The NCEAS GitHub organizational account should be our main means of sharing new projects whose owners are willing to have everything public; we also keep a copy on NCEAS servers by setting up an automated pull from GitHub.
For projects that are too large for GitHub, or whose owners want the repository to be private, the main repository is on the NCEAS servers and people push to it.
This document describes the proposed and partially constructed structure of a Git based code repository at NCEAS. These git repositories would likely live alongside the svn repositories that we now support, although at some point current SVN repositories could be migrated to git if time allows. The current implementation allows only private repositories, accessible via LDAP login to members of the nceas-staff LDAP group. A future improvement would be to optionally allow anonymous read access (see below for details).
Current Git repo URL: https://code.nceas.ucsb.edu/git/*
Git repositories are served over HTTPS using Apache with git-http-backend to deliver the content from saturn.nceas.ucsb.edu. Git repositories for NCEAS are currently located in /var/gitrepos/. Any repository added to this directory will be accessible as long as it is both readable and writable by the web user (www-data). Repositories should be created as bare git repositories, using git init --bare. When cloning from such a repository, include your username in the URL so that git knows who you are. For example, on your local client you might use:

git clone https://username@code.nceas.ucsb.edu/git/myrepo.git
Authentication is handled using LDAP. Accounts are drawn only from the 'ou=Account,dc=ecoinformatics,dc=org' tree, which means accounts are shared with SVN, Plone, and other systems at NCEAS. Currently, access is only granted to members of the cn=nceas-staff LDAP group.
Authentication and authorization are handled with HTTP Basic authentication over an SSL connection, using the Apache LDAP provider (AuthLDAP). This is configured in the 'LocationMatch' directive of the Apache configuration file for each virtual host. This access must be protected by SSL so that usernames and passwords are sent encrypted. Here's the relevant portion of the Apache configuration file:

SetEnv GIT_PROJECT_ROOT /var/gitrepos
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/

<LocationMatch "^/git/.*">
    AuthBasicProvider ldap
    AuthType basic
    AuthName "GIT NCEAS access"
    AuthLDAPURL ldap://ldap.ecoinformatics.org/ou=Account,dc=ecoinformatics,dc=org?uid?sub?(objectClass=*)
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=nceas-staff,dc=ecoinformatics,dc=org
</LocationMatch>
An alternative is to only try to protect write access, leaving anonymous read access enabled. I attempted to configure this as:
but this did not work fully: anonymous pull and clone requests worked fine, but push requests were not successful because authentication was not properly invoked. More experimentation is needed here. See http://git.661346.n2.nabble.com/git-http-backend-and-Authenticated-Pushes-td4703506.html.
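The pattern below is the one the git-http-backend manual page gives for exactly this split (anonymous read, authenticated write); it is an added example, not the configuration that was tried above. The manual also explains the failure mode described above: a push starts with an anonymous GET of info/refs?service=git-receive-pack, and git-http-backend refuses receive-pack for anonymous users (unless http.receivepack is set in the repository), so if only the receive-pack POST is protected the client is rejected before it ever gets a chance to authenticate. Flagging both requests with mod_rewrite and denying flagged requests unless LDAP authentication succeeds makes Apache ask for credentials at the first step. The LDAP settings are the ones from the vhost above; the AUTHREQUIRED variable name is taken from the manual and is arbitrary.

```apache
SetEnv GIT_PROJECT_ROOT /var/gitrepos
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/lib/git-core/git-http-backend/

# Flag the two requests that make up a push: the ref advertisement that asks
# for the receive-pack service, and the receive-pack POST itself.
RewriteEngine On
RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
RewriteCond %{REQUEST_URI} /git-receive-pack$
RewriteRule ^/git/ - [E=AUTHREQUIRED:yes]

<LocationMatch "^/git/.*">
    # Flagged (push) requests are denied by host-based access control, so with
    # "Satisfy Any" they can only succeed by authenticating against LDAP.
    # Unflagged requests (clone, fetch) pass the access check and need no login.
    Order Deny,Allow
    Deny from env=AUTHREQUIRED

    AuthBasicProvider ldap
    AuthType Basic
    AuthName "GIT NCEAS access"
    AuthLDAPURL ldap://ldap.ecoinformatics.org/ou=Account,dc=ecoinformatics,dc=org?uid?sub?(objectClass=*)
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=nceas-staff,dc=ecoinformatics,dc=org
    Satisfy Any
</LocationMatch>
```

This is Apache 2.2 syntax, matching the era of the vhost above; on Apache 2.4 the Order, Deny and Satisfy directives only work with mod_access_compat loaded. The rewrite rules must sit at virtual host level, not inside the LocationMatch. Because the whole /git/ path stays under SSL, enabling anonymous reads does not weaken the protection of the credentials that pushes send.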
To add a new repository on saturn, create a bare repository inside the appropriate group directory under /var/gitrepos and make it group-writable by www-data:

cd /var/gitrepos/nceas-staff
sudo mkdir newrepo.git
cd newrepo.git
sudo git init --bare
cd ..
sudo chgrp -R www-data newrepo.git
sudo chmod -R g+w newrepo.git

Then add a LocationMatch block for the new directory to the Apache virtual host configuration, replacing CHANGETHISDIR with the directory name and CHANGETHISGROUPNAME with the LDAP group that should have access:

<LocationMatch "^/git/CHANGETHISDIR/.*">
    AuthBasicProvider ldap
    AuthType basic
    AuthName "GIT NCEAS access"
    AuthLDAPURL ldap://ldap.ecoinformatics.org/ou=Account,dc=ecoinformatics,dc=org?uid?sub?(objectClass=*)
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=CHANGETHISGROUPNAME,ou=Groups,dc=ecoinformatics,dc=org
</LocationMatch>

Finally, restart Apache:

sudo service apache2 restart
From the local machine terminal, clone the new repository, add a file, and push:

git clone https://username@code.nceas.ucsb.edu/git/nceas-staff/newrepo.git
cd newrepo
echo "Welcome to Git" > welcomeToGit.txt
git add welcomeToGit.txt
git commit -m "initial commit message"
git push -u origin master
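The server-side creation steps and the client-side smoke test above, as an added shell script (not part of the NCEAS procedure). It assumes the layout described on this page (/var/gitrepos/<groupdir>/<name>.git served by git-http-backend running as www-data) and differs from the manual steps in three ways: it rejects repository names that could escape the group directory, it uses git init --shared=group so that objects written by later pushes stay group-writable instead of relying on a one-time chmod -R g+w, and it verifies the result with a clone/commit/push over the local filesystem rather than over HTTPS. Run it as root (or under sudo) on the server; the group argument exists so the push test can run as an ordinary user.

```shell
#!/bin/sh
# Added example, not NCEAS's own tooling.

# create_bare_repo ROOT GROUPDIR NAME [WEBGROUP]
# Creates ROOT/GROUPDIR/NAME.git as a bare, group-shared repository owned by
# WEBGROUP (default www-data, the Apache user on the page). Prints the path.
create_bare_repo() {
    root=$1; groupdir=$2; name=${3%.git}; webgroup=${4:-www-data}

    # Refuse empty names, path separators and dot-prefixed names (including ..),
    # so a caller cannot create a repository outside the group directory.
    case "$name" in
        ''|*/*|.*) echo "invalid repository name: $3" >&2; return 2 ;;
    esac
    case "$groupdir" in
        ''|*/*|.*) echo "invalid group directory: $groupdir" >&2; return 2 ;;
    esac

    repo="$root/$groupdir/$name.git"
    if [ -e "$repo" ]; then
        echo "already exists: $repo" >&2; return 3
    fi

    mkdir -p "$root/$groupdir" || return 1
    # --shared=group records core.sharedRepository so files created by future
    # pushes are group-writable too; the chgrp/chmod handle what exists now.
    git init --bare --quiet --shared=group "$repo" || return 1
    chgrp -R "$webgroup" "$repo" && chmod -R g+w "$repo" || return 1
    echo "$repo"
}

# is_servable_repo REPO: the checks git-http-backend needs to pass for a push.
is_servable_repo() {
    repo=$1
    [ -f "$repo/HEAD" ] && [ -w "$repo/objects" ] &&
        [ "$(git -C "$repo" rev-parse --is-bare-repository)" = "true" ]
}

# push_smoke_test REPO: the client-side steps from the page, run against the
# repository over the local filesystem. Pushes HEAD to refs/heads/master
# explicitly so the result does not depend on the client's default branch name.
push_smoke_test() {
    repo=$1
    work=$(mktemp -d) || return 1
    (
        git clone --quiet "$repo" "$work/wc" 2>/dev/null &&
        cd "$work/wc" &&
        echo "Welcome to Git" > welcomeToGit.txt &&
        git add welcomeToGit.txt &&
        git -c user.name="Example User" -c user.email="user@example.invalid" \
            commit --quiet -m "initial commit message" &&
        git push --quiet origin HEAD:refs/heads/master 2>/dev/null
    )
    status=$?
    rm -rf "$work"
    [ "$status" -eq 0 ] &&
        git -C "$repo" rev-parse --verify --quiet refs/heads/master >/dev/null
}
```

Calling create_bare_repo /var/gitrepos nceas-staff newrepo on saturn reproduces the manual steps above, and push_smoke_test on the printed path confirms that a commit can land in it before the LocationMatch block and Apache restart expose it over HTTPS.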
An alternative to using Apache to serve the Git repositories is Gitolite, which handles access control with ssh keys that all dispatch to a single shared account. Some experimentation with a gitolite configuration has been done as well; it is located in /var/git on saturn. The main issue with gitolite is that it cannot reuse the accounts already configured in LDAP, so potentially hundreds of user ssh keys would have to be managed by hand to control access.
Gitolite is being used on Saturn in /var/git for biengeo, environmental-layers, and TRN.