Can't log in as admin user any more

[Arunabha]

Hi Gerrit experts,
Yesterday, I set up a gerrit repo yesterday
and logged in using open id successfully. I was able to perform all
admin tasks etc. Today, when I log in using the same open-id, Gerrit
thinks I am a new user rather than the admin user. It no longer seems
possible to log in as the admin, even when I'm using the same open-id
as the admin.

I confirmed that there were two users with the same email.

gerrit> select FULL_NAME,PREFERRED_EMAIL,REGISTERED_ON,ACCOUNT_ID from
Accounts;
FULL_NAME | PREFERRED_EMAIL | REGISTERED_ON |
ACCOUNT_ID
---------------+-----------------------+-------------------------
+-----------
Arunabha | x...@gmail.com | 2012-01-29 18:05:40.272 | 1000000
NULL | x...@gmail.com | 2012-01-30 15:21:58.375 | 1000001

The same email seems to have two accounts created on different days.

The only thing I changed was to restart Gerrit to serve on port 8081
instead of 8080.

I'd love to be able to resolve this without recreating the repo. Any
help is very welcome.

Thanks,
Arunabha

[Shawn Pearce]

On Mon, Jan 30, 2012 at 18:53, Arunabha <aruna...@gmail.com> wrote:
>                         Yesterday, I set up a gerrit repo yesterday
> and logged in using open id successfully. I was able to perform all
> admin tasks etc. Today, when I log in using the same open-id, Gerrit
> thinks I am a new user rather than the admin user. It no longer seems
> possible to log in as the admin, even when I'm using the same open-id
> as the admin.
>
> I confirmed that there were two users with the same email.
>
> gerrit> select FULL_NAME,PREFERRED_EMAIL,REGISTERED_ON,ACCOUNT_ID from
> Accounts;
>  FULL_NAME      | PREFERRED_EMAIL       | REGISTERED_ON           |
> ACCOUNT_ID
>  ---------------+-----------------------+-------------------------
> +-----------
>  Arunabha  | x...@gmail.com | 2012-01-29 18:05:40.272 | 1000000
>  NULL        | x...@gmail.com | 2012-01-30 15:21:58.375 | 1000001

Look at the account_external_ids table. This will record the OpenID
strings used. Some OpenID providers return different strings based on
the hostname you access your server at, e.g. "http://localhost:8080/"
would get assigned a different identifier string than
"http://review.example.com/", even if they are the same server. Google
Accounts and Yahoo both have this behavior.

> The same email seems to have two accounts created on different days.
>
> The only thing I changed was to restart Gerrit to serve on port 8081
> instead of 8080.

Yes, this would also do it. Changing the port number will also change
the OpenID strings.

To make your new "you" account an administrator you would need to find
the Administrators group in the account_groups table and then insert
your new account_id (1000001) into account_group_members table for
that group_id. After doing that restart the server to make sure the
change is visible.

[Jason Axelson]

On Thu, Feb 2, 2012 at 5:15 AM, Shawn Pearce <s...@google.com> wrote:
> To make your new "you" account an administrator you would need to find
> the Administrators group in the account_groups table and then insert
> your new account_id (1000001) into account_group_members table for
> that group_id. After doing that restart the server to make sure the
> change is visible.

Wouldn't that cause the user to still have two (mostly) duplicate
accounts? I think another solution would be to change the account_id's
in the account_external_ids table to point to the original account id.
Then you could clean up the newly created account by removing it from
the accounts table. Is there any other thing place it would need to be
removed from? (assuming that no ssh keys or anything have been added
to the account). I'm looking into using a method like the one I just
outlined to transfer our gerrit server to a new hostname.

Jason

[Shawn Pearce]

Yes, this would also work.

[YenCheng Wang]

Hi all,

    I'm facing the same problem. my first login account did not an administrator.

    last week, I set auth.type = OPENID, and the first account indeed an administrator.

    but this week, I change auth.type = HTTP, and reset my database, and my first login account not an admin.

    and I follow steps to add account_id to account_group_members, restart gerrit server. 

    the web always show bellow messages when I click the People->List Groups 

            Code Review - Error

            server unavailable

            0

            continue

here is some setting of mine~

mysql> select preferred_email,account_id from accounts;

+------------------+------------+

| preferred_email  | account_id |

+------------------+------------+

| yenche...@gmail.com |          1 |

+------------------+------------+

1 row in set (0.00 sec)

mysql> select * from account_group_names

    -> ;

+----------+-----------------------+

| group_id | name                  |

+----------+-----------------------+

|        1 | Administrators        |

|        2 | Anonymous Users       |

|        3 | Registered Users      |

|        4 | Non-Interactive Users |

|        5 | Project Owners        |

+----------+-----------------------+

5 rows in set (0.00 sec)

mysql> select * from account_group_members;

+------------+----------+

| account_id | group_id |

+------------+----------+

|          1 |        1 |

+------------+----------+

1 row in set (0.00 sec)

any information would be appreciated ~ thanks

Arunabha於 2012年1月31日星期二UTC+8上午10時53分25秒寫道：

[Robin Coe]

I have seen the exact same behaviour after switching to LDAP from OpenID, with a db purge in-between.  With OpenID, I was an admin, could create projects and, I assume, modify access (didn't check that).  But now, when I authenticate to a brand new Db using LDAP, gerrit does not add my account to the group_members table.

And adding my id manually to the group_members table doesn't actually help.  I do that, restart gerrit, refresh my browser and now I see that I'm in the Administrators group but I see no UI controls that the admin should have; I can't alter access rights on any project...no Edit button.  Not sure what else an admin should be able to do but that one's pretty important.  I've struggled with finding a solution to this for almost a week now.

So, I'm not sure if there's another Db entry required or whether the Db is ignored for group memberships when auth.LDAP is being used.

[Eugene Sajine]

I used 2.9rc2 and with fresh db I'm not able to get admin rights for my user who logged in first. I'm also using LDAP. 

Any hints?

thanks

[Eugene Sajine]

I really got stuck on that issue: can't proceed becasue i can't get the administrative rights for my user. Help!

Thanks!

[Eugene Sajine]

It seems that there is some bug:

I'm setting up the server from scratch and then I'm trying to make my first login  and the very first login always fails saying that authorization is not available at that time. Then I use the same credentials trying to login again right away and I'm getting in, but my profile number is 1 (not 1000000) and i have no admin rights.

This is 2.9rc2 and LDAP auth

Help!

Thanks!

[Eugene Sajine]

I think i found the problem and workaround - i will pull it out into separate topic

[Chris Mackey]

I noticed similar behaviour when I switched from an H2 database to a Postgres database, and raised the following bug (with workaround) which may be of help: https://code.google.com/p/gerrit/issues/detail?id=2781

Basically it seems to me that when the new database is being generated, it's writing a new set of UUIDs, and adding those as a commit to the existing All-Projects.git config branch, so that file now has 2 sets of UUIDs, one of which only exists in the old database. The creation of the admin user fails at this point because it can't find the UUID from All-Projects in the new database.