Gerrit internal account


Marcelo Avila de Oliveira
May 14, 2013, 9:08:46 AM
to Repo and Gerrit Discussion
Hi guys,

I'm using LDAP authentication on Gerrit (auth.type=LDAP)... If I create an internal account using the "gerrit create-account" command, is it possible to use the web UI with this account? If not, is there any way to use the web UI with an account that does not exist in LDAP?

TIA & regards,

--
Marcelo Ávila de Oliveira
CPqD - Information Technology Engineer

Shawn Pearce
May 14, 2013, 11:14:57 AM
to Marcelo Avila de Oliveira, Repo and Gerrit Discussion
On Tue, May 14, 2013 at 6:08 AM, Marcelo Avila de Oliveira
<mav...@cpqd.com.br> wrote:
> I'm using LDAP authentication on Gerrit (auth.type=LDAP)... If I create an
> internal account using "gerrit create-account" command is it possible to use
> the web UI with this account? If not, is there any way to use the web UI
> with an account that does not exist in LDAP?

No, and no. Unfortunately the web UI requires the account to exist in LDAP.

Marcelo Avila de Oliveira
May 27, 2013, 2:34:59 PM
to Shawn Pearce, Repo and Gerrit Discussion
Ok... no UI... one more question: I'm using "auth.gitBasicAuth = true". Will the "--http-password <PASSWORD>" used in "gerrit create-account" work as expected? Or will Gerrit try to validate the password using LDAP (and fail because the internal account does not exist in LDAP)?

Luca Milanesio
May 27, 2013, 2:45:22 PM
to Marcelo Avila de Oliveira, Shawn Pearce, Repo and Gerrit Discussion
Hi Marcelo,
when you set "auth.gitBasicAuth = true" then the HTTP password in Gerrit is no longer used and the accounts are validated using the User Registry (i.e. LDAP).

Hope this helps.

Luca.

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
 
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

Marcelo Avila de Oliveira
May 27, 2013, 2:48:29 PM
to Luca Milanesio, Shawn Pearce, Repo and Gerrit Discussion
Hi Luca,

Yes, this helped... unfortunately this behavior is not what I expected for an internal account created using the create-account command.

Thanks a lot,

--
Marcelo Ávila de Oliveira
CPqD - Information Technology Engineer

Luca Milanesio
May 27, 2013, 2:53:50 PM
to Marcelo Avila de Oliveira, Shawn Pearce, Repo and Gerrit Discussion
The "create-account" command is mainly reserved for internal-only use:
- batch events
- admin automation

See the "create-account" documentation:

Why were you expecting something different?

I may guess what you would like to achieve though... we have actually implemented an "auth-backend" that extends the usage of internal users defined in the Gerrit DB for regular user management.
Is that what you were looking for?

Luca.

Marcelo Avila de Oliveira
May 27, 2013, 3:25:48 PM
to Luca Milanesio, Shawn Pearce, Repo and Gerrit Discussion
The "create-account" doc says: "If LDAP authentication is being used, the user account is created without checking the LDAP directory"... if the user account was created without checking the LDAP directory, it does not make sense to check LDAP to validate the password, does it? I expected Gerrit to work something like this:

Is it an internal account?
  Yes
    check internal password
  No
    Is auth.gitBasicAuth = false?
    Yes
      check internal password
    No
      check LDAP password

We're trying to grant Gerrit access to some third-party users (who do not have an LDAP account). It seems that this is not possible using HTTP...

Luca Milanesio
May 27, 2013, 3:34:03 PM
to Marcelo Avila de Oliveira, Shawn Pearce, Repo and Gerrit Discussion
I think you are confusing the two concepts:
a) Create account has the purpose of creating internal-use-only accounts on the Gerrit DB only, without any validation on external systems (i.e. LDAP)
b) The usage of internal-use-only accounts as if they were "external users" respects the logic for external users (and not the internal-use-only ones)

What you are trying to achieve will be officially supported when the Auth-backend work is finalised.
You will be able to have multiple user registries (i.e. LDAP + internal users) and be able to grant specific permissions to them via Gerrit groups.

Do not overuse the current "internal users" for the time being ;-)

Luca.

Marcelo Avila de Oliveira
May 27, 2013, 4:23:54 PM
to Luca Milanesio, Shawn Pearce, Repo and Gerrit Discussion
2013/5/27 Luca Milanesio <luca.mi...@gmail.com>

> I think you are confusing the two concepts:
> a) Create account has the purpose of creating internal-use-only accounts on the Gerrit DB only, without any validation on external systems (i.e. LDAP)

This is exactly the behavior I would like to see: to use the "internal account" without LDAP validation... but, unfortunately, when gitBasicAuth is set to true (because I need this for all the "external accounts") this is not possible.

In other words: if you have gitBasicAuth = true it is not possible to use "internal accounts" through HTTP (only through SSH).

> b) The usage of internal-use-only accounts as if they were "external users" respects the logic for external users (and not the internal-use-only ones)
>
> What you are trying to achieve will be officially supported when the Auth-backend work is finalised.
> You will be able to have multiple user registries (i.e. LDAP + internal users) and be able to grant specific permissions to them via Gerrit groups.

I think this is a very useful/welcome feature!

> Do not overuse the current "internal users" for the time being ;-)

I'll try to do that but you know: "make do with what you have" :-)

Luca Milanesio
May 27, 2013, 4:34:51 PM
to Marcelo Avila de Oliveira, Shawn Pearce, Repo and Gerrit Discussion
On 27 May 2013, at 21:23, Marcelo Avila de Oliveira <mav...@cpqd.com.br> wrote:

>> Do not overuse the current "internal users" for the time being ;-)
>
> I'll try to do that but you know: "make do with what you have" :-)

I am Italian, I do really know what you mean :-)

Luca.

Dean Wheatley
Apr 7, 2015, 4:11:12 AM
to repo-d...@googlegroups.com, mav...@cpqd.com.br, s...@google.com
Dear Luca/All,

Can you advise if this feature is now available? I tried the below in v2.10 but I couldn't log in to the web UI.

What steps will reproduce the problem?
1. Set gerrit.config: auth.type = LDAP, auth.gitBasicAuth = true
2. Call ssh -p 29418 user@host gerrit create-account <USERNAME> --http-password <PASSWORD>
3. Attempt to log in to the web UI using the USERNAME and PASSWORD combination

What is the expected output? Able to log in to the web UI.

What do you see instead? "Invalid username or password."

In the error_log:

[2015-04-07 18:05:07,111] INFO  com.google.gerrit.httpd.auth.ldap.LdapLoginServlet : 'USERNAME' failed to sign in: No such user: USERNAME


"Now if auth.gitBasicAuth is set to true users that exist only in Gerrit but not in LDAP are authenticated with their HTTP password from the Gerrit database."

I (mis?)understood this to mean that I can create a non-LDAP account and log in to the web UI using these credentials.

Thanks for your help,

Dean

Fabio Porcedda
Apr 29, 2015, 3:09:55 AM
to repo-d...@googlegroups.com, s...@google.com, mav...@cpqd.com.br
I have the same problem: I'm using LDAP, but I want to use the REST API from Jenkins, so I need to use an HTTP password.

lucamilanesio
Apr 29, 2015, 3:25:02 AM
to repo-d...@googlegroups.com, mav...@cpqd.com.br, s...@google.com
Hi Fabio,
I did not write that patch in Gerrit 2.9 for service users, but I can have a look at the code.

IMHO service users are a very limited functionality and need to remain as that because giving them full access to Gerrit features would open a Security and Compliance hole in the organisation.

Luca.

Edwin Kempin
Apr 29, 2015, 3:28:35 AM
to lucamilanesio, Repo and Gerrit Discussion, Marcelo Ávila, Shawn Pearce
No, this is not about enabling service users to login into the web UI.
This only allows them to use the Gerrit REST API:
  https://gerrit-review.googlesource.com/56031
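A way to check the REST-API side of this from a script, as an added example that is not part of this thread or of Gerrit's own code: it authenticates to /a/accounts/self with HTTP Basic auth (the /a/ prefix and the `)]}'` XSSI guard line are Gerrit's documented REST behaviour) and reports whether the HTTP password was accepted. The host name, account name and password below are placeholders.

```python
"""Probe whether a Gerrit account can use the REST API with its HTTP password.
Added example (not from this thread or from Gerrit). Assumes a Gerrit server
with auth.gitBasicAuth = true; host and credentials below are placeholders."""
import base64
import json
import urllib.error
import urllib.request

XSSI_PREFIX = ")]}'"  # Gerrit prepends this line to every JSON response


def parse_gerrit_json(body: str):
    """Strip Gerrit's XSSI guard line, then decode the JSON that follows."""
    if body.startswith(XSSI_PREFIX):
        body = body[len(XSSI_PREFIX):]
    return json.loads(body.lstrip("\r\n"))


def basic_auth_header(username: str, http_password: str) -> str:
    """Value for the Authorization header used by HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{http_password}".encode()).decode()
    return "Basic " + token


def rest_auth_status(base_url: str, username: str, http_password: str):
    """GET /a/accounts/self as the given account.

    Returns (http_status, account_info_or_None): 200 with the account's
    AccountInfo when Gerrit accepted the HTTP password, 401 with None when
    it rejected the credentials (e.g. a setup or version where only the
    LDAP user registry is consulted for HTTP authentication).
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/a/accounts/self")
    req.add_header("Authorization", basic_auth_header(username, http_password))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, parse_gerrit_json(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, None


if __name__ == "__main__":
    # Placeholder host and credentials: replace with your own instance.
    status, info = rest_auth_status("https://gerrit.example.invalid",
                                    "jenkins-svc", "HTTP_PASSWORD_PLACEHOLDER")
    print(status, info)
```

A 200 with the account's own AccountInfo confirms REST access for the service account; the same credentials still do not sign in to the web UI, which is the distinction Edwin draws above.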

lucamilanesio
Apr 29, 2015, 3:35:54 AM
to repo-d...@googlegroups.com, s...@google.com, luca.mi...@gmail.com, mav...@cpqd.com.br
Thanks Edwin, I was actually looking at your change https://gerrit-review.googlesource.com/#/c/56031/.

That is exactly my point: *IF* the patch allowed a service user to act as "regular Gerrit user" it would have broken the Company Security and Compliance policies.

Service users are not meant to be interactive at ALL!!

Thanks for clarifying.

Luca.