[JIRA] (JENKINS-60833) Plugin assumes password and http password are the same

[kunickiaj@gmail.com (JIRA)]

Adam Kunicki created an issue

Jenkins / JENKINS-60833 Plugin assumes password and http password are the same Issue Type: Bug Assignee: Luca Domenico Milanesio Components: gerrit-code-review-plugin Created: 2020-01-22 02:17 Environment: Jenkins 2.190.3 LTS Gerrit 3.0.3 LDAP login Priority: Critical Reporter: Adam Kunicki We are using LDAP login for our Gerrit instance. For REST calls (including repo cloning) you must generate an HTTP password that is different from the LDAP login. The gerrit-code-review-plugin currently assumes that these are the same. The client library used, does support setting them separately (https://github.com/uwolfer/gerrit-rest-java-client/blob/v0.8.15/src/main/java/com/urswolfer/gerrit/client/rest/GerritAuthData.java#L101) This is causing us to see the following in the gerrit logs: [2020-01-22 01:35:58,480] [HTTP-21816] WARN com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'jenkins-ci' failed to sign in: Incorrect username or password This appears to coincide with posting comments, as we are not seeing any Verification status changes or comments from Jenkins using gerritReview or gerritComment. I've confirmed that using an http client the HTTP password (same as one in credentials id used for cloning) is sufficient. For example to set the Verified -1 label: POST to gerrit-server.com/a/changes/<change id>/revisions/<patchset number>/review This appears to be discussed in this issue and resolved in PR#70 Add Comment

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

[kunickiaj@gmail.com (JIRA)]

Adam Kunicki updated an issue

Jenkins / JENKINS-60833 Plugin assumes password and http password are the same

Change By: Adam Kunicki

We are using LDAP login for our Gerrit instance. For REST calls (including repo cloning) you must generate an HTTP password that is different from the LDAP login.

The gerrit-code-review-plugin currently assumes that these are the same. The client library used, does support not permit setting them separately the httpPassword flag ([https://github.com/uwolfer/gerrit-rest-java-client/blob/v0.8.15/src/main/java/com/urswolfer/gerrit/client/rest/GerritAuthData.java#L101)]

This is causing us to see the following in the gerrit logs:

{code:java} [2020-01-22 01:35:58,480] [HTTP-21816] WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'jenkins-ci' failed to sign in: Incorrect username or password {code}

This appears to coincide with posting comments, as we are not seeing any Verification status changes or comments from Jenkins using gerritReview or gerritComment. I've confirmed that using an http client the HTTP password (same as one in credentials id used for cloning) is sufficient. For example to set the Verified -1 label: POST to gerrit-server.com/a/changes/<change id>/revisions/<patchset number>/review

This appears to be discussed in [this issue | https://github.com/uwolfer/gerrit-rest-java-client/issues/46] and resolved in PR#70

Add Comment

[kunickiaj@gmail.com (JIRA)]

Adam Kunicki updated an issue

Jenkins / JENKINS-60833 Plugin assumes password and http password are the same Change By: Adam Kunicki

We are using LDAP login for our Gerrit instance. For REST calls (including repo cloning) you must generate an HTTP password that is different from the LDAP login.

The gerrit-code-review-plugin currently does not permit setting the httpPassword flag ([https://github.com/uwolfer/gerrit-rest-java-client/blob/v0.8.15/src/main/java/com/urswolfer/gerrit/client/rest/GerritAuthData.java#L101)]

This is causing us to see the following in the gerrit logs: {code:java} [2020-01-22 01:35:58,480] [HTTP-21816] WARN  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'jenkins-ci' failed to sign in: Incorrect username or password {code}

This appears to coincide with posting comments, as we are not seeing any Verification status changes or comments from Jenkins using gerritReview or gerritComment. I've confirmed that using an http client the HTTP password (same as one in credentials id used for cloning) is sufficient. For example to set the Verified -1 label: POST to gerrit-server.com/a/changes/<change id>/revisions/<patchset number>/review This appears to be discussed in [this issue |https://github.com/uwolfer/gerrit-rest-java-client/issues/46] and resolved in PR#70

Add Comment

[jon.sten@gmail.com (JIRA)]

Jon Sten assigned an issue to Jon Sten

Jenkins / JENKINS-60833 Plugin assumes password and http password are the same

Change By: Jon Sten Assignee: Luca Domenico Milanesio Jon Sten

Add Comment

[jon.sten@gmail.com (JIRA)]

Jon Sten commented on JENKINS-60833

Re: Plugin assumes password and http password are the same Wish I've looked here last week. I've debugged and fixed the issue, see https://review.gerrithub.io/c/jenkinsci/gerrit-code-review-plugin/+/484902

Add Comment

[jon.sten@gmail.com (JIRA)]

Jon Sten started work on JENKINS-60833

Change By: Jon Sten Status: Open In Progress

Add Comment

[jon.sten@gmail.com (JIRA)]

Jon Sten updated JENKINS-60833

Jenkins / JENKINS-60833

Plugin assumes password and http password are the same

Change By: Jon Sten Status: In Progress Review

Add Comment

[luca.milanesio@gmail.com (JIRA)]

Luca Domenico Milanesio updated JENKINS-60833

Thanks Jon Sten for your fix.

Jenkins / JENKINS-60833 Plugin assumes password and http password are the same

Change By: Luca Domenico Milanesio Status: In Review Fixed but Unreleased Resolution: Fixed

Add Comment

This message was sent by Atlassian Jira (v7.13.12#713012-sha1:6e07c38)