
Users with a different name in the cn field compared to uid field cannot use http auth
Closed, Declined | Public

Description

As noticed with @mmodell when he tried to T220653: it wouldn't let him use both "20after4" and "twentyafterfour" as a username for auth over HTTP. This is because his shell name (uid) and cn name are different in LDAP:

LDAP field   Gerrit schema   Value
uid          username        twentyafterfour
cn           gerrit          20after4

To use authentication over HTTP, you must use a username. @mmodell's username in Gerrit is twentyafterfour, so when he tried using it, it failed to find him in LDAP, as it was using the cn field to search.

We should find a way to allow users whose shell name differs from the cn field to be able to authenticate.

Event Timeline

This is due to gerrit using cn as the UI login (internally in gerrit this is the gerrit schema), while using uid as the ssh/api login (internally in gerrit this is the username schema).

web UI login

  1. gerrit checks your provided username against usernames in the gerrit schema
  2. if a user is found, it searches LDAP for the cn entry that matches.

ssh/rest api login

  1. gerrit checks your provided username against usernames in the username schema
  2. if a user is found, it searches LDAP for the cn entry that matches.

The trouble is that gerrit stores uid in the username schema and then uses that (in the case of ssh or http api auth) to search for cn which is not going to work unless your shell name and wikitech username are the same.

It seems like we should have used uid as the login name for the UI in the first place; however, switching our login query to point to uid seems like a really very Bad Idea™, so not sure how to fix this :\

@thcipriani: the fix is turning on http passwords.

Rather, if we set auth.gitBasicAuthPolicy = "HTTP_LDAP" then I could work around the problem by setting an http password like I did before that option got taken away.

> @thcipriani: the fix is turning on http passwords.

Will be doing that once a few security patches are applied (that is T218750: Re-enable use of Gerrit HTTP token to push patchsets).

Doesn't fix the problem that we can't use LDAP login for the HTTP API if your cn is different from your uid. It does provide a workaround, which I guess will have to be good enough.

cn !== uid for most of our Developer accounts as far as I know. We encourage cn to be a person's full name (or at least given name + family name), and uids have other constraints, including ASCII alphanumeric charset restrictions.
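To make the two lookup paths thcipriani describes above, and bd808's point that cn and uid differ for most accounts, concrete, here is an added Python model. It is not Gerrit's own code and is not from this task: it models the web-UI path (resolve the `gerrit:` external ID, then search LDAP by cn), the SSH/HTTP-API path (resolve the `username:` external ID, then search LDAP by cn), and the `auth.gitBasicAuthPolicy = HTTP_LDAP` workaround (accept the account's HTTP password first, fall back to LDAP otherwise), then runs them over a constructed LDIF excerpt. The LDIF content, the account table, the example.org names and every helper name are assumptions made for the illustration; `cn_uid_mismatches` is the check you would run over a real LDIF export to find the accounts this bug affects.

```python
"""Added model of the Gerrit/LDAP lookup mismatch discussed in this task.

Not Gerrit's code: it reproduces the lookup order the thread describes so the
failure mode can be seen on constructed data. Names and data are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed LDIF excerpt (not real directory data). 'alice' has cn == uid;
# the other entry mirrors the case in the task (cn '20after4', uid
# 'twentyafterfour').
SAMPLE_LDIF = """\
dn: uid=twentyafterfour,ou=people,dc=example,dc=org
uid: twentyafterfour
cn: 20after4
mail: mmodell@example.org

dn: uid=alice,ou=people,dc=example,dc=org
uid: alice
cn: alice
mail: alice@example.org
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Parse a minimal LDIF dump into a list of {attribute: value} dicts.

    Only single-valued, unwrapped attributes are handled (dn, uid, cn, mail);
    entries are separated by blank lines, which is all the check needs.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def cn_uid_mismatches(entries: List[Dict[str, str]]) -> List[str]:
    """Return the uids whose cn differs from uid: the accounts hit by this bug."""
    return sorted(e["uid"] for e in entries if e.get("cn") != e.get("uid"))


@dataclass
class GerritAccount:
    """External IDs of one Gerrit account, keyed by scheme ('gerrit', 'username')."""
    external_ids: Dict[str, str]
    http_password: Optional[str] = None  # set only when HTTP passwords are enabled


def login(path: str, supplied: str, accounts: List[GerritAccount],
          entries: List[Dict[str, str]], password: Optional[str] = None,
          policy: str = "LDAP") -> Optional[str]:
    """Resolve a login attempt in the order the task describes.

    path:   'web' uses the gerrit: scheme, 'api' (SSH / HTTP API) uses username:.
    policy: models auth.gitBasicAuthPolicy. With HTTP_LDAP the API path accepts
            a matching HTTP password before LDAP is consulted (assumed order).
    Returns the account's username external ID on success, None on failure.
    """
    scheme = "gerrit" if path == "web" else "username"
    account = next((a for a in accounts if a.external_ids.get(scheme) == supplied), None)
    if account is None:
        return None
    username = account.external_ids.get("username")
    if path == "api" and policy == "HTTP_LDAP" and account.http_password is not None:
        if password == account.http_password:
            return username
        # No match: fall through to the LDAP lookup below.
    # Both paths then search LDAP by cn using the name that was supplied, so the
    # API path fails whenever the uid-derived username is not also the cn.
    entry = next((e for e in entries if e.get("cn") == supplied), None)
    return username if entry else None


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print("cn != uid:", cn_uid_mismatches(directory))
    accts = [GerritAccount({"gerrit": "20after4", "username": "twentyafterfour"}),
             GerritAccount({"gerrit": "alice", "username": "alice"})]
    print("web 20after4       ->", login("web", "20after4", accts, directory))
    print("api twentyafterfour->", login("api", "twentyafterfour", accts, directory))
    print("api alice          ->", login("api", "alice", accts, directory))
```

Run on a real `ldapsearch -LLL ... uid cn` export, `cn_uid_mismatches` lists every account that cannot use LDAP credentials over the API path; `login` shows why the web path still works for the same person and why only an HTTP password under HTTP_LDAP gets them through the API path.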

Change 518811 had a related patch set uploaded (by Thcipriani; owner: Thcipriani):
[operations/puppet@production] gerrit: Re-enable the use of HTTP auth tokens

https://gerrit.wikimedia.org/r/518811

Change 518811 merged by CDanis:
[operations/puppet@production] gerrit: Re-enable the use of HTTP auth tokens

https://gerrit.wikimedia.org/r/518811

thcipriani changed the task status from Open to Stalled. Jun 24 2019, 9:47 PM

> @thcipriani: the fix is turning on http passwords.

Done.

Setting this task to "Stalled", since fixing it means a careful rebuild of the users git repo in Gerrit and we now have a workaround deployed.

Change 527596 had a related patch set uploaded (by Paladox; owner: Thcipriani):
[operations/puppet@production] gerrit: Re-enable the use of HTTP auth tokens

https://gerrit.wikimedia.org/r/527596

Change 527596 merged by CDanis:
[operations/puppet@production] gerrit: Re-enable the use of HTTP auth tokens

https://gerrit.wikimedia.org/r/527596

Can this task be resolved, or declined, or is there more to do here? (Asking as tasks shouldn't remain stalled for years.)

> Can this task be resolved, or declined, or is there more to do here? (Asking as tasks shouldn't remain stalled for years.)

This problem seems pretty intractable (as evidenced by this being stalled for years). We have no plans to try to fix it.