Story #6617
Updated by Tom Clegg over 9 years ago
Background: When logged in to a shell node via SSH, you can access git repositories via SSH (like git@git.zzzzz.arvadosapi.com) by using agent forwarding. However, if you log in to a shell node via webshell, your options are:
* Create/store a private key on the shell node. This is a bad practice.
* Don't use SSH to authenticate to git repos when logged in via webshell.
The infrastructure is in place (pending #6619) to authenticate _via https_ using the Arvados API token that is automatically added to your environment at login time. Of course, this only helps when you clone/push @https://git.zzzzz.arvadosapi.com/foo/bar.git@ -- but doc.arvados.org and Workbench's "Manage Account" page only suggest using the URL @git@git.zzzzz.arvadosapi.com:foo/bar.git@.
Both docs and Workbench must be updated to present both options and provide guidance about when to use each.
* Clone with HTTPS if your ARVADOS_API_TOKEN env var is set (e.g., you're logged in to an Arvados shell VM). This is the best option for shell VMs even if you're logged in with SSH: it means "push" will work next time you log in, even if you log in with Webshell.
* Clone with SSH if you've added your SSH key to Arvados and it's available in your login session (e.g., you're cloning to your workstation).
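
One way a login session could hand the environment token to git over HTTPS without storing any secret on the shell node, as an added example (not Arvados code and not part of this story): a function implementing git's credential-helper protocol. The function name and the username value @none@ are assumptions; the host is the example cluster name used above.

```shell
# Added example: answer git credential requests from the login environment.
# Assumed: example cluster host from this page; "none" is a placeholder
# username (assumes the server authenticates on the token alone).
ARV_GIT_HOST="git.zzzzz.arvadosapi.com"

# git's credential-helper protocol: $1 is get|store|erase, and stdin
# carries key=value lines describing the request, ended by a blank line/EOF.
arv_git_credential() {
    op=$1
    proto=""
    host=""
    while IFS='=' read -r key value; do
        case $key in
            protocol) proto=$value ;;
            host)     host=$value ;;
        esac
    done
    # Ignore store/erase: this helper never persists or caches the token.
    [ "$op" = get ] || return 0
    # Answer only for HTTPS to the expected host, so the token is never
    # offered to another server or sent over an unencrypted transport.
    [ "$proto" = https ] && [ "$host" = "$ARV_GIT_HOST" ] || return 0
    # No token in this session: print nothing and let git fall back.
    [ -n "${ARVADOS_API_TOKEN:-}" ] || return 0
    printf 'username=%s\npassword=%s\n' "none" "$ARVADOS_API_TOKEN"
}
```

To use it, the function would be called from a helper script with git's operation argument, and git pointed at that script through its @credential.helper@ setting scoped to the HTTPS URL.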