It doesn't matter if the auth is handled by our proxy (on the Allura VM) or
by an infra proxy, as long as we can tell if the infra proxy has already
handled the auth and what the username is.  We'd just need to modify the
ApacheAccessHandler.py to detect pre-authed requests and use the username
without attempting to auth it with Allura.  In other words, it should be a
simple if condition in ApacheAccessHandler.py:check_authentication as long
as infra can surface the username and auth flag to us in a reasonable way
(such as an cgi / env variable).


On Thu, Mar 27, 2014 at 6:00 PM, Dave Brondsema <[email protected]> wrote:

> On 03/27/2014 05:38 PM, Cory Johns wrote:
> > SCM access is now configured on forge-allura.apache.org, and you can
> fork
> > the Allura repository there and submit merge requests.
>
> Nice - I will see about updating our contributing pages (in wiki and
> docs) to include this nice process soon.
>
> >
> > The instruction box on the repo browse page (e.g.,
> > https://forge-allura.apache.org/p/allura/git/) and merge request
> > instructions will display the correct URL for each repository, but it
> > should be noted that forks (and other repos created through Allura) will
> > use URLs of the form
> > https://forge-allura.apache.org/git/u/<username>/<fork-name>
> > while the Allura repo will use the canonical repository at
> > https://git-wip-us.apache.org/repos/asf/allura.git.  You will also need
> to
> > use your Allura username when authenticating for the fork, and your
> Apache
> > username / password when authenticating for the canonical Allura repo.
> >  (Hopefully, we'll get the auth better integrated before too long.)
>
> Some time ago we had talked about combined auth (ASF LDAP + local
> accounts, all mapping to local usernames).  I don't know if that'll be
> very simple to apply to SCM though.  Particularly since it would be Not
> Good to send ASF LDAP passwords through the allura-vm box for scm
> authentication.  (Web authentication would be done with an
> infra-controlled proxy in front of our webapp).  Maybe some
> infra-controlled git-http proxy could be devised too.
>
>
> --
> Dave Brondsema : [email protected]
> http://www.brondsema.net : personal
> http://www.splike.com : programming
>                <><
>
>

Reply via email to