Git is awesome and you want it in your large company?
Then you will need to take into account some of the unique characteristics of such an environment.
Namely:
- centralization
- authentication
- authorization
(and more, detailed in this presentation)
DVCS in big corporation
1. DVCS in big Corporation
November, 14th 2011 DVCS in big Corporation
2. DVCS in big Corporation
About: Me, DVCS
Challenges: Authentication, Authorization
Solutions: Centralization, Visualization
34. You've got git.
Now What?
35. What is missing?
Client side Server side
36. Gitolite: authorization script
[Diagram: the client's Git command goes to gl-auth-command on the server side, which holds the user list per repository (Repo1: user1, user2; Repo2: user2, user3); the client gets back the Cmd output]
37. Gitolite: openssh
[Diagram: the client's Git command reaches gl-auth-command on the server side over ssh, with the user list per repository (Repo1: user1, user2; Repo2: user2, user3); the Cmd output comes back over ssh]
38. Gitolite: forced command
~/.ssh/authorized_keys
command="compileEverything/gitolite/bin/gl-auth-command bjensen",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EAAA...
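What a forced command does with that authorized_keys entry, as an added example (not gitolite's gl-auth-command and not code from the presentation): the user name is the fixed argument, the client's request arrives in SSH_ORIGINAL_COMMAND, and only Git transport commands on repositories listed for that user pass. The function names and the access list are assumptions built from the Repo1/Repo2 slides.

```shell
#!/bin/sh
# Added illustration of a forced-command authorization check.
# NOT gitolite's gl-auth-command; acl_users and authorize are hypothetical names.

# Constructed access list, mirroring the slides: repository -> allowed users.
acl_users() {
    case "$1" in
        Repo1) echo "user1 user2" ;;
        Repo2) echo "user2 user3" ;;
    esac
}

# authorize USER ORIGINAL_COMMAND
#   USER is the argument fixed by the admin in command="... USER" (authorized_keys).
#   ORIGINAL_COMMAND is what the client asked for; sshd hands it to the forced
#   command in $SSH_ORIGINAL_COMMAND instead of running it.
# Prints "verb repo" and returns 0 when allowed, returns 1 otherwise.
authorize() {
    user=$1
    cmd=$2
    verb=${cmd%% *}
    case "$verb" in
        git-upload-pack|git-receive-pack|git-upload-archive) ;;
        *) return 1 ;;                  # anything that is not a Git transport command
    esac
    [ "$verb" != "$cmd" ] || return 1   # no repository argument
    repo=${cmd#* }
    repo=${repo#\'}; repo=${repo%\'}    # git quotes the path: 'Repo1.git'
    repo=${repo%.git}
    case "$repo" in
        ""|.*|*[!A-Za-z0-9._-]*) return 1 ;;   # plain names only, no path tricks
    esac
    for u in $(acl_users "$repo"); do
        if [ "$u" = "$user" ]; then
            echo "$verb $repo"
            return 0
        fi
    done
    return 1
}

# Demo on constructed requests (what a forced command would see).
for req in "git-upload-pack 'Repo1.git'" "git-receive-pack 'Repo2.git'" "ls -la"; do
    if authorize user1 "$req" >/dev/null; then echo "user1: allow $req"
    else echo "user1: deny  $req"; fi
done
```

The no-pty and no-*-forwarding options on the key matter as much as the script: without them the key could still be used for tunnels or a terminal even though the command is forced.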
39. Gitolite: not for users
[Diagram: the client side connects over ssh to gl-auth-command on the server side; user lists: Repo1: fisheye, user1; Repo2: sonar, user2]
40. SSH is not enough
Client side Server side
ssh gitolite
41. Git & “smart http”
Client side Server side
httpd, git-http-backend
42. Gitolite: httpd
[Diagram: client side, LDAP, server side. Git command → httpd (gl-auth-command + git-http-backend) → Http answer]
43. Gitolite: LDAP alias
Httpd.conf
<AuthnProviderAlias ldap myldap>
    AuthLDAPBindDN cn=Manager,dc=example,dc=com
    AuthLDAPBindPassword secret
    AuthLDAPURL ldap://localhost:9011/dc=example,dc=com?uid?sub?(objectClass=*)
</AuthnProviderAlias>
45. Gitolite: https://itsvcprdgit:8453/hgit
Httpd.conf
# GitHttp on 8453
<VirtualHost itsvcprdgit.world.company:8453>
    ServerName itsvcprdgit.world.company
    ServerAlias itsvcprdgit
    SetEnv GIT_PROJECT_ROOT /path/to/repositories
    SetEnv GIT_HTTP_EXPORT_ALL
    SetEnv GITOLITE_HTTP_HOME /home/auser/compileEverything
46. Httpd: multi-domain SSL certificate
Client side Server side
The client side reaches httpd as itsvcprdgit or as itsvcprdgit.world.company
X509v3 extensions:
    X509v3 Subject Alternative Name:
        DNS:itsvcprdgit.world.company, DNS:itsvcprdgit
47. Are we there yet?
Client side Server side
ssh gitolite
httpd
49. gitweb.cgi ?
Client side Server side
Gitweb.cgi
gl-auth-command
httpd
?
50. GitWeb: GL_USER
~/gitweb/gitweb.conf.pl
# finally the user name
$ENV{GL_USER} = $cgi->remote_user || "gitweb";
# now get gitolite stuff in...
unshift @INC, $ENV{GL_BINDIR};
require gitolite; gitolite -> import;
51. GitWeb: repo_rights()
~/gitweb/gitweb.conf.pl
$export_auth_hook = sub {
    my $repo = shift;
    # strip the project root prefix and the .git suffix to get the gitolite repo name
    return unless $repo =~ s/^\Q$projectroot\E\/?(.+)\.git$/$1/;
    # check for (at least) "R" permission
    my ($perm, $creator) = &repo_rights($repo);
    return ($perm =~ /R/);
};
52. GitWeb: https://itsvcprdgit:8443/git
Httpd.conf
DocumentRoot compileEverything/gitweb
Alias /git compileEverything/gitweb
<Directory compileEverything/gitweb>
AuthBasicProvider myldap
AddHandler cgi-script cgi
DirectoryIndex gitweb.cgi
</Directory>
53. Are we there now?
Client side Server side
ssh gitolite
httpd
gitweb
55. cgit.cgi ?
Client side Server side
cgit.cgi
gl-auth-command
httpd
56. CGit: repo_rights()
~/cgit/cgit.pl
if ($request_uri ne "/cgit/" && $request_uri ne "/cgit/cgit.pl/") {
    # the first path component is the repository name
    (my $repo) = ($path_info =~ /\/([^\/]+)/);
    my ($perm, $creator) = &repo_rights($repo);
    if ($perm =~ /R/) {
        system("compileEverything/cgit/cgit.cgi");
    } else {
        print " <h1>HTTP Status 403 - Access is denied</h1>\n";
    }
}
57. CGit: https://itsvcprdgit:8463/cgit
Httpd.conf
DocumentRoot compileEverything/cgit
Alias /cgit compileEverything/cgit
<Directory compileEverything/cgit>
    AuthBasicProvider myldap
    SetEnv GIT_PROJECT_ROOT .../repositories
    AddHandler cgi-script .cgi .pl
    DirectoryIndex cgit.pl
</Directory>
58. And now?
Client side Server side
ssh
httpd: https://itsvcprdgit:8453/hgit
gitweb: https://itsvcprdgit:8443/git
cgit: https://itsvcprdgit:8463/cgit
59. What do they want?
Client side Server side
ssh
httpd: https://itsvc/hgit
gitweb: https://itsvc/git
cgit: https://itsvc/cgit
NO PORT NUMBER, SHORT NAMES
60. Reverse Proxy
Client side Server side
ssh
httpd
itsvc
gitweb
cgit
62. There, there?
Client side Server side
ssh
httpd https://itsvc/hgit
https://itsvc/git
https://itsvc/cgit
63. What!?
Client side Server side
65. Issue1: gitolite + hook
Client side Server side
gl-auth-command
Pre-receive hook
66. Issue1: pre-receive hook
# committer name, short hash and subject of every pushed commit not yet in the repository
glog=`git log --format='%cn~%h~%s' "$new" --not --all`
# split on newlines only, so names and subjects containing spaces stay in one piece
IFS='
'
for cns in $glog ; do
    atLeastOneCommit=true
    echo "branch $name: $cns"
    cn=`echo "$cns" | cut -d~ -f1`
    hash=`echo "$cns" | cut -d~ -f2`
    subject=`echo "$cns" | cut -d~ -f3-`
    if [ "$cn" = "$GL_USER" ]; then
        echo "one commit found with $GL_USER as committer name"
        exit 0
    fi
done
67. Issue1: pre-receive hook effect
push
remote: no commit with a committer name equals to 'bjensen',
so this push is denied.
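The committer check with its deny path, as an added example (not the hook from the presentation): it handles names containing spaces, subjects containing '~', and ref deletions. The function names are hypothetical, and accepting a push that brings no new commit is an assumption.

```shell
#!/bin/sh
# Added illustration; check_committer and pre_receive are hypothetical names,
# not the hook from the presentation.

# check_committer GL_USER
#   stdin: one "committer name~short hash~subject" line per new commit,
#   i.e. the output of: git log --format='%cn~%h~%s' <new> --not --all
#   Returns 0 if no commit is new (assumption), or if at least one commit
#   carries GL_USER as committer name; returns 1 otherwise.
check_committer() {
    gl_user=$1
    seen=0
    match=0
    # IFS='~' splits on the separator only, so names with spaces survive; the
    # last variable takes the rest of the line, so '~' in a subject is harmless.
    while IFS='~' read -r cn hash subject; do
        if [ -z "$hash" ]; then continue; fi
        seen=1
        if [ "$cn" = "$gl_user" ]; then match=1; fi
    done
    if [ "$seen" -eq 0 ] || [ "$match" -eq 1 ]; then return 0; fi
    return 1
}

# pre_receive: git feeds "<old> <new> <refname>" per pushed ref on stdin;
# gitolite exports the authenticated user as GL_USER.
pre_receive() {
    while read -r old new name; do
        case "$new" in
            *[!0]*) ;;              # a real commit id
            *) continue ;;          # all zeros: the ref is being deleted
        esac
        if ! git log --format='%cn~%h~%s' "$new" --not --all |
                check_committer "$GL_USER"; then
            echo "no commit with a committer name equals to '$GL_USER', so this push is denied."
            return 1
        fi
    done
    return 0
}

# Demo on constructed log lines (no repository needed).
printf '%s\n' 'Some One Else~1a2b3c4~merge feature' 'bjensen~5d6e7f8~fix ~ typo' |
    check_committer bjensen && echo "push accepted"
```

The committer name is whatever the client put in user.name, so this check ties a push to the authenticated GL_USER by convention; it does not authenticate the individual commits.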
68. Issue2: Actual user on server
Client side Server side
putty
69. Issue2: authorname on server
auser@vonc-VirtualBox:~/gitolite/demo$ ../../bin/git commit -m "default user on server"
[master c694ed7] default user on server
 Committer: auser <auser@vonc-VirtualBox.(none)>
Your name and email address were configured automatically based on your username and hostname.
Please check that they are accurate.
    git config --global user.name "Your Name"
    git config --global user.email you@exemp.com
70. Issue2: putty+ git wrapper
Client side Server side
putty
Git wrapper
71. Issue2: authorname on server
alias agitBjensenItsvcprdgit='alias git="${H}/sbin/wgit u bjensen,bjensen@example.com,itsvcprdgit.world.company,bjensen"'
auser@vonc-VirtualBox:~$ git st
[ bjensen,bjensen@example.com for itsvcprdgit.world.company ]
# On branch master
nothing to commit (working directory clean)
72. Finally, are we there?
Client side Server side
ssh, gitolite, httpd, gitweb, cgit, pre-receive hook, Git wrapper
77. DVCS in big Corporation
If you need to introduce any tool in a big corporation, this presentation will help you be aware of the questions you need to be prepared to answer.
This is a more Git-oriented presentation, but most of it equally applies to Mercurial.
79. Quick notes
http://www.slideshare.net/dchaffiol/dvcs-in-big-corporation
80. About : me
The opinions and elements in this presentation are mine and do not represent my current or former clients.
81. About : me on SO
100K+
Many times during the day
Every single day
A Lot Rep ask@me
82. CVCS
Client side Server side
83. And then, a miracle:
84. DVCS
Client side Server side
85. Git on a client
86. Git on a client
eclipse
88. Reaction?
Not enthusiastic
89. Issues? Authentication.
Who is VonC?
X41064
LDAP
112. Gitolite: authorization script
https://github.com/sitaramc/gitolite