Unauthorized for REST API

[Nigel Babu]

Hello,

I've been noticing that our build user constantly gets Unauthorized if I try to have it use the REST API on Jenkins. I've verified that I cannot do a curl request for any endpoint with that user as well. Anyone have suggestions of where I should look for issues?

--

nigelb

[Nigel Babu]

For what it's worth, this works:

curl --user nigelbabu:<password> https://gerrit-server/a/accounts/self/detail
curl -u nigelbabu:<password> -H 'X-Gerrit-RunAs:build' https://gerrit-server/a/accounts/self/detail

This doesn't work:
curl --user build:<password> https://gerrit-server/a/accounts/self/detail

--

nigelb

[David Pursehouse]

On Tue, Jun 14, 2016 at 1:38 PM Nigel Babu <nig...@redhat.com> wrote:

For what it's worth, this works:

curl --user nigelbabu:<password> https://gerrit-server/a/accounts/self/detail
curl -u nigelbabu:<password> -H 'X-Gerrit-RunAs:build' https://gerrit-server/a/accounts/self/detail

This doesn't work:
curl --user build:<password> https://gerrit-server/a/accounts/self/detail

Does the "build" user have an HTTP password set?

 

[Nigel Babu]

Yep. I tried setting a new password and that didn't help either.

--

nigelb

[luca.mi...@gmail.com]

Have you tried logging in to Gerrit WebUI as build?

Sent from my iPhone

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Nigel Babu]

build is a bot user and we have github authentication. Is there a way to sign in as the build user in this case at all?

I do notice this in the gerrit error logs: http://dpaste.com/325X3RD

--

nigelb

[Luca Milanesio]

If you cannot login as build because it was already used previously ... there is no way you can execute any REST-API.

Luca.

[Nigel Babu]

Thanks Luca,

I tried creating a new user from the command-line and ran into a similar problem. The only thing that works is if I get another entry in the account_external_ids table with a row that has `gerrit:build` in external_ids column. Is this intentional?

--

nigelb

[Luca Milanesio]

Creating users from the command line *would not* create real users on your Auth backend and thus would never work.

The users created from the command line are meant to be used for batch automation and can only login via SSH keys AFAIK.

Luca.

[Edwin Kempin]

On Tue, Jun 14, 2016 at 10:32 AM, Luca Milanesio <luca.mi...@gmail.com> wrote:

Creating users from the command line *would not* create real users on your Auth backend and thus would never work.

The users created from the command line are meant to be used for batch automation and can only login via SSH keys AFAIK.

Have a look at [1] :-)

[1] https://gerrit-review.googlesource.com/56031

[Luca Milanesio]

I thought Nigel was using GitHub authentication and not LDAP.

Enabling the gitBasicAuth = true may have an impact on how existing users are connecting at the moment: not sure if that would work but it's worth trying :-)

Luca.

[Edwin Kempin]

On Tue, Jun 14, 2016 at 10:43 AM, Luca Milanesio <luca.mi...@gmail.com> wrote:

I thought Nigel was using GitHub authentication and not LDAP.

Enabling the gitBasicAuth = true may have an impact on how existing users are connecting at the moment: not sure if that would work but it's worth trying :-)

Yeah, no idea if this works with GitHub authentication...

[Nigel Babu]

No luck with gitBasicAuth = true. This feels like a bug to me. Service users should ideally be able to access the REST API (for instance if you have Jenkins Trigger which works best with access to REST API). Is this worth filing a bug about?

[Luca Milanesio]

Not really a bug :-) gitBasicAuth has been designed to work with LDAP ... which I see is not your case.

Let's put differently: if *that worked* it would have been a bug :-D

Luca.

[Nigel Babu]

Okay, so this means service users cannot access REST api when using Github authentication. Correct?

--

nigelb

[Luca Milanesio]

Nope, they can ... but they have to be valid GitHub users :-)

Your RedHat colleagues working on the OpenStack platform are already using GerritHub.io and have lots of Jenkins jobs associated to them:

https://review.gerrithub.io/#/admin/projects/?filter=redhat-openstack%252F

It is definitely a supported use-case.

Luca.

[Nigel Babu]

Ah!

I'll go around to creating new build users on github and corresponding gerrit users. Thank you, again, for jumping in and helping :)

--

nigelb