Anonymous Clone over SSH not working?


Kyle Smith

Jul 17, 2012, 5:05:52 PM
to repo-d...@googlegroups.com
Hey guys; I've got a Gerrit 2.4.2 (LDAP, mysql) install running with a Jenkins slavemaster doing the verification work. Problem is that the slaves are unable to clone into Gerrit's Git repo. I'm fairly certain the issue lies in my permission structure, but I don't understand how. 

As I understand, the Anonymous group needs to have READ permissions on refs/heads/* and refs/tags/* in either the project permissions or (with lower authority), All-Projects. However, when I set these permissions, I am unable to clone anonymously?

Project hello-world:
  refs/heads/*: Read
  refs/tags/*: Read

Project All-Projects:
  Global Capabilities: Administrate Server
  refs/*: Read, Forge Author Identity
  refs/for/refs/*: Read, Push
  refs/heads/*: Read, Label Code-Review, Label Verified, Submit
  refs/meta/config: Read

As you can see, Anon has read permissions on everything I could think to give, but I'm still running into "Permission denied (publickey)." when I try to clone into the repo? What in the world am I missing? Thanks for your time!

-Kyle Smith

Shawn Pearce

Jul 17, 2012, 5:08:54 PM
to Kyle Smith, repo-d...@googlegroups.com
On Tue, Jul 17, 2012 at 2:05 PM, Kyle Smith <kyle.sm...@gmail.com> wrote:
Hey guys; I've got a Gerrit 2.4.2 (LDAP, mysql) install running with a Jenkins slavemaster doing the verification work. Problem is that the slaves are unable to clone into Gerrit's Git repo. I'm fairly certain the issue lies in my permission structure, but I don't understand how. 

As I understand, the Anonymous group needs to have READ permissions on refs/heads/* and refs/tags/* in either the project permissions or (with lower authority), All-Projects. However, when I set these permissions, I am unable to clone anonymously?
... 
As you can see, Anon has read permissions on everything I could think to give, but I'm still running into "Permission denied (publickey)." when I try to clone into the repo? What in the world am I missing? 

You cannot connect anonymously over SSH. The client must authenticate with a public key. You aren't even getting authenticated, let alone getting to check if you have access to the repositories. 

Kyle Smith

Jul 17, 2012, 5:17:18 PM
to repo-d...@googlegroups.com, Kyle Smith
Hrm, that poses an interesting problem. Gerrit is configured to employ the company's Active Directory servers, which we cannot add users to arbitrarily. I assume the best option in this case is to create a user via command-line with an ssh keypair that I can copy to all current and future slaves? 

Shawn Pearce

Jul 17, 2012, 5:38:58 PM
to Kyle Smith, repo-d...@googlegroups.com
On Tue, Jul 17, 2012 at 2:17 PM, Kyle Smith <kyle.sm...@gmail.com> wrote:
Hrm, that poses an interesting problem. Gerrit is configured to employ the company's Active Directory servers, which we cannot add users to arbitrarily. I assume the best option in this case is to create a user via command-line with an ssh keypair that I can copy to all current and future slaves? 

Yes.

Welch, Ronald P (US SSA)

Jul 18, 2012, 8:05:04 AM
to Kyle Smith, Shawn Pearce, repo-d...@googlegroups.com
Kyle,

I have a similar situation with multiple "slaves" and LDAP
authentication against an (essentially) read-only LDAP. As
you suggest, creating users that exist in Gerrit but do not exist
in LDAP for the slaves is the way to go. But, one issue I found
is that, ideally, I would like to have all of the slaves
send email to my email address when there are, for example,
build failures. But Gerrit requires each user to have a unique
email address, so the "slaves" cannot all have my (or the same)
email address.  Just something to note.

Ron
----------=-=-=-=-=-=-=-=-========oOo========-=-=-=-=-=-=-=-=----------
mailto:Ronald....@baesystems.com                Phone:(607)206-8718
BAE SYSTEMS                       1701 North Street, Endicott, NY 13760
----------=-=-=-=-=-=-=-=-===================-=-=-=-=-=-=-=-=----------

Shawn Pearce

Jul 18, 2012, 10:21:02 AM
to Welch, Ronald P (US SSA), Kyle Smith, repo-d...@googlegroups.com
On Wed, Jul 18, 2012 at 5:05 AM, Welch, Ronald P (US SSA) <ronald....@baesystems.com> wrote:
I have a similar situation with multiple "slaves" and LDAP
authentication against an (essentially) read-only LDAP. As
you suggest, creating users that exist in Gerrit but do not exist
in LDAP for the slaves is the way to go. But, one issue I found
is that, ideally, I would like to have all of the slaves
send email to my email address when there are, for example,
build failures. But Gerrit requires each user to have a unique
email address, so the "slaves" cannot all have my (or the same)
email address.  Just something to note.

Why can't the slaves share the same account? You can register multiple public keys in the account_ssh_keys table for the slave user. Or transfer the private half of the key to each slave machine by copying it over scp.

A slave account doesn't need an email address registered with Gerrit. It can still send email, the server sends using its own address. Accounts only need an email address in Gerrit if you want to push new commits and verify the author or committer address in the commit, or if the account wants to receive email sent by Gerrit.
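The provisioning flow the replies describe (one non-LDAP service account, its public key loaded through Gerrit's SSH admin interface, every slave authenticating as that account), written out as an added example that is not part of the thread or of Gerrit's own tooling. The host name, admin user and account name are assumptions; `gerrit create-account --ssh-key -` reads the public key from stdin. The helper functions are pure so they can be checked without a Gerrit server; only the `run` branch talks to the network.

```shell
#!/bin/sh
# Added example (not from the thread): provision one shared Jenkins service
# account in Gerrit over SSH, as the replies above describe.
# Host, admin user and account name are assumptions for the example.
set -u

GERRIT_HOST="gerrit.example.com"   # assumed Gerrit host
GERRIT_PORT="29418"                # Gerrit's default SSH port
ADMIN_USER="admin"                 # an account holding Administrate Server
BOT_USER="jenkins"                 # the shared non-LDAP service account

# Accept only lines shaped like an OpenSSH public key (key type, base64 blob,
# optional comment) so a private key or stray text is never sent to Gerrit.
is_ssh_pubkey() {
    case "$1" in
        ssh-rsa\ [A-Za-z0-9+/]*|ssh-dss\ [A-Za-z0-9+/]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Command that creates the account and loads the first slave's public key
# from stdin ("--ssh-key -" tells create-account to read the key there).
create_account_cmd() {
    printf 'ssh -p %s %s@%s gerrit create-account --full-name Jenkins --ssh-key - %s\n' \
        "$GERRIT_PORT" "$ADMIN_USER" "$GERRIT_HOST" "$BOT_USER"
}

# Clone URL every slave uses: the bot account authenticates over SSH, and
# the Read rules on refs/heads/* and refs/tags/* then decide what it fetches.
clone_url() {   # $1 = project name
    printf 'ssh://%s@%s:%s/%s\n' "$BOT_USER" "$GERRIT_HOST" "$GERRIT_PORT" "$1"
}

# Generate a keypair for one slave. The private half stays on that slave;
# only the .pub side is ever sent to Gerrit.
gen_slave_key() {   # $1 = slave name (key comment), $2 = private key path
    ssh-keygen -q -t rsa -b 2048 -N '' -C "jenkins@$1" -f "$2"
}

# Full run (needs network access to Gerrit): sh provision.sh run
if [ "${1:-}" = "run" ]; then
    keyfile="$(mktemp -d)/id_rsa"
    gen_slave_key "slave01" "$keyfile"
    pub="$(cat "$keyfile.pub")"
    is_ssh_pubkey "$pub" || { echo "not a public key: $keyfile.pub" >&2; exit 1; }
    printf '%s\n' "$pub" | $(create_account_cmd)
    echo "slaves clone with: git clone $(clone_url hello-world)"
    echo "for further slaves either copy $keyfile to them over scp, or register one key per slave on $BOT_USER"
fi
```

Keeping one account with several registered keys (or one copied key) means the Anonymous Read rules shown earlier in the thread are what govern the clone; SSH only settles who the client is. The account needs no email address for this, as the reply notes, since Gerrit sends mail from its own address.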

Welch, Ronald P (US SSA)

Jul 18, 2012, 10:39:28 AM
to Shawn Pearce, Kyle Smith, repo-d...@googlegroups.com
You are correct Shawn (of course). It is not a big deal and in fact 
we have things set the way you suggest. I was just tripped up 
slightly by the email uniqueness thing, which I did realize existed, 
when initially setting up the accounts. Anyway, thanks for 
clarifying things.

