Gerrit 3.13 service users
128 views
Skip to first unread message
Alon Bar-Lev
Jan 29, 2026, 5:12:10 PMJan 29
to Repo and Gerrit Discussion
Hi,
Auth tokens were introduced in Gerrit-3.13 which is a nice feature for interactive users.
What is the solution for service users?
How will bots authenticate to the system?
So far I used the serviceuser plugin.
Hopefully, this will be supported, as bot users are not part of the interactive authentication scheme,
I just upgraded and found serviceuser plugin is failing and is not listed in the plugin management.
Without this plugin installed bots succeed authentication which is nice as it gives me some grace time.
I succeeded in building the serviceuser master with gerrit master.
Too many issues building the serviceusers with gerrit stable-3.12.
Cherry-pick into gerrit stable-3.13 of 527882: Allow to add additional receivers to auth token expiry notifications[1] makes it build.
I applied the following simple patch, hopefully it is ok until I understand what is happening.
Regards,
Alon
---
diff --git
a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/email/ServiceUserAuthTokenExpiryNotifier.java
b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/email/ServiceUserAuthTokenExpiryNotifier.java
index dc2732b..c741829 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/email/ServiceUserAuthTokenExpiryNotifier.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/email/ServiceUserAuthTokenExpiryNotifier.java
@@ -153,7 +153,7 @@ public class ServiceUserAuthTokenExpiryNotifier implements Runnable {
.createOutgoingEmail(
AUTH_TOKEN_WILL_EXPIRE,
emailFactories.createAuthTokenWillExpireEmail(
- account, token, owners, authTokenSettingsUrl))
+ account, token))
.send();
}
}
index dc2732b..c741829 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/serviceuser/email/ServiceUserAuthTokenExpiryNotifier.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/serviceuser/email/ServiceUserAuthTokenExpiryNotifier.java
@@ -153,7 +153,7 @@ public class ServiceUserAuthTokenExpiryNotifier implements Runnable {
.createOutgoingEmail(
AUTH_TOKEN_WILL_EXPIRE,
emailFactories.createAuthTokenWillExpireEmail(
- account, token, owners, authTokenSettingsUrl))
+ account, token))
.send();
}
}
Alon Bar-Lev
Jan 29, 2026, 6:09:12 PMJan 29
to Repo and Gerrit Discussion
On Fri, 30 Jan 2026 at 00:11, Alon Bar-Lev <alon....@gmail.com> wrote:
Hi,Auth tokens were introduced in Gerrit-3.13 which is a nice feature for interactive users.What is the solution for service users?How will bots authenticate to the system?So far I used the serviceuser plugin.Hopefully, this will be supported, as bot users are not part of the interactive authentication scheme,I just upgraded and found serviceuser plugin is failing and is not listed in the plugin management.Without this plugin installed bots succeed authentication which is nice as it gives me some grace time.I succeeded in building the serviceuser master with gerrit master.Too many issues building the serviceusers with gerrit stable-3.12.Cherry-pick into gerrit stable-3.13 of 527882: Allow to add additional receivers to auth token expiry notifications[1] makes it build.I applied the following simple patch, hopefully it is ok until I understand what is happening.
OK, it is not working...
java.lang.IllegalArgumentException: cannot find the ServiceUserUpdated() method for com.google.gerrit.server.mail.template.ServiceUserUpdated
at com.google.template.soy.jbcsrc.shared.CompiledTemplates$TemplateData.getTemplateMethod(CompiledTemplates.java:498)
at com.google.template.soy.jbcsrc.shared.CompiledTemplates$TemplateData.getTemplateMethod(CompiledTemplates.java:498)
...
at com.googlesource.gerrit.plugins.serviceuser.email.ServiceUserUpdatedEmailDecorator.populateEmailContent(ServiceUserUpdatedEmailDecorator.java:163)
Caused by: java.lang.NoSuchMethodException: com.google.template.soy.jbcsrc.gen.com.google.gerrit.server.mail.template.ServiceUserUpdated()
at java.base/java.lang.Class.getDeclaredMethod(Class.java:2850)
at com.google.template.soy.jbcsrc.shared.CompiledTemplates$TemplateData.getTemplateMethod(CompiledTemplates.java:491)
at java.base/java.lang.Class.getDeclaredMethod(Class.java:2850)
at com.google.template.soy.jbcsrc.shared.CompiledTemplates$TemplateData.getTemplateMethod(CompiledTemplates.java:491)
I now see that the serviceuser was partially migrated as an intention to have the "new" tokens instead of the static tokens.
However, I do not see in gerrit.config an option to distinguish between the period and number a human user may have vs a service user may have.
The following should be per account "type" as otherwise I must revert to almost unlimited for all and we have not achieved anything by introducing expiration.
