Gerrit 2.12 upgrade http Google OAuth - can't login

158 views
Skip to first unread message

Pete Blumenthal

unread,
Feb 24, 2016, 5:53:32 PM2/24/16
to Repo and Gerrit Discussion

I was on Gerrit 2.11 using reverse apache http proxy for Google OATH authentication.

 

Today, after upgrading to 2.12, users can no longer authenticate and their browser show “Server Error”.  Gerrit log shows:

 

[2016-02-24 17:16:13,629] [HTTP-55] WARN  org.eclipse.jetty.servlet.ServletHandler : /login/

java.lang.IllegalStateException: Username cannot be changed.

        at com.google.gerrit.server.account.ChangeUserName.call(ChangeUserName.java:78)

        at com.google.gerrit.server.account.AccountManager.update(AccountManager.java:188)

        at com.google.gerrit.server.account.AccountManager.authenticate(AccountManager.java:124)

        at com.google.gerrit.httpd.auth.container.HttpLoginServlet.doGet(HttpLoginServlet.java:119)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)

        at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:287)

        at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:277)

        at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:182)

        at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)

        at com.google.gerrit.httpd.GetUserFilter.doFilter(GetUserFilter.java:82)

        at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:73)

        at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:117)

        at com.google.gerrit.httpd.RequireSslFilter.doFilter(RequireSslFilter.java:68)

        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:136)

        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:105)

        at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:75)

        at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119)

        at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133)

        at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130)

        at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203)

        at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130)

        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)

        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)

        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)

        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)

        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)

        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)

        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)

        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)

        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)

        at org.eclipse.jetty.server.Server.handle(Server.java:499)

        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)

        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)

        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)

        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)

        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)

        at java.lang.Thread.run(Thread.java:745)

[2016-02-24 17:16:13,630] [HTTP-55] ERROR com.google.gerrit.pgm.http.jetty.HiddenErrorHandler : Error in GET /login/

java.lang.IllegalStateException: Username cannot be changed.

        at com.google.gerrit.server.account.ChangeUserName.call(ChangeUserName.java:78)

        at com.google.gerrit.server.account.AccountManager.update(AccountManager.java:188)

        at com.google.gerrit.server.account.AccountManager.authenticate(AccountManager.java:124)

        at com.google.gerrit.httpd.auth.container.HttpLoginServlet.doGet(HttpLoginServlet.java:119)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)

        at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:287)

        at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:277)

        at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:182)

        at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:91)

        at com.google.gerrit.httpd.GetUserFilter.doFilter(GetUserFilter.java:82)

        at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:73)

        at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:117)

        at com.google.gerrit.httpd.RequireSslFilter.doFilter(RequireSslFilter.java:68)

        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:136)

        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:105)

        at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:75)

        at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119)

        at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133)

        at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130)

        at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203)

        at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130)

        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)

        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)

        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)

        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)

        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)

        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)

        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)

        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)

        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)

        at org.eclipse.jetty.server.Server.handle(Server.java:499)

        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)

        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)

        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)

        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)

        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)

        at java.lang.Thread.run(Thread.java:745)

 

 

Any ideas how to resolve this? In gerrit all my user names do appear as lowercase, and I tried adding this to gerrit conf with no improvement:

 

auth.userNameToLowerCase = true

 

 

<gerrit.conf snipped:>

[auth]

        type = HTTP

        httpHeader = X-Forwarded-User

        userNameToLowerCase = true

[httpd]

        listenUrl = proxy-https://<hostname>:<port>/

 

  

idea?

thanks!

u...@revault.ch

unread,
Jun 1, 2016, 4:30:25 PM6/1/16
to Repo and Gerrit Discussion
Have you had a look at the the table account_external_ids?

You can inspect it through gsql:

ssh gerrit.example.com gerrit gsql
gerrit> select * from account_external_ids;

In my case I hat multiple entries starting with username: for the same account.
After clearing out the ones not necessary and after a

ssh gerrit.revault.ch gerrit flush-cashes

I could login again.

Krešimir Tonković

unread,
Jun 10, 2016, 8:59:55 AM6/10/16
to Repo and Gerrit Discussion
I had a different situation. We started using gerrit with openID and had usernames in a different format i.e. ktonkovic vs kresimir.tonkovic. After the upgrade to 2.12 it stopped working because now gerrit wants to update my username from ktonkovic to kresimir.tonkovic which is not allowed.

Changing the old username was not a palatable option for us because the they are used with ssh and we didn't want to edit git configs on all copies of the repo. we had locally (we have many).

My solution was to add new usernames to the table with the email format. So now for each user we have entries, e.g. one for ktonkovic and one for kresimir.tonkovic, pointing to the same user id. I was afarid gerrit would not like this, but it works without a problem so far.

Regards,
Kresimir 
Reply all
Reply to author
Forward
0 new messages