Feature #6619

[Deployment] [Documentation] Install system-wide git credential helper for arvados-hosted https git-urls

Added by Tom Clegg over 6 years ago. Updated over 6 years ago.

Status: Resolved
Priority: Normal
Assigned To:
Category: Deployment
Target version:
Start date: 07/20/2015
Due date:
% Done: 100%
Estimated time: (Total: 0.00 h)
Story points: -

Description

Git can be configured to use the ARVADOS_API_TOKEN environment variable to authenticate to gitolite. A single-user setup would look like this:
  • git config 'credential.https://git.zzzzz.arvadosapi.com/.username' none
    git config 'credential.https://git.zzzzz.arvadosapi.com/.helper' \
     '!cred(){ cat >/dev/null; if [ "$1" = get ]; then echo password=$ARVADOS_API_TOKEN; fi; };cred'
    
  • See source:services/arv-git-httpd/server_test.go#L77 for a working example used in the test suite.

(The literal username "none" is for real. It's just a placeholder; the arv-git-httpd server ignores it.)

This should be enabled by default on all shell VMs by running git config --system ..., installing a /etc/gitconfig with puppet, or [...].

This setup should also be documented at http://doc.arvados.org/install/install-shell-server.html


Subtasks

Task #6671: Review branch: 6619-doc-update (Resolved, Radhika Chippada)


Related issues

Blocks Arvados - Story #6617: [Workbench] [Documentation] Display https url in repositories panel in manage_account page. Update documentation as needed. (Resolved, 07/17/2015)

Associated revisions

Revision ee29db4a
Added by Radhika Chippada over 6 years ago

refs #6619
Merge branch '6619-doc-update'

History

#1 Updated by Nico César over 6 years ago

Personally I don't like doing --system level configurations because we could be using git clone for other stuff, with unwanted consequences. Correct me if I'm wrong, the "git config" could be done when the user is created and only once. Sounds like a job for /usr/local/arvados/install-arvados-tokens.rb or /usr/local/arvados/update-shell-accounts.rb.

#2 Updated by Tom Clegg over 6 years ago

Nico Cesar wrote:

Personally I don't like doing --system level configurations because we could be using git clone for other stuff

This config only applies to urls with the given form, and only if not overridden in --global or per-repo configs or on the command line. It looks like this in .gitconfig:

[credential "https://git.zzzzz.arvadosapi.com/"]
    username = none
    helper = "!cred(){ cat >/dev/null; if [ \"$1\" = get ]; then echo password=$ARVADOS_API_TOKEN; fi; };cred" 

Using "git clone for other stuff" wouldn't be affected unless it was cloning from https://git.zzzzz.arvadosapi.com/ (and didn't want to specify/override). And Arvados tokens are the only way to authenticate to those URLs. Using "your token" automatically for arvados git urls seems no more intrusive than defaulting to ~/.ssh/id authentication for SSH git urls...?

I figured using system level config would make it easier for us to update the default/automatic config without mucking with users' own configs. But I suppose that only holds for shared shell VMs, so maybe it's no big win.

Anyway, if it makes more sense to put it in each user's ~/.gitconfig that's totally fine. As long as it's enabled by default for all logins, it's all the same to me...
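
The helper's behaviour under git's credential-helper calling convention, as an added example that is not part of the original ticket or the Arvados code: it runs the helper string from the description and from comment #2 the way git runs a `!` helper (through the shell, with the operation appended and the request attributes on stdin). The token value and the function names `run_helper` and `helper_reply` are constructed for illustration.

```shell
#!/bin/sh
# Added example: exercise the ticket's helper snippet without touching
# any real git config. git runs a "!"-prefixed helper through the shell,
# appends the operation (get, store or erase) as an argument, and writes
# key=value attributes describing the request to the helper's stdin.

# Helper body exactly as given in the ticket (leading "!" dropped).
HELPER='cred(){ cat >/dev/null; if [ "$1" = get ]; then echo password=$ARVADOS_API_TOKEN; fi; };cred'

# Constructed request for the URL scope used in the ticket.
REQUEST='protocol=https
host=git.zzzzz.arvadosapi.com
username=none
'

# run_helper OP: feed the request to the helper, print its answer.
run_helper() {
    printf '%s\n' "$REQUEST" | sh -c "$HELPER $1"
}

# helper_reply OP TOKEN: run the helper with TOKEN exported as
# ARVADOS_API_TOKEN. An empty TOKEN means the variable is not set at all.
helper_reply() {
    if [ -n "$2" ]; then
        (ARVADOS_API_TOKEN=$2; export ARVADOS_API_TOKEN; run_helper "$1")
    else
        (unset ARVADOS_API_TOKEN; run_helper "$1")
    fi
}

# Only "get" produces output; "store" and "erase" are swallowed, so the
# token is never written anywhere by git on the helper's behalf.
for op in get store erase; do
    printf '%s -> [%s]\n' "$op" "$(helper_reply "$op" constructed-token-123)"
done

# Edge case: no token in the environment still yields an (empty) answer.
printf 'get, token unset -> [%s]\n' "$(helper_reply get '')"
```

The token is read from the environment at call time and never appears in the config file itself. With the variable unset the helper still answers `password=` with an empty value rather than staying silent.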

#3 Updated by Tom Clegg over 6 years ago

  • Description updated (diff)

#4 Updated by Nico César over 6 years ago

(.. I agree on all the stuff cut here...)

Tom Clegg wrote:

I figured using system level config would make it easier for us to update the default/automatic config without mucking with users' own configs. But I suppose that only holds for shared shell VMs, so maybe it's no big win.

Anyway, if it makes more sense to put it in each user's ~/.gitconfig that's totally fine. As long as it's enabled by default for all logins, it's all the same to me...

It's almost the same effort for the current state of the art. One is a global file provided by puppet, the other one is modifying the create_user script.

I have no strong preferences here. I think the user modification will keep it more isolated. Probably is better down the road... but again, no particular preference.

Any comment on this, Ward?

#5 Updated by Ward Vandewege over 6 years ago

Nico Cesar wrote:

(.. I agree on all the stuff cut here...)

Tom Clegg wrote:

I figured using system level config would make it easier for us to update the default/automatic config without mucking with users' own configs. But I suppose that only holds for shared shell VMs, so maybe it's no big win.

Anyway, if it makes more sense to put it in each user's ~/.gitconfig that's totally fine. As long as it's enabled by default for all logins, it's all the same to me...

It's almost the same effort for the current state of the art. One is a global file provided by puppet, the other one is modifying the create_user script.

I have no strong preferences here. I think the user modification will keep it more isolated. Probably is better down the road... but again, no particular preference.

Any comment on this, Ward?

Systemwide seems fine since it's pretty narrow. Agree on the potential pitfalls of doing this systemwide by default, but it's only for the local git repo and users can still override this locally.

#6 Updated by Tom Clegg over 6 years ago

  • Target version set to Arvados Future Sprints

#7 Updated by Tom Clegg over 6 years ago

  • Target version changed from Arvados Future Sprints to 2015-08-05 sprint

#8 Updated by Radhika Chippada over 6 years ago

  • Assigned To set to Nico César
  • Target version changed from 2015-08-05 sprint to 2015-07-22 sprint

#9 Updated by Nico César over 6 years ago

  • Status changed from New to Resolved

#10 Updated by Peter Amstutz over 6 years ago

"Configure git to use the ARVADOS_API_TOKEN environment variable to authenticate to gitolite."

That's not quite right, it uses the ARVADOS_API_TOKEN to talk to arv-git-httpd, not gitolite. This should say:

"Configure git to use the ARVADOS_API_TOKEN environment variable to authenticate to arv-git-httpd."