* auth.maxAuthTokenLifetime
* auth.maxAuthTokensPerAccount
* auth.maxAuthTokensPerAccount
Maybe I am missing something.
Is there any other alternative to integrate 3rd party applications into gerrit?
Alon Bar-Lev
Feb 8, 2026, 7:40:07 AMFeb 8
to Repo and Gerrit Discussion
Hi,
Bumping this up, how do you use service users (such as bot, ci) in gerrit-3.13?
Thanks,
Alon
Alon Bar-Lev
Feb 23, 2026, 3:18:26 AM (2 days ago) Feb 23
to Repo and Gerrit Discussion
Hello,
I am trying to figure out how people are using service users in Gerrit-3.13... Users for bots, CI and other tools.
So far I used the service user plugin, as this plugin is broken and I could not find anyone complaining, I am very curious if there is a method I've missed.
The strangest thing is that I have not gotten any response, maybe I am the only one that is using service users?
Thanks,
Alon
phil
Feb 23, 2026, 3:24:11 AM (2 days ago) Feb 23
to Repo and Gerrit Discussion
On Monday, February 23, 2026 at 10:18:26 AM UTC+2 Alon Bar-Lev wrote:
Hello,I am trying to figure out how people are using service users in Gerrit-3.13... Users for bots, CI and other tools.So far I used the service user plugin, as this plugin is broken and I could not find anyone complaining, I am very curious if there is a method I've missed.
The strangest thing is that I have not gotten any response, maybe I am the only one that is using service users?
I'm watching this at least, so +1 maybe? Still on older Gerrit version and relying on service users, would be nice to know if this functionality is going to be supported. Bots are important.
Luca Milanesio
Feb 23, 2026, 3:40:55 AM (2 days ago) Feb 23
to Repo and Gerrit Discussion, Luca Milanesio
Hi all,
I don’t see a lot of traction on this plugin: what is the use case that you cannot achieve with Gerrit functionality?
Gerrit has the concept of service users already, without the need for any additional plugins.
Maybe that’s why there isn’t much activity or maintenance on the service-user plugin.
HTH
Luca.
--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/repo-discuss/cae9f388-9293-421b-8919-f534537a10d0n%40googlegroups.com.
thomas....@gmail.com
Feb 23, 2026, 4:08:13 AM (2 days ago) Feb 23
to Repo and Gerrit Discussion
Hi,
sorry for the late response.
The serviceuser plugin fully supports auth tokens. I just noticed that the corresponding REST API endpoint is not documented and will fix that ASAP. We are using the plugin with auth tokens in production for quite a while now without issues.
On Monday, 23 February 2026 at 09:40:55 UTC+1 Luca Milanesio wrote:
Hi all,I don’t see a lot of traction on this plugin: what is the use case that you cannot achieve with Gerrit functionality?
It provides a self service for users to create technical users, including a UI. This is useful, if the used IDP (e.g. the OAuth provider) does not support that and if the more powerful CreateAccount capability should not be opened to a larger user base.
Best Regards,
Thomas
thomas....@gmail.com
Feb 23, 2026, 4:17:16 AM (2 days ago) Feb 23
to Repo and Gerrit Discussion
On Monday, 23 February 2026 at 10:08:13 UTC+1 thomas....@gmail.com wrote:
Hi,sorry for the late response.The serviceuser plugin fully supports auth tokens. I just noticed that the corresponding REST API endpoint is not documented and will fix that ASAP. We are using the plugin with auth tokens in production for quite a while now without issues.
We are running on master branch though. I will downport all changes regarding the auth tokens to 3.13.
Matthias Sohn
Feb 23, 2026, 4:19:05 AM (2 days ago) Feb 23
to thomas....@gmail.com, Repo and Gerrit Discussion
On Monday, 23 February 2026 at 10:08:13 UTC+1 thomas....@gmail.com wrote:Hi,sorry for the late response.The serviceuser plugin fully supports auth tokens. I just noticed that the corresponding REST API endpoint is not documented and will fix that ASAP. We are using the plugin with auth tokens in production for quite a while now without issues.We are running on master branch though. I will downport all changes regarding the auth tokens to 3.13.
I cherry-picked [1] to stable-3.13 here https://gerrit-review.googlesource.com/c/gerrit/+/555021
To view this discussion visit https://groups.google.com/d/msgid/repo-discuss/d1e73d6c-e300-4a29-b755-ecbb1c2f3264n%40googlegroups.com.
