gerrit account management


Xianghua Xiao

Feb 3, 2011, 4:19:57 PM
to Repo and Gerrit Discussion
is there a way via command line to remove any accounts from Gerrit,
including the very first admin account?
(say, when I switch from http to ldap authentication, ldap will refuse
to log in any username that duplicates whatever the http login used).

is there a plan that I can add/remove users via the UI?

last, if I need to add a special account, e.g. non-interactive and such, I
will have to use gerrit create-account to bypass the default
authentication (e.g. ldap), correct? special accounts normally do not
have an ldap/http username set up.

thanks,
xianghua

Shawn Pearce

Feb 23, 2011, 1:56:36 PM
to Xianghua Xiao, Repo and Gerrit Discussion
On Thu, Feb 3, 2011 at 13:19, Xianghua Xiao <xiaoxi...@gmail.com> wrote:
> is there a way via command line to remove any accounts from Gerrit,
> including the very first admin account?

No. You need to manually edit the database to delete the records.

> (say, when I switch from http to ldap authentication, ldap will refuse
> to login any username that duplicated whatever http login used).
>
> is there a plan that I can add/remove users via the UI?

Not really. I haven't wanted to do account management in Gerrit, it's
annoying. Most of my installations use either OpenID, or have a
higher-level organization that provides an LDAP directory (Google,
Eclipse Foundation, etc.) with all of the user accounts.

> last, if I need add special account, e.g. non-interactive and such, I
> will have to use gerrity-create-account to bypass the default
> authentication(e.g. ldap), correct? special accounts normally do not
> have ldap/http username setup.

Correct. However these usernames are then blocked from logging in via
LDAP or HTTP, as their account already exists. So try to use a name
that isn't used inside of the upstream directory. :-)

Markus Duft

Nov 15, 2013, 1:16:18 AM
to repo-d...@googlegroups.com, Xianghua Xiao
May I pick up this oldish thread, as my question fits?

How about removing users that had been removed from the LDAP directory? Is there any plan how to deal with this? Should those accounts stay alive forever? We have exceptions like this:

[2013-11-12 12:29:35,143] WARN  com.google.gerrit.server.auth.ldap.LdapGroupBackend : Cannot lookup membershipsOf XXXXX in LDAP
java.util.concurrent.ExecutionException: com.google.gerrit.server.account.AccountException: No such user:XXXXXX
        at com.google.common.util.concurrent.AbstractFuture$Sync.getValue(AbstractFuture.java:306)
        at com.google.common.util.concurrent.AbstractFuture$Sync.get(AbstractFuture.java:293)
        at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:116)
        at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:135)
        at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2410)
        at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2380)
        at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2342)
        at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2257)
        at com.google.common.cache.LocalCache.get(LocalCache.java:4000)
        at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:4004)
        at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4874)
        at com.google.gerrit.server.auth.ldap.LdapGroupBackend.membershipsOf(LdapGroupBackend.java:189)


somewhat all over the logs. I just wanted to start deleting those users from the DB when I stopped and thought about what happens to reviews for/from those persons then? Will they stay functional?

Cheers,
Markus


Oleksandr Presich

Nov 15, 2013, 2:02:49 AM
to repo-d...@googlegroups.com, Xianghua Xiao
+1 to these questions; there are so many such errors that sometimes it is hard to find useful information in the log.

On Friday, 15 November 2013, 08:16:18 UTC+2, user Markus Duft wrote:

Markus Duft

Nov 18, 2013, 2:47:36 AM
to repo-d...@googlegroups.com, Xianghua Xiao, Shawn Pearce
Shawn, any comment on that? Please...? :)

Regards,
Markus

Doug Kelly

Nov 18, 2013, 9:17:28 AM
to repo-d...@googlegroups.com, Xianghua Xiao, Shawn Pearce
I'm not Shawn, but I have the feeling removing the users entirely from the database is a Bad Idea(tm).  I have a hunch (but I haven't taken time to confirm) that you should just be able to remove the row in account_external_ids where the external_id is gerrit:(username)?  This would effectively break the LDAP integration on the account and make it a pure Gerrit-internal account. Additionally, you'd also want to make sure the user is set to disabled (the SSH backend might still provide a means to access their account).  Also, I have no idea what this would do if the userid was ever re-added -- I'd suspect they wouldn't be able to log into Gerrit until you add the row that was deleted and re-activate their account.

I agree, though, these exceptions are just a bit obnoxious.

--Doug

Shawn Pearce

Nov 18, 2013, 10:59:42 AM
to Doug Kelly, repo-discuss, Xianghua Xiao
Doug is correct. Don't delete the account. If you do the attribution
information on reviews is broken and it starts saying "Anonymous
Coward" created a change or commented on a change when you look at
older reviews. This is probably not what you want in your version
control database.

Instead remove the account_external_ids and account_ssh_keys so there
is no way to authenticate into the account, and mark the account
"inactive = true" in the accounts table so it is not offered as a
completion suggestion.

Doug Kelly

Nov 18, 2013, 11:08:42 AM
to repo-d...@googlegroups.com, Doug Kelly, Xianghua Xiao

Also, I will add that if you attempt to add a new LDAP user with a username that Gerrit has a record of (i.e. after deleting the "gerrit:username" row from account_external_ids, a new user attempts to log in with that userid), Gerrit will attempt to create a new account and fail due to the username collision.  This isn't too much of a problem for us, since we normally don't reuse LDAP usernames, but I also didn't want to take that chance.

I'll offer a slightly less brute force way to squelch this warning here:


--Doug

Shawn Pearce

Nov 18, 2013, 11:15:33 AM
to Doug Kelly, repo-discuss, Xianghua Xiao
On Mon, Nov 18, 2013 at 8:08 AM, Doug Kelly <doug...@gmail.com> wrote:
> On Monday, November 18, 2013 9:59:42 AM UTC-6, Shawn Pearce wrote:
>>
>> Doug is correct. Don't delete the account. If you do the attribution
>> information on reviews is broken and it starts saying "Anonymous
>> Coward" created a change or commented on a change when you look at
>> older reviews. This is probably not what you want in your version
>> control database.
>>
>> Instead remove the account_external_ids and account_ssh_keys so there
>> is no way to authenticate into the account, and mark the account
>> "inactive = true" in the accounts table so it is not offered as a
>> completion suggestion.
>
>
> Also, I will add if you do attempt to add a new LDAP user with a username
> that Gerrit has a record of (i.e. after deleting the "gerrit:username" row
> from account_external_ids, a new user attempts to log in with that userid)
> and that user tries to log in, Gerrit will attempt to create a new account
> and fail due to the username collision. This isn't too much of a problem
> for us, since we normally don't reuse LDAP usernames, but I also didn't want
> to take that chance.

Yes this happens because there is a "username:foo" record in the
account_external_ids table. Also delete that row. :-)

> I'll offer a slightly less brute force way to squelch this warning here:
>
> https://gerrit-review.googlesource.com/51851

Thanks, I will take a look.
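Shawn's recipe from the two posts above (strip every external id and SSH key so nothing can authenticate as the account, then flag it inactive rather than deleting it, and make sure the "username:foo" row goes too), written out as an added SQL example. This is not code from the thread or from Gerrit itself. It assumes the Gerrit 2.x ReviewDb schema as it existed at the time (tables accounts, account_external_ids and account_ssh_keys, with accounts.inactive stored as 'Y'/'N'); the username jdoe and the account id 1000042 are made up for the example.

```sql
-- Added example (not from the thread or from Gerrit). Assumes the Gerrit 2.x
-- ReviewDb tables accounts / account_external_ids / account_ssh_keys; the
-- column names below are assumptions, so check them against your schema first.
BEGIN;

-- 1. Resolve the departed user to an account_id via the username external id.
--    Assume this returns 1000042 (constructed value).
SELECT account_id FROM account_external_ids WHERE external_id = 'username:jdoe';

-- 2. Show every identity binding before touching it: gerrit:, username:,
--    mailto: and any LDAP-derived ids all live in the same table.
SELECT external_id, email_address FROM account_external_ids WHERE account_id = 1000042;

-- 3. Remove all external ids (closes the LDAP/HTTP login path and the
--    "username collision" reported when the same userid is re-created)
--    and all SSH keys (closes the SSH path Doug pointed out).
DELETE FROM account_external_ids WHERE account_id = 1000042;
DELETE FROM account_ssh_keys     WHERE account_id = 1000042;

-- 4. Keep the accounts row so review attribution survives, but mark it
--    inactive so it is no longer offered as a reviewer/owner completion.
UPDATE accounts SET inactive = 'Y' WHERE account_id = 1000042;

-- 5. Verify: both credential tables must be empty for this account and the
--    account itself must still exist.
SELECT COUNT(*) FROM account_external_ids WHERE account_id = 1000042;  -- expect 0
SELECT COUNT(*) FROM account_ssh_keys     WHERE account_id = 1000042;  -- expect 0
SELECT account_id, full_name, inactive FROM accounts WHERE account_id = 1000042;

COMMIT;
```

Run this with the Gerrit `gerrit gsql` SSH command or directly against the backing database. Gerrit caches account and SSH-key data, so after committing flush the caches (`gerrit flush-caches`) or restart the daemon before testing that the old credentials are really rejected; the verification step in the script only proves the rows are gone, not that a cached entry is no longer honoured.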

Markus Duft

Nov 19, 2013, 2:03:22 AM
to repo-d...@googlegroups.com, Doug Kelly, Xianghua Xiao
Thanks a lot for the info you two :) Also I /do/ forgive a non-Shawn answering ;)

I tweaked the DB accordingly (drop all external_ids and ssh_keys, set to INACTIVE=Y), let's see what happens next :D

Cheers,
Markus