How to migrate Gerrit LDAP users to AWS Cognito oauth?


ishan badgainya

Apr 3, 2025, 8:10:58 AM
to Repo and Gerrit Discussion
I have configured the AWS Cognito pool and OAUTH provider in my test Gerrit Setup.
When I create a new user in the Cognito user pool, I can use that user to log in to Gerrit.

However, when I create a Cognito user with a username that already exists in Gerrit, the UI shows 'Forbidden' while logging in and the error_log shows the following:

Note:
I already have existing users in Gerrit which came via an AD LDAP server. I am trying to find a way to migrate existing LDAP users in Gerrit to OAuth Cognito.

error_log:
[2025-04-03T10:56:38.354Z] [HTTP GET /oauth?code=redacted&state= redacted  %3D (N/A from  redacted  )] ERROR com.google.gerrit.httpd.auth.oauth.OAuthSession : Unable to authenticate user "com.google.gerrit.extensions.auth.oauth.OAuthUserInfo@6b8c76e9"
com.google.gerrit.server.account.AccountException: Cannot assign external ID "username:
redacted " to account 100xxx0; external ID already in use.
        at com.google.gerrit.server.account.AccountManager.create(AccountManager.java:313)
        at com.google.gerrit.server.account.AccountManager.authenticate(AccountManager.java:152)
        at com.google.gerrit.httpd.auth.oauth.OAuthSession.authenticateAndRedirect(OAuthSession.java:151)
        at com.google.gerrit.httpd.auth.oauth.OAuthSession.login(OAuthSession.java:115)
        at com.google.gerrit.httpd.auth.oauth.OAuthWebFilter.doFilter(OAuthWebFilter.java:105)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.gerrit.httpd.RequireSslFilter.doFilter(RequireSslFilter.java:72)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:120)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.gerrit.httpd.SetThreadNameFilter.doFilter(SetThreadNameFilter.java:62)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:139)
        at com.googlesource.gerrit.plugins.replication.pull.api.PullReplicationFilter.doFilter(PullReplicationFilter.java:139)
        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:135)
        at com.googlesource.gerrit.plugins.replication.pull.api.BearerAuthenticationFilter.doFilter(BearerAuthenticationFilter.java:101)
        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:135)
        at com.googlesource.gerrit.plugins.replication.pull.api.PullReplicationApiMetricsFilter.doFilter(PullReplicationApiMetricsFilter.java:51)
        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:135)
        at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
        at net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
        at com.googlesource.gerrit.plugins.javamelody.GerritMonitoringFilter.doFilter(GerritMonitoringFilter.java:66)
        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:135)
        at com.google.gerrit.httpd.AllowRenderInFrameFilter.doFilter(AllowRenderInFrameFilter.java:56)
        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:135)
        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:141)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.gerrit.httpd.RequestCleanupFilter.doFilter(RequestCleanupFilter.java:60)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.gerrit.httpd.RequestMetricsFilter.doFilter(RequestMetricsFilter.java:92)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:64)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
        at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
        at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
        at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1435)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
        at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1350)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
        at org.eclipse.jetty.server.Server.handle(Server.java:516)
        at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
        at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:273)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
        at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
        at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:336)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:313)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:171)
        at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:129)
        at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:375)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:773)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:905)
        at java.base/java.lang.Thread.run(Thread.java:829)

gerrit.config:
[auth]
  type = OAUTH
  gitBasicAuthPolicy = HTTP

[plugin "gerrit-oauth-provider-cognito-oauth"]
  root-url = https://ap-south-1<redacted>.amazoncognito.com
  client-id =  redacted
  client-secret = redacted

[httpd]
  listenUrl = proxy-https://*:8086/
  maxThreads = 5000
  idleTimeout = 3600s
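
Added example (not part of the original post, and not Gerrit or plugin code): a Python script that scans a Gerrit error_log for the "external ID already in use" rejection shown above and lists which external IDs blocked an OAuth login, so the colliding LDAP-era accounts can be identified during a migration. The sample log is constructed, and the regular expressions assume the message and timestamp format seen in this post.

```python
import re
from collections import defaultdict

# Message text as it appears in the post's error_log. \s* tolerates whitespace
# or a line wrap around the identifier, as in the pasted (redacted) log.
COLLISION = re.compile(
    r'Cannot assign external ID "(?P<scheme>[\w-]+):\s*(?P<ident>[^"]*?)\s*" '
    r'to account (?P<new_account>\S+); external ID already in use'
)
# Each error_log entry starts with a bracketed UTC timestamp.
TIMESTAMP = re.compile(r'^\[(\d{4}-\d{2}-\d{2}T[\d:.]+Z)\]', re.M)

# Constructed sample input (usernames, account IDs and addresses are made up).
SAMPLE_LOG = '''\
[2025-01-01T10:00:00.000Z] [HTTP GET /oauth?code=x&state=y (N/A from 192.0.2.10)] ERROR com.google.gerrit.httpd.auth.oauth.OAuthSession : Unable to authenticate user "OAuthUserInfo@1"
com.google.gerrit.server.account.AccountException: Cannot assign external ID "username:
jdoe " to account 1000042; external ID already in use.
        at com.google.gerrit.server.account.AccountManager.create(AccountManager.java:313)
[2025-01-01T10:05:00.000Z] [HTTP GET /oauth?code=x&state=y (N/A from 192.0.2.11)] ERROR com.google.gerrit.httpd.auth.oauth.OAuthSession : Unable to authenticate user "OAuthUserInfo@2"
com.google.gerrit.server.account.AccountException: Cannot assign external ID "username:asmith" to account 1000043; external ID already in use.
[2025-01-01T10:06:00.000Z] [main] INFO unrelated entry
[2025-01-01T10:09:00.000Z] [HTTP GET /oauth?code=x&state=y (N/A from 192.0.2.10)] ERROR com.google.gerrit.httpd.auth.oauth.OAuthSession : Unable to authenticate user "OAuthUserInfo@3"
com.google.gerrit.server.account.AccountException: Cannot assign external ID "username:jdoe" to account 1000044; external ID already in use.
'''


def find_collisions(log_text):
    """Map each contested external ID to [(timestamp, rejected_account_id), ...]."""
    hits = defaultdict(list)
    # Cut the log into entries at timestamped lines so stack frames stay attached.
    starts = [m.start() for m in TIMESTAMP.finditer(log_text)] + [len(log_text)]
    for begin, end in zip(starts, starts[1:]):
        entry = log_text[begin:end]
        m = COLLISION.search(entry)
        if m:
            stamp = TIMESTAMP.match(entry).group(1)
            hits[f"{m['scheme']}:{m['ident']}"].append((stamp, m['new_account']))
    return dict(hits)


def migration_worklist(log_text):
    """External IDs that blocked a login, most frequently blocked first."""
    hits = find_collisions(log_text)
    return sorted(hits, key=lambda k: (-len(hits[k]), k))


if __name__ == "__main__":
    for ext_id in migration_worklist(SAMPLE_LOG):
        attempts = find_collisions(SAMPLE_LOG)[ext_id]
        print(f"{ext_id}: {len(attempts)} rejected login(s), last at {attempts[-1][0]}")
```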

ishan badgainya

Apr 7, 2025, 12:59:46 AM
to Repo and Gerrit Discussion
I have checked and it looks like we need a similar fix for LDAP to Cognito migration -  gerrit/account: Reuse LDAP account ID when transitions to Google OAuth (350455) · Gerrit Code Review
Can someone help to do this? 

lucamilanesio

Apr 14, 2025, 9:08:28 AM
to Repo and Gerrit Discussion
On Monday, April 7, 2025 at 5:59:46 AM UTC+1 ishan badgainya wrote:
I have checked and it looks like we need a similar fix for LDAP to Cognito migration -  gerrit/account: Reuse LDAP account ID when transitions to Google OAuth (350455) · Gerrit Code Review
Can someone help to do this? 

Which Gerrit version are you using?
If the version is still supported (see [1]), have you raised a feature request?

You have two options here: the general support (see [2]) and the enterprise support (see [3]).
For raising a feature request, see [4].

HTH

Luca.

ishan badgainya

May 13, 2025, 8:44:49 AM
to Repo and Gerrit Discussion
Hi Luca,
To fix this issue I have raised a patch in oauth plugin.

However, I have not received any response from David on this patch.

Is there any other way I can get this patch reviewed and merged? 

Luca Milanesio

May 13, 2025, 9:04:11 AM
to Repo and Gerrit Discussion, Luca Milanesio

On 13 May 2025, at 13:44, 'ishan badgainya' via Repo and Gerrit Discussion <repo-d...@googlegroups.com> wrote:

Hi Luca,
To fix this issue I have raised a patch in oauth plugin.

However, I have not received any response from David on this patch.

Have you tried pinging David?
I’ve posted my comments in the meantime.

Luca.


ishan

May 17, 2025, 1:38:23 AM
to Repo and Gerrit Discussion
Hi Luca,
Thanks for your review comments. I have addressed them all.
Yes, I have tried reaching out to David but got no response. (Discord)

Luca Milanesio

May 19, 2025, 8:31:36 AM
to Repo and Gerrit Discussion, Luca Milanesio

On 17 May 2025, at 06:38, ishan <isha...@gmail.com> wrote:

Hi Luca,
Thanks for your review comments. I have addressed them all.

I already receive a notification when you mention me or add a review; there’s no point in also pinging the mailing list.
Thanks for the contribution, we’ll continue the review on gerrit-review.googlesource.com.

Luca.
