02 Aug 2012, 23:19

Patrick D O'Hara (1 post)

We are evaluating new SCM tools where I work. We have been using Git unofficially for some time. Recently an incident caused some in management to demand that we stop using Git until we can solve the auditing hole. So we have been looking at solutions to integrate Active Directory with Git. I am wondering again about the audit trail of changes in our repository. As I understand it, commits are logged on the local system without authentication. After some number of changes have been added to the local repository, these changes can be pushed to a central repository, where authentication is required to be allowed to push the changes. Since the authentication happens later and in a different context, there is nothing that ensures the author value of a commit is validated by Active Directory (or anything else).

Is my understanding correct?

Pat O

06 Oct 2012, 11:18

Mathias Lafeldt (2 posts)

Yes, you cannot control what’s being done in the local Git repositories. But when the commits are pushed to the Git server, you can authenticate the user doing the push.

To control write access, you can deploy an ACL system based on Git commit hooks. Reading can only be controlled by wrapping “git-upload-pack” on the server side though, as support for pull hooks has been removed from Git due to security concerns.

But managing hooks for multiple repos is tedious. At work, we’re instead using a custom login shell for SSH accounts to provide restricted Git access. The shell is hooked up to Kerberos.

For more information, I recommend the following links:

  • http://git-scm.com/book/ch7-4.html
  • https://github.com/blog/530-how-we-made-github-fast

-Mathias
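As an added illustration of the hook-based control Mathias describes (this is example code, not from either poster and not from any particular Git hosting tool), the following pre-receive hook ties the question from the first post to the answer: the hook cannot make the local `author` field trustworthy, but it can refuse any push that introduces commits whose author or committer e-mail is not bound to the authenticated pusher, so the audit trail at least records which authenticated account vouched for each identity. Assumptions are labelled in the comments: the SSH wrapper or login shell is assumed to export the authenticated user name in a hypothetical `GIT_PUSHER` variable (gitolite uses `GL_USER`; other wrappers differ), and the user-to-email binding is assumed to live in a hypothetical `pushers.map` file next to the hook.

```shell
#!/bin/sh
# Example pre-receive hook (not from the thread): reject pushes that introduce
# commits whose author or committer e-mail is not bound to the pusher.
#
# Assumptions (hypothetical, adjust to your setup):
#   GIT_PUSHER  - exported by the SSH login shell with the authenticated user name
#   pushers.map - "user email[,email...]" lines, stored beside this hook

ZERO=0000000000000000000000000000000000000000

# Return 0 if e-mail $1 appears in the space-separated list $2.
email_allowed() {
    _want=$1
    for _have in $2; do
        [ "$_want" = "$_have" ] && return 0
    done
    return 1
}

# Print the e-mails bound to user $1 in map file $2, space-separated (empty if none).
allowed_emails_for() {
    awk -v u="$1" '$1 == u { gsub(",", " ", $2); print $2; exit }' "$2"
}

# Print rev-list arguments covering the commits an update (old -> new) introduces.
# Prints nothing for a ref deletion, since it adds no commits.
update_rev_args() {
    if [ "$2" = "$ZERO" ]; then
        return 0
    elif [ "$1" = "$ZERO" ]; then
        printf '%s --not --all\n' "$2"   # new ref: only commits not already reachable
    else
        printf '%s..%s\n' "$1" "$2"
    fi
}

# Read "sha:author-email:committer-email" lines on stdin and report any commit
# carrying an identity outside the allowed list $1. Returns 1 if any offend.
check_commit_lines() {
    _allowed=$1
    _bad=0
    while IFS=: read -r _sha _ae _ce; do
        for _who in "$_ae" "$_ce"; do
            if ! email_allowed "$_who" "$_allowed"; then
                echo "rejected: commit $_sha carries identity $_who not bound to pusher '$GIT_PUSHER'" >&2
                _bad=1
            fi
        done
    done
    return $_bad
}

# Run the check over a real commit range; remaining args are rev-list arguments.
check_commits() {
    _allowed=$1
    shift
    git log --format='%H:%ae:%ce' "$@" | check_commit_lines "$_allowed"
}

# Hook entry point: Git feeds "old new refname" lines on stdin.
main() {
    if [ -z "$GIT_PUSHER" ]; then
        echo "pre-receive: no authenticated pusher identity, refusing push" >&2
        exit 1
    fi
    allowed=$(allowed_emails_for "$GIT_PUSHER" "$(dirname "$0")/pushers.map")
    rc=0
    while read -r old new ref; do
        args=$(update_rev_args "$old" "$new")
        [ -n "$args" ] || continue
        check_commits "$allowed" $args || rc=1
    done
    exit $rc
}

# Only act as a hook when installed under the hook's name, so the functions can be
# sourced and exercised separately.
case "${0##*/}" in
    pre-receive) main ;;
esac
```

Install it as `hooks/pre-receive` on the server-side repository and make it executable. Note what this does and does not establish: it proves that an authenticated account pushed commits carrying an identity it was allowed to use, which is what a later audit can rely on; it does not prove who typed the commit on the workstation, and an unbound identity that slipped through a misconfigured map is still just a string in a commit. If stronger evidence is wanted, the same hook can additionally require a verified signature on each commit or tag.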
