Gerrit 3.13 service users
37 views
Skip to first unread message
Alon Bar-Lev
Jan 29, 2026, 5:12:10 PM (6 days ago) Jan 29
to Repo and Gerrit Discussion
Hi,
Auth tokens were introduced in Gerrit-3.13 which is a nice feature for interactive users.
What is the solution for service users?
How will bots authenticate to the system?
So far I used the serviceuser plugin.
Hopefully, this will be supported, as bot users are not part of the interactive authentication scheme,
I just upgraded and found serviceuser plugin is failing and is not listed in the plugin management.
Without this plugin installed bots succeed authentication which is nice as it gives me some grace time.
I succeeded in building the serviceuser master with gerrit master.
Too many issues building the serviceusers with gerrit stable-3.12.
Cherry-pick into gerrit stable-3.13 of 527882: Allow to add additional receivers to auth token expiry notifications[1] makes it build.
I applied the following simple patch, hopefully it is ok until I understand what is happening.
Regards,
Alon
---
diff --git
a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/email/ServiceUserAuthTokenExpiryNotifier.java
b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/email/ServiceUserAuthTokenExpiryNotifier.java
index dc2732b..c741829 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/email/ServiceUserAuthTokenExpiryNotifier.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/email/ServiceUserAuthTokenExpiryNotifier.java
@@ -153,7 +153,7 @@ public class ServiceUserAuthTokenExpiryNotifier implements Runnable {
.createOutgoingEmail(
AUTH_TOKEN_WILL_EXPIRE,
emailFactories.createAuthTokenWillExpireEmail(
- account, token, owners, authTokenSettingsUrl))
+ account, token))
.send();
}
}
index dc2732b..c741829 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/email/ServiceUserAuthTokenExpiryNotifier.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/email/ServiceUserAuthTokenExpiryNotifier.java
@@ -153,7 +153,7 @@ public class ServiceUserAuthTokenExpiryNotifier implements Runnable {
.createOutgoingEmail(
AUTH_TOKEN_WILL_EXPIRE,
emailFactories.createAuthTokenWillExpireEmail(
- account, token, owners, authTokenSettingsUrl))
+ account, token))
.send();
}
}
Alon Bar-Lev
Jan 29, 2026, 6:09:12 PM (6 days ago) Jan 29
to Repo and Gerrit Discussion
On Fri, 30 Jan 2026 at 00:11, Alon Bar-Lev <alon....@gmail.com> wrote:
Hi,Auth tokens were introduced in Gerrit-3.13 which is a nice feature for interactive users.What is the solution for service users?How will bots authenticate to the system?So far I used the serviceuser plugin.Hopefully, this will be supported, as bot users are not part of the interactive authentication scheme,I just upgraded and found serviceuser plugin is failing and is not listed in the plugin management.Without this plugin installed bots succeed authentication which is nice as it gives me some grace time.I succeeded in building the serviceuser master with gerrit master.Too many issues building the serviceusers with gerrit stable-3.12.Cherry-pick into gerrit stable-3.13 of 527882: Allow to add additional receivers to auth token expiry notifications[1] makes it build.I applied the following simple patch, hopefully it is ok until I understand what is happening.
OK, it is not working...
java.lang.IllegalArgumentException: cannot find the ServiceUserUpdated() method for com.google.gerrit.server.mail.template.ServiceUserUpdated
at com.google.template.soy.jbcsrc.shared.CompiledTemplates$TemplateData.getTemplateMethod(CompiledTemplates.java:498)
at com.google.template.soy.jbcsrc.shared.CompiledTemplates$TemplateData.getTemplateMethod(CompiledTemplates.java:498)
...
at com.googlesource.gerrit.plugins.serviceuser.email.ServiceUserUpdatedEmailDecorator.populateEmailContent(ServiceUserUpdatedEmailDecorator.java:163)
Caused by: java.lang.NoSuchMethodException: com.google.template.soy.jbcsrc.gen.com.google.gerrit.server.mail.template.ServiceUserUpdated()
at java.base/java.lang.Class.getDeclaredMethod(Class.java:2850)
at com.google.template.soy.jbcsrc.shared.CompiledTemplates$TemplateData.getTemplateMethod(CompiledTemplates.java:491)
at java.base/java.lang.Class.getDeclaredMethod(Class.java:2850)
at com.google.template.soy.jbcsrc.shared.CompiledTemplates$TemplateData.getTemplateMethod(CompiledTemplates.java:491)
I now see that the serviceuser was partially migrated as an intention to have the "new" tokens instead of the static tokens.
However, I do not see in gerrit.config an option to distinguish between the period and number a human user may have vs a service user may have.
The following should be per account "type" as otherwise I must revert to almost unlimited for all and we have not achieved anything by introducing expiration.
* auth.maxAuthTokenLifetime
* auth.maxAuthTokensPerAccount
* auth.maxAuthTokensPerAccount
Maybe I am missing something.
Is there any other alternative to integrate 3rd party applications into gerrit?
Reply all
Reply to author
Forward
0 new messages