Geo: When pushing over SSH to a secondary with git-lfs enabled, the user is prompted for HTTP auth
When pushing over SSH to a secondary with git-lfs enabled, the JSON auth blob that is returned from POST /internal/lfs_authenticate contains credentials & href designed for the secondary. The fragment needs to contain credentials & href designed for the primary.
e.g.
Primary
upload
$ ssh -p 2221 -- ash@ee-secondary1.local git-lfs-authenticate root/test.git upload
{"header":{"Authorization":"Basic abc123"},"href":"https://ee-primary.local/root/test.git/info/lfs/"}
Secondary
upload
$ ssh -p 2222 -- ash@ee-secondary1.local git-lfs-authenticate root/test.git upload
{"header":{"Authorization":"Basic def456"},"href":"https://ee-secondary1.local/root/test.git/info/lfs/"}
It's also worth noting that when downloading LFS objects, we should still return the secondary URL to keep the operation as fast as possible:
download
$ ssh -p 2222 -- ash@ee-secondary1.local git-lfs-authenticate root/test.git download
{"header":{"Authorization":"Basic def456"},"href":"https://ee-secondary1.local/root/test.git/info/lfs/"}
To work correctly, the secondary must return the same JSON auth blob as the primary.
Edited by Ash McKenzie
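The routing rule described in this issue, as an added Ruby sketch (not GitLab's or gitlab-shell's own code): uploads get the primary's href and credentials, downloads keep the node that served the request, and a checker flags a blob whose href or credentials belong to the wrong node. The function names and node hashes are hypothetical; the hosts and tokens are the sample values from the issue text.

```ruby
require 'json'
require 'uri'

# Hypothetical node descriptions, filled with the sample values from the issue.
PRIMARY   = { host: 'ee-primary.local',    basic_token: 'abc123' }.freeze
SECONDARY = { host: 'ee-secondary1.local', basic_token: 'def456' }.freeze

# Build the git-lfs-authenticate JSON blob a node should return.
# Uploads always point at the primary, with the primary's credentials;
# downloads stay on whichever node received the SSH request.
def lfs_auth_blob(operation:, repo_path:, served_by:, primary: PRIMARY)
  raise ArgumentError, "unknown operation: #{operation}" unless %w[upload download].include?(operation)

  target = operation == 'upload' ? primary : served_by
  JSON.generate(
    'header' => { 'Authorization' => "Basic #{target[:basic_token]}" },
    'href'   => "https://#{target[:host]}/#{repo_path}/info/lfs/"
  )
end

# Validate a returned blob. Returns a list of problems; empty means the
# href and the credentials both belong to the node expected for the operation.
def blob_problems(blob_json, operation:, served_by:, primary: PRIMARY)
  blob     = JSON.parse(blob_json)
  expected = operation == 'upload' ? primary : served_by
  problems = []

  host = URI.parse(blob.fetch('href')).host
  problems << "href host is #{host}, expected #{expected[:host]}" unless host == expected[:host]

  auth = blob.dig('header', 'Authorization')
  problems << 'credentials are not for the expected node' unless auth == "Basic #{expected[:basic_token]}"
  problems
end
```
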