repo upload to gerrit : Permission denied (publickey) ...
1,968 views
Skip to first unread message
Darcy Watkins
Jan 23, 2014, 1:50:33 PM1/23/14
to repo-d...@googlegroups.com
Hello,
I am using 'repo' to manage a multiproject repository of a yocto based project with our own instance of a Gerrit review server.
I encountered the following issue:
After searching for following the usual advice about checking public keys on the gerrit server and verifying that they are all in good order, none of this helped at all.
Then I logged into the gerrit server and output logs/sshd_log, I noticed the following...
My workaround was to make sure that my username in my email matched my username on the gerrit server. For my case...
At my workplace I can internally use 'dwatkins' (unqualified) as email address, but my usual email userid for external email is 'darcy.watkins'. After the above change, 'repo upload' worked properly as expected.
Now I understand why everything worked ok when I evaluated the gerrit workflow on a single Linux box at home, but could never upload to gerrithub.io and ran into this difficulty when setting things up at work.
I have multiple 'personalities' such as 'darcy', 'dwatkins', 'darcy.watkins' and at some places even 'xstreamworship' which is my personal domain name (i.e. xstreamworship.com).
At home 'darcy' is my user ID on server and my personal email user ID is 'darcy' - all OK
At work 'dwatkins' is my user ID on workstation and servers but my email user ID is 'darcy.watkins' - difficulty, but able to workaround it since 'dwatkins' is ok for internal email.
When test driving gerithub.io, 'xstreamworship' is user ID on server, I have no email with 'xstreamworship' as the user ID - I never got it to work, but I think I could now if I lied to 'git'.
So the point of all this is that if you encounter issues related to identity using repo and gerrit and all else appears to be in order (i.e. your keys, etc), then you may want to check how your identity works out between the server and the client. I found this in the gerrit server's sshd_log, but not everyone has access to such a log file.
Is there a better way? I mean, people have multiple emails and identities that they use. Ideally, there would be a way to specify the user ID to use on the server independent of extracting it out of my email. It would be nice to store it in my global ~/.gitconfig but I could also live with a command line option to 'repo init' to set it on a per multiproject repo basis (although I would guess that a person could have different user IDs per review server that they could be dealing with).
I did find a workaround that works OK with our setup at work, but this may be something for the people looking into new features for 'repo' to look at.
Regards,
Darcy
I am using 'repo' to manage a multiproject repository of a yocto based project with our own instance of a Gerrit review server.
I encountered the following issue:
dwatkins@kihei:32bit repo_MG-os_test1 $ repo upload
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
----------------------------------------------------------------------
[FAILED] MG-os-base/ master (Upload failed)
[FAILED] meta-MG-os-bsp/ master (Upload failed)
dwatkins@kihei:32bit repo_MG-os_test1 $
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
----------------------------------------------------------------------
[FAILED] MG-os-base/ master (Upload failed)
[FAILED] meta-MG-os-bsp/ master (Upload failed)
dwatkins@kihei:32bit repo_MG-os_test1 $
After searching for following the usual advice about checking public keys on the gerrit server and verifying that they are all in good order, none of this helped at all.
Then I logged into the gerrit server and output logs/sshd_log, I noticed the following...
[2014-01-23 10:14:10,714 -0800] 9aa62690 darcy.watkins - AUTH FAILURE FROM 192.168.3.163 user-not-found
My workaround was to make sure that my username in my email matched my username on the gerrit server. For my case...
git config --global user.email dwatkins
At my workplace I can internally use 'dwatkins' (unqualified) as email address, but my usual email userid for external email is 'darcy.watkins'. After the above change, 'repo upload' worked properly as expected.
Now I understand why everything worked ok when I evaluated the gerrit workflow on a single Linux box at home, but could never upload to gerrithub.io and ran into this difficulty when setting things up at work.
I have multiple 'personalities' such as 'darcy', 'dwatkins', 'darcy.watkins' and at some places even 'xstreamworship' which is my personal domain name (i.e. xstreamworship.com).
At home 'darcy' is my user ID on server and my personal email user ID is 'darcy' - all OK
At work 'dwatkins' is my user ID on workstation and servers but my email user ID is 'darcy.watkins' - difficulty, but able to workaround it since 'dwatkins' is ok for internal email.
When test driving gerithub.io, 'xstreamworship' is user ID on server, I have no email with 'xstreamworship' as the user ID - I never got it to work, but I think I could now if I lied to 'git'.