Alon Bar-Lev
Feb 23, 2026, 10:03:34 AM (2 days ago) Feb 23
to Matthias Sohn, thomas....@gmail.com, Repo and Gerrit Discussion
On Mon, 23 Feb 2026 at 11:19, Matthias Sohn <matthi...@gmail.com> wrote:
On Monday, 23 February 2026 at 10:08:13 UTC+1 thomas....@gmail.com wrote:Hi,sorry for the late response.The serviceuser plugin fully supports auth tokens. I just noticed that the corresponding REST API endpoint is not documented and will fix that ASAP. We are using the plugin with auth tokens in production for quite a while now without issues.We are running on master branch though. I will downport all changes regarding the auth tokens to 3.13.I cherry-picked [1] to stable-3.13 here https://gerrit-review.googlesource.com/c/gerrit/+/555021
Hi,
Thank you, hopefully in the next 3.13 everything will work.
However, this is not enough... :)
We need to set up different expiration times for interactive users and service users.
As far as I understand the current implementation sets a single maximum expiration constraint, which may be good for interactive users.
Let's say I would like to enforce a token expiration of 1 week for our users. However, this constraint should not be applied for service users.
Thanks,
Alon
To view this discussion visit https://groups.google.com/d/msgid/repo-discuss/CAKSZd3S93UrKJwSj8fTTKSsaNsDLnm%3DysAD%3DFTmLkVW-%2BCr1xA%40mail.gmail.com.
Luca Milanesio
Feb 23, 2026, 1:30:50 PM (2 days ago) Feb 23
to Repo and Gerrit Discussion, Luca Milanesio
On 23 Feb 2026, at 09:08, thomas....@gmail.com <thomas....@gmail.com> wrote:Hi,sorry for the late response.The serviceuser plugin fully supports auth tokens. I just noticed that the corresponding REST API endpoint is not documented and will fix that ASAP. We are using the plugin with auth tokens in production for quite a while now without issues.On Monday, 23 February 2026 at 09:40:55 UTC+1 Luca Milanesio wrote:Hi all,I don’t see a lot of traction on this plugin: what is the use case that you cannot achieve with Gerrit functionality?It provides a self service for users to create technical users, including a UI.
Gerrit allows to create service users without the need of this plugin.
This is useful, if the used IDP (e.g. the OAuth provider) does not support that
I am confused: service users live in Gerrit, not in the IDP.
and if the more powerful CreateAccount capability should not be opened to a larger user base.
Gotcha.
Luca.
To view this discussion visit https://groups.google.com/d/msgid/repo-discuss/d719b426-3807-4662-acc7-dc85ff67a9ccn%40googlegroups.com.
Alon Bar-Lev
Feb 23, 2026, 2:11:04 PM (2 days ago) Feb 23
to Luca Milanesio, Repo and Gerrit Discussion
On Mon, 23 Feb 2026 at 20:30 Luca Milanesio <luca.mi...@gmail.com> wrote:
On 23 Feb 2026, at 09:08, thomas....@gmail.com <thomas....@gmail.com> wrote:Hi,sorry for the late response.The serviceuser plugin fully supports auth tokens. I just noticed that the corresponding REST API endpoint is not documented and will fix that ASAP. We are using the plugin with auth tokens in production for quite a while now without issues.On Monday, 23 February 2026 at 09:40:55 UTC+1 Luca Milanesio wrote:Hi all,I don’t see a lot of traction on this plugin: what is the use case that you cannot achieve with Gerrit functionality?It provides a self service for users to create technical users, including a UI.Gerrit allows to create service users without the need of this plugin.
Hi,
Can you please describe how?
Thanks,
To view this discussion visit https://groups.google.com/d/msgid/repo-discuss/C8B39263-BB99-49FC-B8A6-BBA2BE83EC68%40gmail.com.
Luca Milanesio
Feb 23, 2026, 3:31:24 PM (2 days ago) Feb 23
to Repo and Gerrit Discussion, Luca Milanesio
> On 23 Feb 2026, at 19:10, Alon Bar-Lev <alon....@gmail.com> wrote:
>
>
>
> On Mon, 23 Feb 2026 at 20:30 Luca Milanesio <luca.mi...@gmail.com> wrote:
>
>
>> On 23 Feb 2026, at 09:08, thomas....@gmail.com <thomas....@gmail.com> wrote:
>>
>> Hi,
>>
>> sorry for the late response.
>>
>> The serviceuser plugin fully supports auth tokens. I just noticed that the corresponding REST API endpoint is not documented and will fix that ASAP. We are using the plugin with auth tokens in production for quite a while now without issues.
>>
>>
>> On Monday, 23 February 2026 at 09:40:55 UTC+1 Luca Milanesio wrote:
>> Hi all,
>>
>> I don’t see a lot of traction on this plugin: what is the use case that you cannot achieve with Gerrit functionality?
>>
>> It provides a self service for users to create technical users, including a UI.
>
> Gerrit allows to create service users without the need of this plugin.
>
> Hi,
> Can you please describe how?
HTH
Luca.
[1] https://gerrit-documentation.storage.googleapis.com/Documentation/3.13.3/cmd-create-account.html
Reply all
Reply to author
Forward
0 new messages