Deleting users from gerrit

[thomasmu...@yahoo.com]

Hi, how can i delete users from gerrit please? (In version 2.15 as the account table does not exist) 

A user has asked me to remove his account but i have no idea how to with 2.15 as it's now stored in branches.

[Luca Milanesio]

You can disable a user but you shouldn't remove it.

A user that "has made stuff in the past" and is not active anymore, shouldn't be removed because it would create inconsistency in the user identities resolution.

Luca.

On 16 Oct 2017, at 11:48, thomasmulhall410 via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

Hi, how can i delete users from gerrit please? (In version 2.15 as the account table does not exist) 

A user has asked me to remove his account but i have no idea how to with 2.15 as it's now stored in branches.

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[thomasmu...@yahoo.com]

I've set it inactive but that is only preventing the user from being added for reviewers, the user can still sign in even though inactive is supposed to prevent signing in.

On Monday, October 16, 2017 at 11:50:20 AM UTC+1, lucamilanesio wrote:

You can disable a user but you shouldn't remove it.

A user that "has made stuff in the past" and is not active anymore, shouldn't be removed because it would create inconsistency in the user identities resolution.

Luca.

On 16 Oct 2017, at 11:48, thomasmulhall410 via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

Hi, how can i delete users from gerrit please? (In version 2.15 as the account table does not exist) 

A user has asked me to remove his account but i have no idea how to with 2.15 as it's now stored in branches.

--
--

To unsubscribe, email repo-disc...@googlegroups.com

[Luca Milanesio]

If the user is flagged as inactive, shouldn't be allowed to login at all.

See the documentation at:

https://gerrit-review.googlesource.com/Documentation/cmd-set-account.html

If that is not true, there must be a bug somewhere.

Luca.

To unsubscribe, email repo-discuss...@googlegroups.com

[thomasmu...@yahoo.com]

thanks, ok i've filled https://bugs.chromium.org/p/gerrit/issues/detail?id=7438 as still more then 7+ hours have passed and the user can still sign in.

[David Pursehouse]

On Mon, Oct 16, 2017 at 8:11 PM thomasmulhall410 via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

thanks, ok i've filled https://bugs.chromium.org/p/gerrit/issues/detail?id=7438 as still more then 7+ hours have passed and the user can still sign in.

The user can still sign in because you're using "development become any account" auth.

 

To unsubscribe, email repo-discuss...@googlegroups.com

[Wyatt Allen]

If the user is flagged as inactive, shouldn't be allowed to login at all.

In my understanding, the inactive bit means the user hasn't logged in in within some timeframe, so that they aren't suggested as reviewers. For this reason, an inactive user can log in, and if they do, they're marked as active.

To unsubscribe, email repo-discuss+unsubscribe@googlegroups.com

More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.

To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+unsubscribe@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
--
To unsubscribe, email repo-discuss+unsubscribe@googlegroups.com

More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.

To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+unsubscribe@googlegroups.com.

[Wyatt Allen]

I realize now that my message is inconsistent with the docs Luca linked to.

Maybe I have the auth.autoUpdateAccountActiveStatus flag enabled somehow?

[thomasmu...@yahoo.com]

even when logged in, the user is still set to inactive :).

To unsubscribe, email repo-discuss...@googlegroups.com

More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
--
To unsubscribe, email repo-discuss...@googlegroups.com

[Edwin Kempin]

On Mon, Oct 16, 2017 at 10:27 PM, 'Wyatt Allen' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

If the user is flagged as inactive, shouldn't be allowed to login at all.

In my understanding, the inactive bit means the user hasn't logged in in within some timeframe, so that they aren't suggested as reviewers. For this reason, an inactive user can log in, and if they do, they're marked as active.

This behavior is custom to the Gerrit servers run by Google.

For open source Gerrit inactive users can't log in. An exception is the DEVELOPMENT_BECOME_ANY_ACCOUNT mode which as the name suggests is only for development and allows to login with any account (including inactive ones).

[Luca Milanesio]

Hi Paladox,

shouldn't we spend time fixing real bugs instead of this one?

DEVELOPMENT_BECOME_ANY_ACCOUNT is more a "mock auth" rather than a feature for a proper setup.

We should possibly even lock the listen IP to 127.0.0.1 to make sure that isn't used outside your local box.

Luca.

To unsubscribe, email repo-discuss...@googlegroups.com

[Luca Milanesio]

On 17 Oct 2017, at 07:28, 'Edwin Kempin' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

On Mon, Oct 16, 2017 at 10:27 PM, 'Wyatt Allen' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

If the user is flagged as inactive, shouldn't be allowed to login at all.

In my understanding, the inactive bit means the user hasn't logged in in within some timeframe, so that they aren't suggested as reviewers. For this reason, an inactive user can log in, and if they do, they're marked as active.

This behavior is custom to the Gerrit servers run by Google.

