Page MenuHomePhabricator
Create Task
Maniphest T225308

Users with a different name in the cn field compared to uid field cannot use http auth
Open, Stalled, Needs TriagePublic
Actions

Description

As noticed with @mmodell when he tried to T220653. it wouldn't let him use both "20after4" and "twentyafterfour" as a username for auth over http. This is because his shell name and cn name are different.

E.g

uid: twentyafterfour
cn: 20after4

To use auth over http, you must use a username, @mmodell username in gerrit is twentyafterfour, so when he tried using it, it was failing to find him in ldap as it was using the cn field to search.

We should find a way to allow users who have a different shell name to the cn field, to be able to auth.

Details

ProjectBranchLines +/-Subject
operations/puppetproduction+1 -1gerrit: Re-enable the use of HTTP auth tokens
operations/puppetproduction+1 -1gerrit: Re-enable the use of HTTP auth tokens
Customize query in gerrit

Related Objects

Event Timeline

Paladox created this task.Jun 7 2019, 3:33 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 7 2019, 3:33 PM
thcipriani added a subscriber: thcipriani.Jun 7 2019, 4:03 PM

This is due to gerrit using cn as the UI login (internally in gerrit this is the gerrit schema), while using uid as the ssh/api login (internally in gerrit this is the username schema).

web UI login

  1. gerrit checks your provided username against usernames in the gerrit schema
  2. if a user is found it searches LDAP cn entry that matches.

ssh/rest api login

  1. gerrit checks your provided username against usernames in the username schema
  2. if a user is found it searches LDAP cn entry that matches.

The trouble is that gerrit stores uid in the username schema and then uses that (in the case of ssh or http api auth) to search for cn which is not going to work unless your shell name and wikitech username are the same.

It seems like we should have used uid as the login name for the UI in the first place; however, switching our login query to point to uid seems like a really very Bad Idea™, so not sure how to fix this :\

mmodell added a comment.Jun 7 2019, 6:06 PM

@thcipriani: the fix is turning on http passwords.

mmodell added a comment.Jun 7 2019, 6:13 PM

Rather, if we set auth.gitBasicAuthPolicy = "HTTP_LDAP" then I could work around the problem by setting an http password like I did before that option got taken away.

mmodell mentioned this in T220653: Branch REL1_33 for MediaWiki and deployed extensions.Jun 7 2019, 6:15 PM
mmodell added a parent task: T220653: Branch REL1_33 for MediaWiki and deployed extensions.
thcipriani added a comment.Jun 7 2019, 6:25 PM
In T225308#5243509, @mmodell wrote:

@thcipriani: the fix is turning on http passwords.

Will be doing that once a few security patches applied (that is T218750: Re-enable use of Gerrit HTTP token to push patchsets).

Doesn't fix the problem that we can't use LDAP login for the http api if your cn is different than your uid. It does provide a workaround which I guess will have to be good enough.

Reedy removed a parent task: T220653: Branch REL1_33 for MediaWiki and deployed extensions.Jun 7 2019, 7:06 PM
bd808 added a subscriber: bd808.Jun 7 2019, 7:30 PM

cn !== uid for most of our Developer accounts as far as I know. We encourage cn to be a person's full name (or at least given name + family name) and uid's have other constraints including ASCII alphanumeric charset restrictions.

Paladox mentioned this in T224390: Gerrit perfsite bot is flaky.Jun 11 2019, 11:17 AM
thcipriani mentioned this in T224996: Gerrit repo scoring/ores/editquality not mirroring.Jun 11 2019, 7:21 PM
gerritbot added a comment.Jun 24 2019, 8:21 PM

Change 518811 had a related patch set uploaded (by Thcipriani; owner: Thcipriani):
[operations/puppet@production] gerrit: Re-enable the use of HTTP auth tokens

https://gerrit.wikimedia.org/r/518811

gerritbot added a project: Patch-For-Review.Jun 24 2019, 8:21 PM
gerritbot added a comment.Jun 24 2019, 8:30 PM

Change 518811 merged by CDanis:
[operations/puppet@production] gerrit: Re-enable the use of HTTP auth tokens

https://gerrit.wikimedia.org/r/518811

Maintenance_bot removed a project: Patch-For-Review.Jun 24 2019, 9:10 PM
thcipriani changed the task status from Open to Stalled.Jun 24 2019, 9:47 PM
In T225308#5243509, @mmodell wrote:

@thcipriani: the fix is turning on http passwords.

Done.

Setting this task to "Stalled" since fixing it means a careful rebuild of the users git repo in gerrit and now we have a work around deployed.

gerritbot added a comment.Aug 2 2019, 4:17 PM

Change 527596 had a related patch set uploaded (by Paladox; owner: Thcipriani):
[operations/puppet@production] gerrit: Re-enable the use of HTTP auth tokens

https://gerrit.wikimedia.org/r/527596

gerritbot added a project: Patch-For-Review.Aug 2 2019, 4:17 PM
gerritbot added a comment.Aug 8 2019, 7:29 PM

Change 527596 merged by CDanis:
[operations/puppet@production] gerrit: Re-enable the use of HTTP auth tokens

https://gerrit.wikimedia.org/r/527596

Maintenance_bot removed a project: Patch-For-Review.Aug 8 2019, 8:10 PM
thcipriani mentioned this in T232661: Update k18 password in phab diffusion.Sep 11 2019, 10:14 PM
Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL