Re: Gerrit + Apache and http authentication

Steffen Gebert

Jan 14, 2013, 1:03:37 PM
to repo-discuss@googlegroups.com Discussion, Maicon Kist
Hi Maicon,

Yes, we're running Apache HTTP auth successfully at http://review.typo3.org.

Our apache config is here: https://gist.github.com/4531841

The script /var/gerrit/scripts/typo3org-authentication.php receives the user input via stdin and just exits 0 if data is correct and 1 otherwise.

Hope that helps.

Yours
Steffen

On Jan 14, 2013, at 6:09 PM, Maicon Kist <maico...@gmail.com> wrote:

> Hi list,
>
> Has anybody configured Gerrit to work with Apache HTTP authentication?
>
> I've been working on it for 2 days and it is still not working correctly.
>
> Until now, after the HTTP authentication pop-up, I was able to make it open the Gerrit page, but as an "Anonymous Coward" (I did this by removing the "httpHeader" option from the gerrit.conf file).
> If I keep the "httpHeader" option there, then after the login pop-up Gerrit shows me a page saying "The HTTP server did not provide the username in the SM_USER header when it forwarded the request to Gerrit Code Review."
>
> Any hint on that?
>
>
> Thanks.
>
> --
> To unsubscribe, email repo-discuss...@googlegroups.com
> More info at http://groups.google.com/group/repo-discuss?hl=en

Maicon Kist

Jan 15, 2013, 6:02:10 AM
to repo-d...@googlegroups.com, Maicon Kist
Hi Steffen,

Thanks for your reply.

Yes, it helped me a lot. Now the authentication is better, but the problem with the SM_USER header continues.
I tried to remove the "httpHeader" configuration in the gerrit.conf file, but this gets me the Anonymous Coward login.

Do you know how to log in as a valid registered user?


Thanks.

Steffen Gebert

Jan 15, 2013, 7:32:58 AM
to repo-discuss@googlegroups.com Discussion
Hi Maicon,

We have only set auth.type = HTTP in our gerrit.config.

The user name is sent from Apache and Gerrit takes it (while trusting that Apache checks the password).

What's your config?

In the docs I see auth.httpHeader [1], which can change the ENV var from which the username is taken, but we didn't have to set that.

Yours
Steffen

[1] https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#auth.httpHeader

Maicon Kist

Jan 15, 2013, 9:39:51 AM
to repo-d...@googlegroups.com
Hi Steffen,

my gerrit.conf is as follows:

[gerrit]
basePath = /srv/git/
canonicalWebUrl = http://localhost:80/
[database]
type = MYSQL
hostname = localhost
database = reviewdb
username = gerrit2
[auth]
type = HTTP
httpHeader = SM_USER
[sendemail]
smtpServer = localhost
[container]
user = gerrit2
javaHome = /usr/lib/jvm/java-7-oracle/jre
[sshd]
listenAddress = *:29418
[httpd]
listenUrl = http://*:8080/
[cache]
directory = cache


If I remove the httpHeader, the authentication process works fine, but I always log on as an "Anonymous Coward" (I don't know how to solve this).

Thanks for your help.

Maicon Kist

Jan 15, 2013, 10:45:34 AM
to repo-d...@googlegroups.com
Steffen,

I managed to configure my user account.

The correct way is without the "httpHeader" configuration. So I can configure the user name in the "Settings" menu.

Now, the problem that I observed is that my user cannot vote on a review with +2 or -2, only -1, 0, +1. Do you know how I can solve this?

Best regards,

Steffen Gebert

Jan 15, 2013, 11:12:49 AM
to repo-discuss@googlegroups.com Discussion, Maicon Kist
Hi Maicon,

> The correct way is without the "httpHeader" configuration. So I can configure the user name in the "Settings" menu.
Against what do you check the password? If you also update the account during the login (using ssh gerrit set-account), you should be able to feed that information into Gerrit automatically.
(we're currently synchronizing that information once per hour into the DB, which isn't so nice - doing it on demand (=login) should IMHO work pretty well, too)

> Now, the problem that I observed is that my user cannot vote on a review with +2 or -2, only -1, 0, +1. Do you know how I can solve this?
Well, that's probably because you're not in a group that has these rights.
Do you have admin privileges for that new user? If it's the first one being created, I think you should automatically get them (if you don't have them, add yourself by inserting a row into account_group_members).

Yours
Steffen

Maicon Kist

Jan 16, 2013, 10:20:21 AM
to repo-d...@googlegroups.com, Maicon Kist
Hi Steffen,

I was not checking the password. I only changed the authentication script to always confirm the user.
But I managed to solve this; now I'm using the .htpasswd file.

But I'm stuck on the second problem. In this tutorial, the author creates a group and configures its permissions in the web page.
But for me the "Access" tab is not visible. I'm able to create new groups, but not to change their permissions.

Do you know how to solve this?

Thanks

Edwin Kempin

Jan 16, 2013, 10:23:19 AM
to Maicon Kist, repo-d...@googlegroups.com
2013/1/16 Maicon Kist <maico...@gmail.com>

> Hi Steffen,
>
> I was not checking the password. I only changed the authentication script to always confirm the user.
> But I managed to solve this; now I'm using the .htpasswd file.
>
> But I'm stuck on the second problem. In this tutorial, the author creates a group and configures its permissions in the web page.
> But for me the "Access" tab is not visible. I'm able to create new groups, but not to change their permissions.

The permissions for groups are assigned on the projects. Go to a project and find the "Access" tab there.

Maicon Kist

Jan 16, 2013, 10:33:59 AM
to repo-d...@googlegroups.com, Maicon Kist
Hi Edwin,

The "Access" tab has only the "Edit" option available. Clicking on it, the only things that can be changed are the "Commit Message" and the "Add Reference".

Thanks,

Maicon Kist

Jan 16, 2013, 10:51:23 AM
to repo-d...@googlegroups.com, Maicon Kist
Got it \o/

I added a "Label Code-Review" after clicking the "Edit" button and put in the group responsible for reviewing the commits.

Thanks Edwin

David Maul

Mar 17, 2016, 9:31:39 AM
to Repo and Gerrit Discussion, maico...@gmail.com
Steffen,

I have found your post to be very useful, in conjunction with looking at your Gerrit site. I wonder if you could show me the other relevant parts of your httpd.conf file (it seems you are using AuthType Form?) and perhaps your gerrit.config.
I am struggling with how the username/password, once input by the user, ends up as stdin for your PHP script. Any help would be appreciated. If you don't use AuthType Form, what are other ways for the username to be taken from the user?
Thank you.

Steffen Gebert

Mar 17, 2016, 10:00:52 AM
to David Maul, Repo and Gerrit Discussion, maico...@gmail.com
Hi David,

I've updated the gist to include the PHP file.
We are not using AuthType Form. We use AuthType Basic together with an external auth provider. That's why you get a usual browser-dialog when hitting https://review.typo3.org/login/.

> AddExternalAuth typo3org-auth /var/gerrit/scripts/typo3org-authentication.php
> SetExternalAuthMethod typo3org-auth pipe
>
> <Location "/login/">
> AuthType Basic
> AuthName "Review System - Please log in with your typo3.org username and passwords."
> AuthBasicProvider external
> AuthExternal typo3org-auth
> Require valid-user
> </Location>

Hope this helps.

Steffen
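With SetExternalAuthMethod set to pipe, Apache hands the user name and then the password to the checker on stdin, one per line, and accepts the login only when the process exits 0. The following checker is an added example in Python and is not the typo3.org PHP script from the gist; the user store, salt and sample password are constructed, and it verifies against PBKDF2 hashes with a constant-time comparison rather than against plaintext.

```python
"""Pipe-method authenticator for mod_authnz_external (added example).
Reads "<username>\n<password>\n" from stdin; exit 0 = accept, 1 = reject."""
import hashlib
import hmac
import io
import sys

_HASH_LEN = 32  # digest size of PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes, rounds: int = 50_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


# Constructed user store (username -> (salt, hash)). A deployment would load
# this from a file readable only by the Apache user, never store plaintext.
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
USERS = {"maicon": (_SALT, hash_password("correct horse", _SALT))}


def authenticate(stream, users=USERS) -> int:
    """Return the exit status Apache expects: 0 = accept, 1 = reject."""
    username = stream.readline().rstrip("\r\n")
    password = stream.readline().rstrip("\r\n")
    if not username or not password:
        return 1
    entry = users.get(username)
    # Hash even for unknown users so a missing account costs the same time
    # as a wrong password; compare_digest keeps the comparison constant-time.
    salt, expected = entry if entry else (_SALT, bytes(_HASH_LEN))
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return 0 if entry is not None and ok else 1


def authenticate_text(text: str) -> int:
    """Feed the two newline-terminated lines from a string (for testing)."""
    return authenticate(io.StringIO(text))


if __name__ == "__main__":
    sys.exit(authenticate(sys.stdin))
```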

David Maul

Mar 17, 2016, 10:30:27 AM
to Repo and Gerrit Discussion, dma...@gmail.com, maico...@gmail.com
Thanks. I do not see any documentation for AddExternalAuth or AuthBasicProvider external, and my httpd will not start with those directives in the conf file. Perhaps you are running a different version of httpd than I am.
I need to keep reading. My initial goal was to have the same SSH key (that allowed users to push to git) also authenticate them. Failing that, I would like to use the browser login dialog, but I cannot get it to appear.

David Maul

Mar 17, 2016, 3:02:43 PM
to Repo and Gerrit Discussion, dma...@gmail.com, maico...@gmail.com
OK, my distro does not support the external authentication provider... no problem. I can get the username/password dialog to appear now, but after I have authenticated, it sends me to the Gerrit page only as Anonymous Coward. My username is exactly the same as the one I could "Become" before (when using the unauthenticated approach: auth.type=DEVELOPMENT_BECOME_ANY_ACCOUNT). My plan now was for Apache (having authenticated me) to tell Gerrit, "yes that is him, and you already know him, so let him proceed as that user", but instead I am only Anonymous Coward. HELP? Why is the authenticated user name not being passed?

Thank you so much in advance for any help you are willing to provide.

Dave

Steffen Gebert

Mar 17, 2016, 5:48:02 PM
to David Maul, Repo and Gerrit Discussion, maico...@gmail.com
Hi David,

Maybe you just have to enable the module authnz_external IIRC (package is libapache2-mod-authnz-external on Debian).

Did you read through the "HTTP Basic/Digest Authentication" [1] docs? Did you set auth.type to HTTP?
Then, Apache should tell the authenticated name to Gerrit (resp. Gerrit should honor it).

Yours
Steffen


[1] https://gerrit-documentation.storage.googleapis.com/Documentation/2.12.2/config-sso.html#_http_basic_digest_authentication

David Maul

Mar 17, 2016, 6:43:16 PM
to Repo and Gerrit Discussion, dma...@gmail.com, maico...@gmail.com
I am running on Fedora 17, and Gerrit 2.5-rc. (Both very old.)
I believe I am compliant with

The authnz module is not in the Apache 2.4.4 distribution I have. But it is available at:
https://lists.fedoraproject.org/pipermail/package-announce/2012-May/080769.html

I am merely trying to use passwd file auth for now; I might eventually move to corporate LDAP or SSO, but neither is available to me at this time. Perhaps my troubles are due to the old versions of software I am running. I am able to enter username/password in the browser dialog box, but when ProxyPass sends it to Gerrit on port 8080, it sees me as Anonymous Coward, not as the username I authenticated with.

David Maul

Mar 22, 2016, 10:55:11 AM
to Repo and Gerrit Discussion, dma...@gmail.com, maico...@gmail.com
Steffen,

When one of your users logs in for the first time (on typo3) does he land at Gerrit as Anonymous Coward? That is still what is happening to me. The HTTP header (in Fiddler) shows:
No Proxy-Authorization Header is present.

Authorization Header is present: Basic RGF2ZU1hdWw6Zm9v
Decoded Username:Password= DaveMaul:foo

...so it appears that the authentication succeeded and is being relayed to Gerrit (along with the password which should be irrelevant). However, Gerrit is seemingly ignoring the username, unless I need to do something with Settings after I am seen as Anonymous Coward, to convince it who I really am.  In this case "DaveMaul" is already known to Gerrit as a user (left over from our initial configuration which was using http.auth=DEVELOPMENT_BECOME_ANY_ACCOUNT)

I tried to see this working on your site, but of course I do not have valid credentials there.

Regards, Dave

Andreas Sewe

Mar 24, 2016, 9:51:44 AM
to repo-d...@googlegroups.com
Hi,

> ...so it appears that the authentication succeeded and is being relayed
> to Gerrit (along with the password which should be irrelevant). However,
> Gerrit is seemingly ignoring the username, unless I need to do something
> with Settings after I am seen as Anonymous Coward, to convince it who I
> really am. In this case "DaveMaul" is already known to Gerrit as a user
> (left over from our initial configuration which was using
> http.auth=DEVELOPMENT_BECOME_ANY_ACCOUNT)

I also had this problem recently. The root cause is that your DaveMaul
user created while DEVELOPMENT_BECOME_ANY_ACCOUNT was active does not
have an external_id of "gerrit:DaveMaul" in the account_external_ids
database table.

Apparently, Gerrit tries to match your Authorization header of
"DaveMaul" against an existing user, doesn't find any, and then decides
to create a new user named "DaveMaul" -- which also fails.

If you have gsql access, you can just do the following:

ssh -p 29418 USERNAME@HOST gerrit gsql

On the GSQL prompt:

SELECT * FROM account_external_ids;

Note the account_id of the existing DaveMaul, update and verify:

INSERT INTO account_external_ids VALUES(ACCOUNT_ID, NULL, NULL,
'gerrit:DaveMaul');
SELECT * FROM account_external_ids;
\q

Hope this helps,

Andreas

--
Codetrails GmbH
The knowledge transfer company

Robert-Bosch-Str. 7, 64293 Darmstadt
Phone: +49-6151-276-7092
Mobile: +49-170-811-3791
http://www.codetrails.com/

Managing Director: Dr. Marcel Bruch
Handelsregister: Darmstadt HRB 91940
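The lookup Andreas describes, as an added example that is not Gerrit's own code: Gerrit resolves the proxy-authenticated name through account_external_ids, so an account created under DEVELOPMENT_BECOME_ANY_ACCOUNT without a "gerrit:<username>" row resolves to nobody (the Anonymous Coward symptom) until that row is inserted. The in-memory SQLite table is a constructed fixture whose column order (account_id, email_address, password, external_id) is assumed from the INSERT quoted above; the Authorization header value is the one posted in the thread.

```python
"""Why a 'Become' account logs in as Anonymous Coward under auth.type = HTTP,
and how the external-id insert fixes it (added example, not Gerrit code)."""
import base64
import sqlite3


def username_from_basic_header(value: str) -> str:
    """Extract the user name from 'Basic <base64 user:pass>'. The password
    is decoded and discarded: Apache has already verified it."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, _password = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep or not user:
        raise ValueError("malformed Basic credential")
    return user


def open_reviewdb() -> sqlite3.Connection:
    """Constructed fixture (assumed schema): one account that was created via
    'Become' and therefore has only a mailto: external id, no gerrit: one."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account_external_ids (account_id INTEGER, "
               "email_address TEXT, password TEXT, external_id TEXT)")
    db.execute("INSERT INTO account_external_ids VALUES (1000001, "
               "'dave@example.invalid', NULL, 'mailto:dave@example.invalid')")
    return db


def resolve_http_user(db: sqlite3.Connection, username: str):
    """Account bound to external id gerrit:<username>, or None (anonymous)."""
    row = db.execute("SELECT account_id FROM account_external_ids "
                     "WHERE external_id = ?", ("gerrit:" + username,)).fetchone()
    return row[0] if row else None


def link_external_id(db: sqlite3.Connection, account_id: int, username: str) -> None:
    """The fix from the thread: bind the existing account to gerrit:<username>."""
    db.execute("INSERT INTO account_external_ids VALUES (?, NULL, NULL, ?)",
               (account_id, "gerrit:" + username))


def demo():
    db = open_reviewdb()
    user = username_from_basic_header("Basic RGF2ZU1hdWw6Zm9v")  # header from the thread
    before = resolve_http_user(db, user)   # None: no gerrit:DaveMaul row yet
    link_external_id(db, 1000001, user)
    after = resolve_http_user(db, user)    # 1000001: now resolves to the account
    return user, before, after
```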

David Maul

Mar 24, 2016, 11:13:17 AM
to Repo and Gerrit Discussion
Perfect! Thank you so much for the help.