For open source Gerrit inactive users can't log in.

Agreed, that's the behaviour we all rely on :-)

If we allow inactive users to login again .... many people will have problems.

An exception is the DEVELOPMENT_BECOME_ANY_ACCOUNT mode which as the name suggests is only for development and allows to login with any account (including inactive ones).

Agreed, that's only for local development (as the prefix suggests) and not for pre-prod, staging or prod.

To unsubscribe, email repo-discuss...@googlegroups.com

[Sven Selberg]

I don''t think we should lock listen to 127.0.0.1 when auth.type = development_become_any_account, there are instances where you want do expose a dev Gerrit instance for demo purposes.

We could however set it to 127.0.0.1 on init but let the user alter it as they please, that way the user must take an active decision to open up their local instance.

/Sven

To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[thomasmu...@yahoo.com]

Im not sure if i can use an external login system as it may break the wmflabs terms of conditions. As i wont have control over how the login system is handled.

@Luca what about creating a new in built system auth that can be used in prod? That way users doin't have to use external services to setup gerrit :).

[David Pursehouse]

On Tue, Oct 17, 2017 at 7:56 PM thomasmulhall410 via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

Im not sure if i can use an external login system as it may break the wmflabs terms of conditions. As i wont have control over how the login system is handled.

Given that currently anyone can log in as admin, I'm not sure how much worse it could be.

 

@Luca what about creating a new in built system auth that can be used in prod? That way users doin't have to use external services to setup gerrit :).

On Monday, October 16, 2017 at 11:48:46 AM UTC+1, thomasmu...@yahoo.com wrote:

Hi, how can i delete users from gerrit please? (In version 2.15 as the account table does not exist) 

A user has asked me to remove his account but i have no idea how to with 2.15 as it's now stored in branches.

--

[thomasmu...@yahoo.com]

Yep, though i could have use prod's ldap (wikimedia's) but was told i coulden't as users passwords could have been exposed.

But a new auth system that is built into gerrit would probaly lead to the replace of the development one :).

[Luca Milanesio]

On 17 Oct 2017, at 11:56, thomasmulhall410 via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

Im not sure if i can use an external login system as it may break the wmflabs terms of conditions. As i wont have control over how the login system is handled.

@Luca what about creating a new in built system auth that can be used in prod? That way users doin't have to use external services to setup gerrit :).

It already exists, have you checked the official Docker image?

https://hub.docker.com/r/gerritcodereview/gerrit/

It is a docker-compose YAML file that uses OpenLDAP and PHP LDAP Admin.

The wheel already exists, no need for re-invention ;-)

It works like a charm and has a web-based user configuration screen.

Luca.

On Monday, October 16, 2017 at 11:48:46 AM UTC+1, thomasmu...@yahoo.com wrote:

Hi, how can i delete users from gerrit please? (In version 2.15 as the account table does not exist) 

A user has asked me to remove his account but i have no idea how to with 2.15 as it's now stored in branches.

[thomasmu...@yahoo.com]

Hmm, i guess i could use mediawiki vagrant as there is a puppet role it seems.

Though it seems when i telnet to a port it's accissible on my other instance

gerrit-test3.git.eqiad.wmflabs:1389 :).

I will try to switch to that.

On Monday, October 16, 2017 at 11:48:46 AM UTC+1, thomasmu...@yahoo.com wrote:

[thomasmu...@yahoo.com]

I've had to delete the db and recreate it but it now uses ldap :)

https://ldapauth-gitldap.wmflabs.org/wiki/Main_Page

https://wikitech.wikimedia.org/wiki/Nova_Resource:Git/SAL

On Monday, October 16, 2017 at 11:48:46 AM UTC+1, thomasmu...@yahoo.com wrote:

[Luca Milanesio]

.... and ? Do you still see the same problem?

[thomasmu...@yahoo.com]

Logging in dosen't work when set inactive :).

On Tuesday, October 17, 2017 at 2:40:07 PM UTC+1, lucamilanesio wrote:

.... and ? Do you still see the same problem?

On 17 Oct 2017, at 13:48, thomasmulhall410 via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

I've had to delete the db and recreate it but it now uses ldap :)

https://ldapauth-gitldap.wmflabs.org/wiki/Main_Page

https://wikitech.wikimedia.org/wiki/Nova_Resource:Git/SAL

On Monday, October 16, 2017 at 11:48:46 AM UTC+1, thomasmu...@yahoo.com wrote:

Hi, how can i delete users from gerrit please? (In version 2.15 as the account table does not exist) 

A user has asked me to remove his account but i have no idea how to with 2.15 as it's now stored in branches.

--
--

To unsubscribe, email repo-disc...@googlegroups.com

[Luca Milanesio]

Cool, so this problem / discussion thread should be considered resolved :-)

To unsubscribe, email repo-discuss...@googlegroups.com