Creating a fake web user when LDAP authentication?

284 views
Skip to first unread message

Anthony Wong

unread,
Sep 6, 2012, 1:22:19 PM9/6/12
to repo-d...@googlegroups.com
Hi--
 
I'm validating web users with LDAP (ldap setup in gerrit.config), I've also created "fake" users to have various verifiers have different names "checkpatch_status", etc.
 
I would like to create a "fake" user to use the website, so that I can confirm whether I've made correct access control changes in the various nested permissions-only projects ... since some users can +2/-2 on some projects but not on others.
 
Is there a way to create a non-LDAP user account to access the website?
 
--Thanks,
Anthony

Shawn Pearce

unread,
Sep 7, 2012, 10:39:53 PM9/7/12
to Anthony Wong, repo-d...@googlegroups.com

Not easily. Perhaps the simplest thing is to make a fake user just like you normally do for SSH, then go edit the database by hand to set the password field for this user in account_external_ids table.

Once this is done, use the new REST API directly with HTTP digest author, e.g. "curl -n --digest http://localhost:8080/changes/?q=status:open+project:foo"

This only works with 2.5, for a 2.4 system this is nearly impossible to do from the web UI side. You can roughly to the same thing with SSH users using the query command, "ssh ... gerrit query status:open project:foo"

And of course there is "ssh ... gerrit ls-projects" and in 2.5 there is the /projects/ URL used to list projects in the web UI.

--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

Luca Milanesio

unread,
Sep 8, 2012, 3:32:55 AM9/8/12
to Shawn Pearce, Anthony Wong, repo-d...@googlegroups.com
This request is not new to me: often companies with LDAP integration need to have "local users" (not defined in LDAP) to be able to use Gerrit and login to Web UE.

For sure they need to be identified and restricted to avoid security breaches.

Since 2.5 their activity will be audited ;-)

Luca
---------
Sent from my iPhone
Luca Milanesio
Skype: lucamilanesio

Phil Hord

unread,
Dec 5, 2012, 3:39:52 PM12/5/12
to repo-d...@googlegroups.com, Anthony Wong
This doesn't seem to work at all for me.  I've set the user's password in the database, but I am not able to authenticate using anything but ldap.  Is there some config needed to enabled this?

P

Anthony Wong

unread,
Dec 7, 2012, 2:16:45 PM12/7/12
to repo-d...@googlegroups.com, Anthony Wong
I don't use "fake user" for GUI login, only to have meaningful names show up in review comments (which are submitted through the "gerrit review" command
Reply all
Reply to author
Forward
0 new messages