New plugin: Login Redirect Plug-in
353 views
Skip to first unread message
Gustaf Lundh
Oct 25, 2018, 4:43:03 AM10/25/18
to Repo and Gerrit Discussion
A small plug-in that directs anonymous users to a login screen.
Description:
In Gerrit it is not very clear when you are browsing anonymously and a user may be confused over why their dashboard/changes are not listed or visible. By enforcing users to be logged in, this is a non-issue.
Background:
All our users are expected to belong to a certain LDAP-group. We previously enforced this using a reverse proxy, but that made it harder for users to use the REST-API (the http password especially). Also, we ended up with AD authentication in the reverse-proxy in addition to Gerrit. We wanted Gerrit to own the whole authentication and authorization chain.
If our users browse Gerrit anonymously, pretty much no project/change is visible to them. This plug-in redirects the anonymous users to the login screen, enforcing that the user must be a logged-in user to browse the UI. This minimizes confusion for our users and makes the user experience nicer (no need to find and click the "Login" link).
A while ago, I saw some stackoverflow question about this and figured that the plugin may benefit other Gerrit users.
If you think this is applicable to other installations, please create a repo ("login-redirect") on gerrit-review for the plugin.
/Gustaf
David Pursehouse
Oct 25, 2018, 5:13:25 AM10/25/18
to Gustaf Lundh, Repo and Gerrit Discussion
The group "plugins-login-redirect" has the Owner permission. You and Sven are members of that group.
--/Gustaf
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Gustaf Lundh
Oct 25, 2018, 5:36:38 AM10/25/18
to David Pursehouse, Repo and Gerrit Discussion
Thanks for handling it so quickly. The code is pushed.
/Gustaf
From: David Pursehouse <david.pu...@gmail.com>
Sent: Thursday, October 25, 2018 11:13 AM
To: Gustaf Lundh
Cc: Repo and Gerrit Discussion
Subject: Re: New plugin: Login Redirect Plug-in
Sent: Thursday, October 25, 2018 11:13 AM
To: Gustaf Lundh
Cc: Repo and Gerrit Discussion
Subject: Re: New plugin: Login Redirect Plug-in
David Howden
Oct 28, 2018, 12:27:49 AM10/28/18
to Repo and Gerrit Discussion
This is great!
Is it possible to also setup automated building for this plugin at gerrit-ci.gerritforge.com, or is there currently another source for downloading the built artefacts?
On Thursday, 25 October 2018 20:36:38 UTC+11, Gustaf Lundh wrote:
Thanks for handling it so quickly. The code is pushed.
/Gustaf
From: David Pursehouse <david.pu...@gmail.com>
Sent: Thursday, October 25, 2018 11:13 AM
To: Gustaf Lundh
Cc: Repo and Gerrit Discussion
Subject: Re: New plugin: Login Redirect Plug-in
On Thu, Oct 25, 2018 at 5:43 PM Gustaf Lundh <gustaf...@axis.com> wrote:
A small plug-in that directs anonymous users to a login screen.
Description:In Gerrit it is not very clear when you are browsing anonymously and a user may be confused over why their dashboard/changes are not listed or visible. By enforcing users to be logged in, this is a non-issue.
Background:All our users are expected to belong to a certain LDAP-group. We previously enforced this using a reverse proxy, but that made it harder for users to use the REST-API (the http password especially). Also, we ended up with AD authentication in the reverse-proxy in addition to Gerrit. We wanted Gerrit to own the whole authentication and authorization chain.
If our users browse Gerrit anonymously, pretty much no project/change is visible to them. This plug-in redirects the anonymous users to the login screen, enforcing that the user must be a logged-in user to browse the UI. This minimizes confusion for our users and makes the user experience nicer (no need to find and click the "Login" link).
A while ago, I saw some stackoverflow question about this and figured that the plugin may benefit other Gerrit users.
If you think this is applicable to other installations, please create a repo ("login-redirect") on gerrit-review for the plugin.
The group "plugins-login-redirect" has the Owner permission. You and Sven are members of that group.
--
/Gustaf
--
To unsubscribe, email repo-discus...@googlegroups.com
David Howden
Oct 30, 2018, 5:12:23 PM10/30/18
to repo-d...@googlegroups.com
Ok, so the built plugin is available from: https://gerrit-ci.gerritforge.com/job/plugin-login-redirect-bazel-master-master/
Unfortunately in my configuration it causes a redirect loop, so shelving for now. I suspect that it is not compatible with the OAuth plugin.
To unsubscribe, email repo-discuss...@googlegroups.com
Gustaf Lundh
Oct 30, 2018, 5:38:47 PM10/30/18
to Repo and Gerrit Discussion
That is a bit strange. We are not running OAuth, so that may indeed be the root cause.
Could you send me some typical URLs involved in the redirection loop so I get a chance to fix it?
/Gustaf
David Howden
Nov 1, 2018, 7:16:05 AM11/1/18
to gustaf...@axis.com, repo-d...@googlegroups.com
After a little experimentation, the plugin seems to work fine with OAuth for.
1. Completely logged out sessions (redirects to the oauth login page correctly)
2. Logged in sessions.
It doesn't work in the situation where the OAuth credentials have expired and need to be refreshed (in which case gerrit normally pops up a "Refresh Credentials" alert). It then starts a loop:
GERRIT_URL/login/ -> oauth provider (in this case google) -> GERRIT_URL/oauth?...
Hope this helps!
Best,
David.
Gustaf Lundh
Nov 1, 2018, 8:34:57 AM11/1/18
to David Howden, repo-d...@googlegroups.com
Thanks. Added "/oauth" to the whitelist:
https://gerrit-review.googlesource.com/c/plugins/login-redirect/+/202519
/Gustaf
From: David Howden <dho...@gmail.com>
Sent: Thursday, November 1, 2018 12:15 PM
To: Gustaf Lundh
Cc: repo-d...@googlegroups.com
Sent: Thursday, November 1, 2018 12:15 PM
To: Gustaf Lundh
Cc: repo-d...@googlegroups.com
David Howden
Nov 1, 2018, 4:00:45 PM11/1/18
to gustaf...@axis.com, repo-d...@googlegroups.com
Great, thanks! If I could +1 it, I would! :-)
James Hartig
Nov 15, 2018, 2:53:23 PM11/15/18
to dho...@gmail.com, gustaf...@axis.com, repo-d...@googlegroups.com
It looks like the /tools/hooks/commit-msg path needs to be excluded as well. When we try and curl the commit-msg hook when checking out a repo, its downloading a redirect page.
Thanks
Gustaf Lundh
Nov 16, 2018, 4:25:25 AM11/16/18
to Repo and Gerrit Discussion
On Thursday, November 15, 2018 at 8:53:23 PM UTC+1, James Hartig wrote:
It looks like the /tools/hooks/commit-msg path needs to be excluded as well. When we try and curl the commit-msg hook when checking out a repo, its downloading a redirect page.Thanks
Thanks for the report.
/Gustaf
Reply all
Reply to author
Forward
0 new messages