
How can we achieve fine-grained ACL with smart http in gitolite?

What this exactly means is: if I restrict certain repos for some users in gitolite using ssh and I try to clone the restricted repo, gitolite says:

    Fatal R any (some_username) is denied.
    Please make sure the repository exists".

How can I achieve the above-mentioned ACL by using smart http?
If possible, please specify the setup (apache2) for achieving the same.

VonC

1 Answer


gitolite is compatible with smart http, as I mentioned in 2012 or in here.

All you need to do is set those 4 lines:

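    # Repositories served over HTTP; @H@ is a placeholder (see below)
    SetEnv GIT_PROJECT_ROOT @H@/repositories
    # Serve every repository under GIT_PROJECT_ROOT without a git-daemon-export-ok file
    SetEnv GIT_HTTP_EXPORT_ALL
    SetEnv GITOLITE_HTTP_HOME @H@
    # Requests under /hgit/ go to gitolite-shell, which checks the ACL first
    ScriptAlias /hgit/ /path/to/gitolite/sbin/gitolite-shell/
    SetEnv GIT_HTTP_BACKEND "/path/to/git/libexec/git-core/git-http-backend"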

That way, any URL with a path starting with /hgit will query gitolite first (through its src/gitolite-shell perl script).

    git clone http://myserver/hgit/myrepo.git

You need to couple that with a way to authenticate yourself through one of the basic authentication providers (file, ldap, dbm, ...).
In my httpd.conf, I use LDAP.

    AuthName "LDAP authentication for ITSVC Smart HTTP Git repositories"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPBindDN "@LDAP_BINDDN@"
    AuthLDAPBindPassword @LDAP_PASSWORD@
    AuthLDAPURL @LDAP_URL@
    AuthLDAPGroupAttribute member

You would replace the placeholder strings @xxx@ with their actual values.

VonC
  • I tried with the above-mentioned code, but I still couldn't find the answer. Can you please post the steps (code) in a sequential way, so that I get a clear understanding of which step to execute first and which one to do last? I read so many documents about "smart-http" implementation and it's actually very confusing, and everybody implemented the same topic in multiple ways, which seems very complicated for a starter like me. Please help me solve this issue. – Balaji Kumar Apr 21 '17 at 10:02
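
A minimal Apache 2 layout that ties the answer's pieces together, as an added example that is not part of the original answer or comment. It assumes file-based Basic auth instead of LDAP; the gitolite home `/home/git`, the password file path, and the user and repo names are all hypothetical. gitolite takes the user name from Apache's `REMOTE_USER` and applies the same `conf/gitolite.conf` rules it applies over ssh.

```apache
# Added example; paths, user names and repo names below are assumptions.
# Needs mod_cgi (or mod_cgid), mod_alias, mod_env, mod_auth_basic, mod_authn_file.
# The Apache user must be able to read and write the gitolite home.
# Basic auth sends the password base64-encoded, so place this in a TLS vhost.

# /home/git stands in for the answer's @H@ placeholder
SetEnv GIT_PROJECT_ROOT   /home/git/repositories
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv GITOLITE_HTTP_HOME /home/git
SetEnv GIT_HTTP_BACKEND   "/usr/lib/git-core/git-http-backend"

# Every /hgit/ URL runs gitolite-shell, which checks the ACL and only then
# hands the request to git-http-backend.
ScriptAlias /hgit/ /home/git/gitolite/src/gitolite-shell/

<Location /hgit>
    AuthType Basic
    AuthName "Git over smart HTTP"
    AuthBasicProvider file
    # Created with: htpasswd -c /etc/apache2/git.htpasswd alice
    AuthUserFile /etc/apache2/git.htpasswd
    # Without this, Apache requests no login and gitolite gets no REMOTE_USER.
    Require valid-user
</Location>

# Matching rules in conf/gitolite.conf of the gitolite-admin repo (not Apache
# syntax, shown here as comments). Names must equal the HTTP login names:
#
#   repo myrepo
#       RW+ = alice
#       R   = bob
#
#   repo secret
#       RW+ = alice
#
# bob can clone http://myserver/hgit/myrepo.git but is denied on
# http://myserver/hgit/secret.git, exactly as he would be over ssh.
```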