, I think this question is better suited in the [Server Fault](http://serverfault.com/) Stack. – try-catch-finally Dec 31 '12 at 09:38
  • You could try matching different URLs in different `` or `` sections requiring different authentication settings (file, method, ...). – try-catch-finally Dec 31 '12 at 09:43
  • I confirm, based on your edit, that gitolite is the right tool for the job. I have edited my answer with more details. – VonC Dec 31 '12 at 12:22

1 Answer


No GUI, but I would recommend using gitolite for this kind of fine-grained authorization.

See this httpd.conf for LDAP and gitolite access:

  • you can define a gitweb access, which in turn will call gitolite, see this gitweb.conf.pl script
  • you can define an https access which will also call gitolite (in order to allow or deny access, depending on your id)

The https config would look like this:

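```apache
# Requests under /hgit/ are handled by gitolite-shell, which checks the
# gitolite rules before handing over to git-http-backend
ScriptAlias /hgit/ @H@/sbin/gitolite-shell/
SetEnv GIT_HTTP_BACKEND "@H@/usr/local/apps/git/libexec/git-core/git-http-backend"
<Location /hgit>
   ...
</Location>
```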

In both cases, you can protect those http addresses with LDAP-based authentication:

```apache
AuthName "LDAP authentication for ITSVC Smart HTTP Git repositories"
AuthType Basic
AuthBasicProvider myldap companyldap
AuthzLDAPAuthoritative Off
Require valid-user
```

And you will register your users/groups/repos in the gitolite.conf configuration file associated with gitolite.

```
@lockdoc_repos           =   test1 test3 # group of repos

repo @lockdoc_repos
    R                    = lockdoc # read-only access for lockdoc
    R                    = gitweb daemon # can be browsed
```

See "testing/info/refs not found in gitolite after removing R @all rule" for more on how to allow browsing for a repo, by sitaram (Sitaram Chamarty), creator of gitolite himself.

VonC
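A small model of the per-user listing the question asks for, written as an added example that is not part of the original answer and is not gitolite's own code. It parses only the gitolite.conf subset shown above (repo groups, `repo` lines, `R`/`RW`/`RW+` rules) and assumes a repo is listed in the web UI only when both the `gitweb` user and the authenticated user can read it. The `@other_repos` group, the user `alice` and the repo `private1` are constructed for illustration.

```python
import re

# Constructed sample, extending the gitolite.conf fragment from the answer.
SAMPLE_CONF = """
@lockdoc_repos = test1 test3            # group of repos (from the answer)
@other_repos   = test2 test4 test5 test6 test7 test8 test9 test10

repo @lockdoc_repos
    R  = lockdoc                        # read-only access for lockdoc
    R  = gitweb daemon                  # can be browsed

repo @other_repos
    RW = alice                          # constructed user
    R  = gitweb daemon

repo private1                           # constructed: no gitweb rule
    RW = lockdoc
"""

def parse(conf):
    """Return {repo: set of names with read access} for the subset above."""
    groups, acl, current = {}, {}, []
    def expand(names):
        out = []
        for n in names:
            out.extend(expand(groups[n]) if n.startswith("@") and n in groups else [n])
        return out
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := re.fullmatch(r"(@\S+)\s*=\s*(.+)", line):
            groups.setdefault(m[1], []).extend(m[2].split())
        elif m := re.fullmatch(r"repo\s+(.+)", line):
            current = expand(m[1].split())
        elif m := re.fullmatch(r"(R|RW\+?)\s*=\s*(.+)", line):
            for repo in current:
                acl.setdefault(repo, set()).update(expand(m[2].split()))
        else:
            # Deny rules and other syntax are not modelled: fail closed.
            raise ValueError(f"unsupported line: {raw!r}")
    return acl

def visible_in_gitweb(conf, user):
    """Repos the web UI may list for `user`: user and gitweb both need R."""
    acl = parse(conf)
    return sorted(r for r, readers in acl.items()
                  if "gitweb" in readers and (user in readers or "@all" in readers))
```

With the sample rules, `lockdoc` can still clone `private1` over https but does not see it in the web listing, because `gitweb` has no rule on that repo.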