Authorized RW access to repositories

[Mykel Alvis <my...@weirdness.com>]

I have a requirement to prevent external access to a repository without
authorization.
Does the username/password in the servers section of settings.xml work with
Basic Auth?
Are there other authentication methods that can be utilized?

The situation is this:

   - The company is primarily a MS shop, and uses AD, which I believe is
   LDAP, as their user datastore.
   - Company policy absolutely prevents non-company hardware from being
   directly connected to the internal network, including via VPN.
   - There are approximately 70 developers working on this project, split
   fairly equally among internal company employees, on site contractors who
   aren't allowed to connect to the internal network, and offshore developers.
   - SCM is subversion fronted by apache that hits LDAP for auth
   - The proxy that I'm using to mirror "central" must be accessible to
   all developers.  Currently, it resides on the internal company network which
   prevents 60% of the developers from reaching it because they're either
   offshore or  using hardware from their consulting firm.
   - Equipment exists to host the release and snapshot internal
   repositories on the company DMZ, as well as the proxy, but both services
   must require authorization against LDAP.
   - It is a requirement that artifacts be deployable without user
   interaction, including specifying usernames and passwords.  It is allowable
   (and desireable) to have credentials in the settings.xml file, though.
   - To cap all of this off, most or all of the equipment that we're
   discussing is being consolidated to the parent facility soon, but I'm just
   throwing that problem into the mix for the sympathy vote. :)

I've already had all the discussions about the issues surrounding the fact
that legions of the company's developers aren't allowed access to

My plan is this:

   1. Run a proxy or series of proxies fronted by apache using Basic Auth
   connected to the internal company user datastore.
   2. Run an ftp server as the means for deployment to the internal
   release and snapshot repositories and have the proxy point to the ftp
   directories. The ftp server would also need to validate against the interal
   company user datastore

I would prefer to use ssh for security reasons, but my experience with
deploying via ssh has produced the (possibly delusional) view that the only
way to do so is to have everyone generate a keypair and install them on the
ssh server.  This would be a significant administrative headache due to the
number of developers and their geographic dispersion.

I'm not a security expert, so is there another SSH-ish or SSH-based solution
that someone has used that would allow us to specify all the credential
information in an individual users settings.xml file to do unprompted
deployment?  It would need to not require that an administrator manage some
authorized_keys2 file, so that user access could be granted and revoked
using the centralized user datastore and in order to improve on the ftp
solution would need to encrypt keys.
I had considered having a single private key and distributing that, and
changing the key every time someone's authorization was removed, but that
seemed very problematic to me.

Thanks,
Mykel

-- 
I'm just an unfrozen caveman software developer.  I don't understand your
strange, "modern" ways.

Re: Authorized RW access to repositories

[Arnaud Bailly <ab...@oqube.com>]

Hello,
I have setup something quite similar for my former company, although
the physical security requirements were less stringent: We had
off-shore developers, customer-side developers and our own developers
located both at our main office and customer's office. We needed to
isolate each projects.

We use Apache frontend with SSL key authentication for everything: subversion, web
site and repository access. Access to svn and project's site is
controlled by simple CN lists, CRL can be used to invalidate keys when
someone leaves. Deployment is handled by continuum which is run
internally (so no uploading rights problem).

It works both in Windows and linux clients and only
needs that the client install the private key in browser and svn
client, a trivial task. Benefits:
 - transparent strong authentication (no passwords to type, users are
 identified as precisely as possible
 - management is relatively easy, even in "manual" mode (ie. without a
 real PKI infrastructure). We don't use LDAP based key authentication but it's just because I
 never took the time to read the apache doc :-) 
- fine grained access control to projects (and even projects parts if needed)

HTH,
-- 
OQube < software engineering \ génie logiciel >
Arnaud Bailly, Dr.
\web> http://www.oqube.com


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org

Re: Authorized RW access to repositories

[Mykel Alvis <my...@weirdness.com>]

Thanks.  I'll look into the WebDAV support.

On 8/16/06, Mike Perham <mp...@us.ibm.com> wrote:
>
>
>
>
>
>
> authorized_keys is the only way I know to do this easily.  Look into the
> webdav wagon.  That might allow you to use your LDAP auth for HTTP PUTs
> and
> GETs to/from the repo so you don't have to go through any Unix security
> hurdles.
>
> mykel.alvis@gmail.com wrote on 08/16/2006 12:36:45 PM:
>
> > I'm not a security expert, so is there another SSH-ish or SSH-based
> solution
> > that someone has used that would allow us to specify all the credential
> > information in an individual users settings.xml file to do unprompted
> > deployment?  It would need to not require that an administrator manage
> some
> > authorized_keys2 file, so that user access could be granted and revoked
> > using the centralized user datastore and in order to improve on the ftp
> > solution would need to encrypt keys.
>



-- 
I'm just an unfrozen caveman software developer.  I don't understand your
strange, "modern" ways.

Re: Authorized RW access to repositories

[Mike Perham <mp...@us.ibm.com>]

authorized_keys is the only way I know to do this easily.  Look into the
webdav wagon.  That might allow you to use your LDAP auth for HTTP PUTs and
GETs to/from the repo so you don't have to go through any Unix security
hurdles.

mykel.alvis@gmail.com wrote on 08/16/2006 12:36:45 PM:

> I'm not a security expert, so is there another SSH-ish or SSH-based
solution
> that someone has used that would allow us to specify all the credential
> information in an individual users settings.xml file to do unprompted
> deployment?  It would need to not require that an administrator manage
some
> authorized_keys2 file, so that user access could be granted and revoked
> using the centralized user datastore and in order to improve on the ftp
> solution would need to encrypt keys.