path: root/about/what-is.mdwn
blob: e1fa5c933fa4b6d3a7a6c18f1280fdc37f5ae1f0 (plain)
[[!meta title="What is Gitano?"]]

<!-- The elevator pitch -->

Gitano is a git server
providing user separation
with ssh keys or passwords
with access rules defined in customisable ACLs
and maximally sandboxed hooks written in Lua
with this configuration stored in git repositories
for both global and per-repository configuration
with additional server-side commands for easier administration
accessible over the git, http and ssh transport protocols.

<!-- More in-depth description of features -->

NOTE: This section is a work in progress

# Is a git server providing user separation with ssh keys or passwords

Git servers implement the `git-{receive,upload}-pack` commands when accessed over ssh, handle requests to `/info/refs?service=git-{upload,receive}-pack` when accessed over http, and speak the bespoke git protocol when accessed over the git transport.

Gitano implements the ssh interface by generating a `.ssh/authorized_keys` file containing all the permitted ssh keys. Each entry runs a proxy command that determines which user the key belongs to and whether that user is permitted to run the requested command, and only then runs the git command.

Gitano implements the http interface by providing `gitano-smart-http.cgi`, which the system administrator configures their web server to run. The CGI authenticates the user against a generated htpasswd file, then determines whether the authenticated user is permitted to run the requested service before handing the request off to `git-http-backend`.

Gitano implements the git interface by generating `git-daemon-export-ok` files for every repository that the anonymous user is permitted to read.
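The ssh path above is the one most worth seeing end to end: every key in `authorized_keys` is pinned to a forced command, and that command maps the key to a user, parses `SSH_ORIGINAL_COMMAND`, refuses anything that is not a git transport command or that names a repository outside the repository root, and only then decides whether the user holds the right the command needs. The following is an added illustration written for this page, not Gitano's own proxy code: the script name `gitano-like-proxy`, the repository root `/srv/git`, the fingerprints, users and permission table are all constructed assumptions.

```python
"""Illustrative ssh forced-command gate for a git server.

Added example (not Gitano's own code). It shows the pattern the page describes:
each permitted key is bound to a proxy command that identifies the key's owner,
then checks whether that user may run the requested git command before the real
command runs. All names and sample data below are constructed for the example.
"""
import os
import re
import shlex
import sys

# The only two plumbing commands a git client asks an ssh server to run,
# and the right each one needs.
GIT_COMMANDS = {"git-upload-pack": "read", "git-receive-pack": "write"}

# Repository names are restricted to a conservative character set so a client
# cannot escape the repository root with "..", absolute paths or shell metacharacters.
REPO_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(/[A-Za-z0-9][A-Za-z0-9._-]*)*\.git$")

REPO_ROOT = "/srv/git"  # assumed location of the bare repositories

# Constructed sample data: key fingerprint -> user, and per-repository rights.
KEY_OWNERS = {"SHA256:alicekey": "alice", "SHA256:bobkey": "bob"}
PERMISSIONS = {"project.git": {"alice": "write", "bob": "read"}}


def authorized_keys_line(fingerprint: str, pubkey: str, proxy: str) -> str:
    """Build one authorized_keys entry. The key can only ever run `proxy` with the
    key's identity as its argument, and gets no pty, port or agent forwarding."""
    opts = ",".join([
        f'command="{proxy} {fingerprint}"',
        "no-port-forwarding", "no-X11-forwarding", "no-agent-forwarding", "no-pty",
    ])
    return f"{opts} {pubkey}"


def parse_request(original_command: str):
    """Parse SSH_ORIGINAL_COMMAND into (git command, repository) or raise ValueError."""
    try:
        argv = shlex.split(original_command)
    except ValueError as exc:
        raise ValueError(f"unparseable command: {exc}")
    if len(argv) != 2 or argv[0] not in GIT_COMMANDS:
        raise ValueError("not a git transport command")
    repo = argv[1].lstrip("/")  # clients send '/project.git' or 'project.git'
    if not REPO_NAME.match(repo):
        raise ValueError("bad repository name")
    return argv[0], repo


def authorize(fingerprint: str, original_command: str):
    """Return the argv to exec, or None if the request must be refused."""
    user = KEY_OWNERS.get(fingerprint)
    if user is None:
        return None  # key no longer belongs to anyone we know
    try:
        cmd, repo = parse_request(original_command)
    except ValueError:
        return None
    needed = GIT_COMMANDS[cmd]
    granted = PERMISSIONS.get(repo, {}).get(user)
    if granted is None or (needed == "write" and granted != "write"):
        return None
    return [cmd, os.path.join(REPO_ROOT, repo)]


if __name__ == "__main__":
    # Invoked by sshd as: gitano-like-proxy <fingerprint>, with the client's
    # requested command in SSH_ORIGINAL_COMMAND.
    argv = authorize(sys.argv[1], os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.exit("access denied")
    os.execvp(argv[0], argv)
```

The `no-pty`/`no-*-forwarding` options matter as much as `command=`: without them a key that is only meant to push and fetch can still open tunnels through the server even though it never gets a shell.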

# Access rules defined as customisable ACLs

All Gitano commands consult ACLs written in [lace][] to determine whether the operation is permitted.

This allows a Gitano administrator to define rules that delegate roles to different users. If those roles are defined by group membership and the ability to add a user to a group is itself delegated, then the permission to grant permissions can also be delegated.

[lace]: https://www.gitano.org.uk/lace/
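The delegation property above is easiest to see with a small rule engine. The following is an added example written for this page; it is not Lace syntax and not Gitano's ACL code. It uses an ordered, first-match, default-deny rule list keyed on group membership, and treats "add a member to group X" as just another operation the ACL decides. The users, groups and repository names are constructed.

```python
"""Added example: group-based ACL evaluation with delegated group management.

Not Gitano's Lace; a stand-in rule engine written for this page to illustrate
that when permissions are keyed on group membership and the right to add users
to a group is delegated, the holder of that right can effectively grant the
group's permissions. All names below are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class Request:
    user: str
    operation: str   # "read", "write" or "group-add"
    target: str      # repository name, or group name for "group-add"


@dataclass
class State:
    groups: Dict[str, Set[str]] = field(default_factory=dict)

    def in_group(self, user: str, group: str) -> bool:
        return user in self.groups.get(group, set())


@dataclass
class Rule:
    description: str
    matches: Callable[[Request, State], bool]
    allow: bool


def evaluate(rules: List[Rule], req: Request, state: State) -> bool:
    """First matching rule decides; no match means deny."""
    for rule in rules:
        if rule.matches(req, state):
            return rule.allow
    return False


# Constructed policy: admins may do anything; release-managers may push to
# release.git; members of "owners:release-managers" may add people to the
# release-managers group; everyone may read.
RULES = [
    Rule("admins can do anything",
         lambda r, s: s.in_group(r.user, "admins"), True),
    Rule("release managers push to release.git",
         lambda r, s: r.operation == "write" and r.target == "release.git"
         and s.in_group(r.user, "release-managers"), True),
    Rule("owners of release-managers may add members",
         lambda r, s: r.operation == "group-add" and r.target == "release-managers"
         and s.in_group(r.user, "owners:release-managers"), True),
    Rule("anyone may read", lambda r, s: r.operation == "read", True),
]


def add_member(rules: List[Rule], state: State, actor: str, group: str, member: str) -> bool:
    """Apply a group-add only if the ACL permits the actor; report whether it happened."""
    if not evaluate(rules, Request(actor, "group-add", group), state):
        return False
    state.groups.setdefault(group, set()).add(member)
    return True


def delegation_demo():
    """carol is not an admin and cannot push to release.git, but she owns the
    release-managers group, so she can add herself and thereby gain push rights.
    Returns (could push before, group-add accepted, can push after)."""
    state = State(groups={"admins": {"root"}, "owners:release-managers": {"carol"}})
    before = evaluate(RULES, Request("carol", "write", "release.git"), state)
    granted = add_member(RULES, state, "carol", "release-managers", "carol")
    after = evaluate(RULES, Request("carol", "write", "release.git"), state)
    return before, granted, after
```

The practical consequence for an administrator reviewing a rule set: a rule that grants group management is a grant of every permission that group carries, so those rules deserve the same scrutiny as the permissions themselves.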