Page MenuHomePhabricator

Users with a different name in the cn field compared to uid field cannot use http auth
Open, Stalled, Needs TriagePublic

Description

As noticed with @mmodell when he tried to T220653. it wouldn't let him use both "20after4" and "twentyafterfour" as a username for auth over http. This is because his shell name and cn name are different.

E.g

uid: twentyafterfour
cn: 20after4

To use auth over http, you must use a username, @mmodell username in gerrit is twentyafterfour, so when he tried using it, it was failing to find him in ldap as it was using the cn field to search.

We should find a way to allow users who have a different shell name to the cn field, to be able to auth.

Details

Related Gerrit Patches:
operations/puppet : productiongerrit: Re-enable the use of HTTP auth tokens
operations/puppet : productiongerrit: Re-enable the use of HTTP auth tokens

Event Timeline

Paladox created this task.Jun 7 2019, 3:33 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 7 2019, 3:33 PM

This is due to gerrit using cn as the UI login (internally in gerrit this is the gerrit schema), while using uid as the ssh/api login (internally in gerrit this is the username schema).

web UI login

  1. gerrit checks your provided username against usernames in the gerrit schema
  2. if a user is found it searches LDAP cn entry that matches.

ssh/rest api login

  1. gerrit checks your provided username against usernames in the username schema
  2. if a user is found it searches LDAP cn entry that matches.

The trouble is that gerrit stores uid in the username schema and then uses that (in the case of ssh or http api auth) to search for cn which is not going to work unless your shell name and wikitech username are the same.

It seems like we should have used uid as the login name for the UI in the first place; however, switching our login query to point to uid seems like a really very Bad Idea™, so not sure how to fix this :\

@thcipriani: the fix is turning on http passwords.

Rather, if we set auth.gitBasicAuthPolicy = "HTTP_LDAP" then I could work around the problem by setting an http password like I did before that option got taken away.

@thcipriani: the fix is turning on http passwords.

Will be doing that once a few security patches applied (that is T218750: Re-enable use of Gerrit HTTP token to push patchsets).

Doesn't fix the problem that we can't use LDAP login for the http api if your cn is different than your uid. It does provide a workaround which I guess will have to be good enough.

bd808 added a subscriber: bd808.Jun 7 2019, 7:30 PM

cn !== uid for most of our Developer accounts as far as I know. We encourage cn to be a person's full name (or at least given name + family name) and uid's have other constraints including ASCII alphanumeric charset restrictions.

Change 518811 had a related patch set uploaded (by Thcipriani; owner: Thcipriani):
[operations/puppet@production] gerrit: Re-enable the use of HTTP auth tokens

https://gerrit.wikimedia.org/r/518811

Change 518811 merged by CDanis:
[operations/puppet@production] gerrit: Re-enable the use of HTTP auth tokens

https://gerrit.wikimedia.org/r/518811

thcipriani changed the task status from Open to Stalled.Jun 24 2019, 9:47 PM

@thcipriani: the fix is turning on http passwords.

Done.

Setting this task to "Stalled" since fixing it means a careful rebuild of the users git repo in gerrit and now we have a work around deployed.

Change 527596 had a related patch set uploaded (by Paladox; owner: Thcipriani):
[operations/puppet@production] gerrit: Re-enable the use of HTTP auth tokens

https://gerrit.wikimedia.org/r/527596

Change 527596 merged by CDanis:
[operations/puppet@production] gerrit: Re-enable the use of HTTP auth tokens

https://gerrit.wikimedia.org/r/527596