So the point of all this is that if you encounter issues related to identity using repo and gerrit and all else appears to be in order (i.e. your keys, etc), then you may want to check how your identity works out between the server and the client. I found this in the gerrit server's sshd_log, but not everyone has access to such a log file.
Is there a better way? I mean, people have multiple emails and identities that they use. Ideally, there would be a way to specify the user ID to use on the server independent of extracting it out of my email. It would be nice to store it in my global ~/.gitconfig but I could also live with a command line option to 'repo init' to set it on a per multiproject repo basis (although I would guess that a person could have different user IDs per review server that they could be dealing with).
I did find a workaround that works OK with our setup at work, but this may be something for the people looking into new features for 'repo' to look at.
Regards,
Darcy
David Pursehouse
Jan 23, 2014, 7:52:38 PM1/23/14
to Darcy Watkins, repo-d...@googlegroups.com
On 01/24/2014 03:50 AM, Darcy Watkins wrote:
> Is there a better way? I mean, people have multiple emails and
> identities that they use. Ideally, there would be a way to specify the
> user ID to use on the server independent of extracting it out of my
> email. It would be nice to store it in my global ~/.gitconfig but I
> could also live with a command line option to 'repo init' to set it on a
> per multiproject repo basis (although I would guess that a person could
> have different user IDs per review server that they could be dealing with).
>
You can set `review.URL.username` in the global git config.
> Is there a better way? I mean, people have multiple emails and
> identities that they use. Ideally, there would be a way to specify the
> user ID to use on the server independent of extracting it out of my
> email. It would be nice to store it in my global ~/.gitconfig but I
> could also live with a command line option to 'repo init' to set it on a
> per multiproject repo basis (although I would guess that a person could
> have different user IDs per review server that they could be dealing with).
>
From the documentation of the upload command:
Override the username used to connect to Gerrit Code Review.
By default the local part of the email address is used.
The URL must match the review URL listed in the manifest XML file,
or in the .git/config within the project. For example:
[remote "origin"]
url = git://git.example.com/project.git
review = http://review.example.com/
Darcy Watkins
Aug 22, 2017, 11:26:39 AM8/22/17
to Repo and Gerrit Discussion
Here are some tips related to this if you are using 'repo' with gerrithub.io with repos hosted on github.com, say for an open source project.
- All the comments related to working with your own gerrit server still apply in this case.
- The 'repo init ... --config-name' followed by your name and github userid has to be done when you first create the workspace (initial cloning time) as subsequent 'repo init' to change things won't synchronize everything and you will still get the errors I mentioned before. (In fact I think this applies to your own gerrit servers too).
- If you have multiple gerrit servers, each having different user IDs, there is no workaround. You will have to pick one to use 'repo upload' with and then manually 'git push ...' to any others. I suggest that you set the gerrit server of your project as the primary and then manually push to others that you may contribute upstream to. If you are lucky enough to have the same userid at all the gerrit sites, then I think you are OK. It seems to only care about the userid in the email address (i.e. up to the '@'). In fact, for email address, you can simply specify the userid without the @domain ...).
- In your repo manifest, set the remote definitions to point to github.com (not to github.com/youruserid). Put youruserid as part of the path to the GIT repo in the project name element of the repo manifest. (Otherwise you get unusual errors). This only applies to the projects that you setup gerrithub.io as review server. The review attribute of the project only accepts the host name (i.e. doesn't allow a sub-path such as to your space on github).
- works (userid in examples is 'myhub')
- <remote fetch="http://github.com" review="gerrithub.io" name="myhub"/>
- <project remote="myhub" name="myhub/myproject" revision="master" path="myproject">
- won't work
- <remote fetch="http://github.com/myhub" review="gerrithub.io/myhub" name="myhub"/>
- <project remote="myhub" name="myproject" revision="master" path="myproject">
- Also I notice that the 'extend-project' element cannot be used to override things on an existing project like revision, upstream or to add a review server (or even to add annotations). You have to 'remove-project' and then re add it. I guess 'extend-project' only works with a few select attributes. I gave up on it because it was frustrating. I had hoped to setup includes with all the elements for development on master branches and then use top level manifests with 'extend-project' elements to override to release version maintenance branches for such. But it didn't work. At least now I know why.
Reply all
Reply to author
Forward
0 new messages