issue setting up events-log plugin when Gerrit and Jenkins are proxy


Åsmund Østvold

Jun 2, 2016, 4:08:09 PM
to repo-discuss
Hi

I want the Gerrit Trigger plugin to utilize the events-log plugin in Gerrit. I have one Gerrit and one Jenkins instance set up behind the same https proxy. The proxy server and the Gerrit instance are running on the same server; Jenkins is running on a different server. Both Gerrit and Jenkins let the proxy handle the authentication against LDAP. My proxy knowledge is limited. Does anybody have a similar working setup they can share?

My problem is how to configure Jenkins/Gerrit/Proxy when Jenkins, which normally uses ssh to communicate with Gerrit, has to talk to the events-log plugin over the REST API.

I have done a tcpdump and analyzed it with Wireshark, and seen that the POST request goes to <ip.to.proxy.and.gerrit>:8080.

Any hint on a solution is much appreciated!

Regards,
Asmund


Gerrit is configured:

[auth]
        type = HTTP_LDAP
        logoutUrl = https://cod.no.corp.com/
[ldap]
        server = ldaps://llgdevitldap.corp.com
        accountBase = dc=corp,dc=com
        groupBase = ou=groups,dc=corp,dc=com
        accountEmailAddress = mail

The interesting parts of the Apache proxy setup:

<VirtualHost *:443>

  LimitRequestLine 18190
  ServerName cod.no.corp.com:443
[...]
  RequestHeader set X-Forwarded-Proto "https"
  RequestHeader set X-Forwarded-Port "443"
  KeepAliveTimeout 180

[...]

  ProxyPass /gerrit/r/ http://localhost:8081/gerrit/r/ nocanon timeout=320 KeepAlive=On

  # LDAP Basic auth applied to every Jenkins and Gerrit URL, REST API included
  <Location ~ /(jenkins|gerrit)/>
    AuthType Basic
    AuthName "NSN EDC CI Web Site: Login with uid"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldaps://llgdevitldap.corp.com/dc=corp,dc=com?uid?sub"
    authzldapauthoritative Off
    Require ldap-group  cn=sifsw,ou=groups,dc=corp,dc=com
    Require ldap-group  cn=sif,ou=groups,dc=corp,dc=com
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
  </Location>

  <Location /jenkins/>
    ProxyPass  http://trout.no.corp.com:8080/jenkins/ timeout=320 nocanon KeepAlive=On retry=2
    ProxyPassReverse http://trout.no.corp.com:8080/jenkins/

    RequestHeader unset X-Forwarded-User
    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule .* - [E=RU:%1,NS]
    RequestHeader set X-Forwarded-User %{RU}e
  </Location>

  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>
</VirtualHost>

Doug Kelly

Jun 27, 2016, 4:53:27 PM
to Repo and Gerrit Discussion
The key thing I'm seeing in your Apache configuration is that you're using mod_authnz_ldap over the entire Gerrit UI.  This pretty much breaks REST API interactions, since you've told Gerrit to do HTTP Basic auth, but the REST API depends on HTTP Digest -- so there are two competing auth schemes and it ends poorly.  The fix for this is to only run the /login URL for Gerrit through mod_authnz_ldap.  Gerrit will maintain a session for the users (and force them to log in through Apache again after session expiration), but the REST API will pass through to the Digest authentication scheme provided by Gerrit.

There are probably other ways to achieve the same outcome with some combination of Apache and Gerrit configurations, but this is the one I know for sure works.

--Doug
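An Apache fragment that applies the fix Doug describes, added here as an illustration (it is not from the thread, the Gerrit project, or the events-log plugin). It reuses the hostnames, LDAP settings and Apache 2.2-style directives from the original post and assumes Gerrit is served under /gerrit/r/, so its login URL is /gerrit/r/login/.

```apache
<VirtualHost *:443>
  ServerName cod.no.corp.com:443
  ProxyRequests Off
  ProxyPreserveHost On
  AllowEncodedSlashes On

  RequestHeader set X-Forwarded-Proto "https"
  RequestHeader set X-Forwarded-Port "443"

  # Only the Gerrit login URL goes through mod_authnz_ldap (HTTP Basic).
  # Every other path under /gerrit/r/, including the REST API that the
  # events-log plugin and Gerrit Trigger use, is proxied without Apache
  # authentication so Gerrit can apply its own Digest scheme.
  # Assumption: Gerrit's context path is /gerrit/r/ as in the original config.
  <Location /gerrit/r/login/>
    AuthType Basic
    AuthName "NSN EDC CI Web Site: Login with uid"
    AuthBasicProvider ldap
    AuthLDAPUrl "ldaps://llgdevitldap.corp.com/dc=corp,dc=com?uid?sub"
    AuthzLDAPAuthoritative Off
    Require ldap-group cn=sifsw,ou=groups,dc=corp,dc=com
    Require ldap-group cn=sif,ou=groups,dc=corp,dc=com
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
  </Location>

  # No <Location ~ /(jenkins|gerrit)/> block any more: the regex match
  # that protected all of /gerrit/ is replaced by the single /login/ block.
  ProxyPass /gerrit/r/ http://localhost:8081/gerrit/r/ nocanon timeout=320 KeepAlive=On
  ProxyPassReverse /gerrit/r/ http://localhost:8081/gerrit/r/

  # Jenkins keeps Basic auth on its whole UI; copy the original
  # <Location /jenkins/> block (ProxyPass, X-Forwarded-User rewrite) here
  # and add the same AuthType/AuthLDAPUrl/Require lines as above.

  <Proxy *>
    Order deny,allow
    Allow from all
  </Proxy>
</VirtualHost>
```

After this change a Gerrit user's HTTP password (Digest) is what Gerrit Trigger must present to the REST API; the LDAP password is only consulted by Apache at /gerrit/r/login/.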