null email error when adding an ssh key for some saml users


euph...@gmail.com

Mar 18, 2021, 3:50:13 AM
to Repo and Gerrit Discussion
We're running Gerrit 3.3.2 (after a recent upgrade), and are using SAML for authentication, with Okta for the auth provider.  We've discovered that we can no longer add ssh keys to a couple of service accounts, and I believe this was working before the upgrade to 3.3.2 (it may have also been broken in 3.2.7; we were only running that briefly as a stepping stone from 3.1 to 3.3.2).  When I try to add an ssh key to one of the affected accounts, I get a popup with this error:

"An error occurred
Error 500 (Server Error): Internal server error
Endpoint: /accounts/self/sshkeys"

Looking in error_log, I see this:

[2021-03-18T00:25:14.661-07:00] [HTTP POST /accounts/self/sshkeys (svc-es-ldap from 10.58.0.234)] ERROR com.google.gerrit.httpd.restapi.RestApiServlet : Error in POST /accounts/self/sshkeys: NullPointerException
java.lang.NullPointerException: Null email
<with a lengthy backtrace -- I've included the entire backtrace at the end of this email>

Clearly it has a problem with something about this account's email address.  When I look at this account's settings, in the profile section the Email field is blank.  However, when I look in the "Email Addresses" section of settings, I see the account's email address is correct and listed as the only address.  Where is the Email field in the Profile supposed to get populated from, and how can I correct it?  I tried using the ssh command gerrit set-account --add-email, but it errored out with "fatal: realm does not allow adding emails".  I looked through refs/meta/external-ids in All-Users, but the offending accounts look pretty much the same as my own with respect to how the email address appears (domain name changed to avoid annoying our security group):

[externalId "gerrit:svc-es-ldap"]
accountId = 7

Historically, we started with LDAP against our AD server for authentication, then moved to using SAML with Okta.  When I look at the account in Okta, I see the account has the correct email address in its attributes.  When I look at the AD account, I see that it also has the correct email address listed.  I would not be surprised if the account did not have an email address in the AD account metadata when we first used it with Gerrit (before changing to SAML/Okta).

What do I need to do to get this account's email address to show up in its Profile in the Email field?  I suspect that's caused by the same missing metadata as the error when adding an ssh key.

I haven't seen a similar issue with any of our normal user accounts, just a couple of service accounts.  When I log into Gerrit with my own account, my Email field in my Profile has my email address, and I can still add ssh keys.


thanks,
--Andrew

[2021-03-18T00:25:14.661-07:00] [HTTP POST /accounts/self/sshkeys (svc-es-ldap from 10.58.0.234)] ERROR com.google.gerrit.httpd.restapi.RestApiServlet : Error in POST /accounts/self/sshkeys: NullPointerException
java.lang.NullPointerException: Null email
at com.google.gerrit.entities.AutoValue_Address.<init>(AutoValue_Address.java:18)
at com.google.gerrit.entities.Address.create(Address.java:61)
at com.google.gerrit.entities.Address.create(Address.java:57)
at com.google.gerrit.server.mail.send.AddKeySender.init(AddKeySender.java:71)
at com.google.gerrit.server.mail.send.OutgoingEmail.send(OutgoingEmail.java:115)
at com.google.gerrit.server.restapi.account.AddSshKey.apply(AddSshKey.java:109)
at com.google.gerrit.server.restapi.account.AddSshKey.apply(AddSshKey.java:84)
at com.google.gerrit.server.restapi.account.AddSshKey.apply(AddSshKey.java:52)
at com.google.gerrit.httpd.restapi.RestApiServlet.lambda$invokeRestCollectionModifyViewWithRetry$10(RestApiServlet.java:867)
at com.github.rholder.retry.AttemptTimeLimiters$NoAttemptTimeLimit.call(AttemptTimeLimiters.java:78)
at com.github.rholder.retry.Retryer.call(Retryer.java:160)
at com.google.gerrit.server.update.RetryHelper.executeWithTimeoutCount(RetryHelper.java:561)
at com.google.gerrit.server.update.RetryHelper.execute(RetryHelper.java:504)
at com.google.gerrit.server.update.RetryableAction.call(RetryableAction.java:172)
at com.google.gerrit.httpd.restapi.RestApiServlet.invokeRestEndpointWithRetry(RestApiServlet.java:892)
at com.google.gerrit.httpd.restapi.RestApiServlet.invokeRestCollectionModifyViewWithRetry(RestApiServlet.java:862)
at com.google.gerrit.httpd.restapi.RestApiServlet.service(RestApiServlet.java:563)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:290)
at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:280)
at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:184)
at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:89)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
at com.google.gerrit.httpd.raw.StaticModule$PolyGerritFilter.doFilter(StaticModule.java:387)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.GetUserFilter.doFilter(GetUserFilter.java:92)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.RequireSslFilter.doFilter(RequireSslFilter.java:72)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:120)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.SetThreadNameFilter.doFilter(SetThreadNameFilter.java:62)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:139)
at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
at com.googlesource.gerrit.plugins.javamelody.GerritMonitoringFilter.doFilter(GerritMonitoringFilter.java:66)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:135)
at com.google.gerrit.httpd.AllowRenderInFrameFilter.doFilter(AllowRenderInFrameFilter.java:56)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:135)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:141)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.RequestCleanupFilter.doFilter(RequestCleanupFilter.java:60)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.RequestMetricsFilter.doFilter(RequestMetricsFilter.java:57)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:64)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at com.googlesource.gerrit.plugins.saml.SamlWebFilter.doFilter(SamlWebFilter.java:172)
at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.RequestLogHandler.handle(RequestLogHandler.java:54)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
at org.eclipse.jetty.server.Server.handle(Server.java:516)
at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:540)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:395)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:161)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905)
at java.base/java.lang.Thread.run(Thread.java:834)
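
Added example (not part of the original post and not Gerrit project code): a Python scan of error_log, in the entry format quoted above, that lists which accounts hit the "Null email" failure when uploading an SSH key. The sample log is constructed; the accounts svc-example and jdoe, their addresses and the second exception are made up, and the `[timestamp] [context]` header for every entry is an assumption based on the quoted line.

```python
import re
from collections import defaultdict

# Entry header as it appears in the error_log line quoted in the post:
# [timestamp] [context] LEVEL logger : message
ENTRY = re.compile(r"^\[(?P<ts>\d{4}-\d{2}-\d{2}T[^\]]+)\] \[(?P<ctx>[^\]]*)\]")
# REST context: HTTP POST <path> (<user> from <ip>)
CTX = re.compile(r"^HTTP POST (?P<path>\S+/sshkeys) \((?P<user>\S+) from (?P<ip>[^)]+)\)$")

def affected_accounts(lines):
    """Return {username: [(timestamp, source_ip), ...]} for SSH key uploads
    that failed with 'Null email' raised beneath AddKeySender."""
    hits = defaultdict(list)
    req, ts, null_email = None, None, False
    for line in lines:
        entry = ENTRY.match(line)
        if entry:  # a new log entry resets the per-entry state
            req, ts, null_email = CTX.match(entry["ctx"]), entry["ts"], False
            continue
        if req is None:
            continue
        text = line.strip()
        if text == "java.lang.NullPointerException: Null email":
            null_email = True
        elif null_email and text.startswith("at ") and ".AddKeySender." in text:
            hits[req["user"]].append((ts, req["ip"]))
            req = None  # count each failed request once
    return dict(hits)

# Constructed sample. The first entry is abridged from the post; the other two
# (svc-example, jdoe, their IPs and the second exception) are made up.
SAMPLE = """\
[2021-03-18T00:25:14.661-07:00] [HTTP POST /accounts/self/sshkeys (svc-es-ldap from 10.58.0.234)] ERROR com.google.gerrit.httpd.restapi.RestApiServlet : Error in POST /accounts/self/sshkeys: NullPointerException
java.lang.NullPointerException: Null email
at com.google.gerrit.entities.Address.create(Address.java:61)
at com.google.gerrit.server.mail.send.AddKeySender.init(AddKeySender.java:71)
[2021-03-18T01:02:03.000-07:00] [HTTP POST /accounts/self/sshkeys (jdoe from 192.0.2.7)] ERROR com.google.gerrit.httpd.restapi.RestApiServlet : Error in POST /accounts/self/sshkeys: IllegalStateException
java.lang.IllegalStateException: constructed unrelated failure
at com.example.Constructed.frame(Constructed.java:1)
[2021-03-18T02:10:00.000-07:00] [HTTP POST /accounts/self/sshkeys (svc-example from 192.0.2.10)] ERROR com.google.gerrit.httpd.restapi.RestApiServlet : Error in POST /accounts/self/sshkeys: NullPointerException
java.lang.NullPointerException: Null email
\tat com.google.gerrit.server.mail.send.AddKeySender.init(AddKeySender.java:71)
"""

if __name__ == "__main__":
    for user, events in affected_accounts(SAMPLE.splitlines()).items():
        print(user, events)
```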

Luca Milanesio

Mar 18, 2021, 6:44:10 AM
to Repo and Gerrit Discussion, Luca Milanesio, euph...@gmail.com

On 18 Mar 2021, at 07:50, euph...@gmail.com <euph...@gmail.com> wrote:

> We're running Gerrit 3.3.2 (after a recent upgrade), and are using SAML for authentication, with Okta for the auth provider.  We've discovered that we can no longer add ssh keys to a couple of service accounts, and I believe this was working before the upgrade to 3.3.2 (it may have also been broken in 3.2.7; we were only running that briefly as a stepping stone from 3.1 to 3.3.2).  When I try to add an ssh key to one of the affected accounts, I get a popup with this error:
>
> "An error occurred
> Error 500 (Server Error): Internal server error
> Endpoint: /accounts/self/sshkeys"
>
> Looking in error_log, I see this:
>
> [2021-03-18T00:25:14.661-07:00] [HTTP POST /accounts/self/sshkeys (svc-es-ldap from 10.58.0.234)] ERROR com.google.gerrit.httpd.restapi.RestApiServlet : Error in POST /accounts/self/sshkeys: NullPointerException
> java.lang.NullPointerException: Null email
> <with a lengthy backtrace -- I've included the entire backtrace at the end of this email>

This is a known issue (see [1]) which is fixed in stable-3.3.
If you would like to have an immediate fix, just download the release.war from the latest stable-3.3 branch on Gerrit-CI build at [2].

HTH

Luca.

