
Rename gerrit2 Gerrit user to gerrit in the administrator group
Open, Low, Public

Description

As seen in T338470#11622962 the Gerrit administrator user will still be gerrit2 after we're done with the task. We should harmonize this to avoid future confusion.

For the sake of naming harmonization, we should probably also rename the gerrit2 administrator account, which will become more and more confusing after we finish changing the system user.


@hashar wrote:
This is a Gerrit user account and is unrelated to the Unix user that got recently renamed from gerrit2 to gerrit (T338470). It is most probably an artifact of older Gerrit versions automatically creating an Administrator account based on the Unix name, but in practice they are disconnected.

From my comment on https://gerrit.wikimedia.org/r/c/operations/puppet/+/1243187/comments/d8bb063c_fec7bd19:

The hiera value is set to gerrit2:

hieradata/common/profile/gerrit.yaml
profile::gerrit::service_account: 'gerrit2'

That is used in:

modules/profile/manifests/gerrit.pp:
String $service_account = lookup('profile::gerrit::service_account', { 'default_value' => 'gerrit2' }),

And I stopped there. The variable is then used to craft ssh urls to port 29418 which are used to craft the configuration of the rename project plugin. It needs administrative rights in order to rename the repo, so that gerrit2 is indeed a different purpose :] Good catch, it should be left untouched for now.

We should create a new dedicated Service User for that purpose.

Event Timeline

This is not possible via web UI.

It would involve roughly:

  • git clone the special "All-Users" repo
  • fetch/checkout the "refs/meta/external-ids" branch
  • find the line like "[externalId "username:gerrit2"]"
  • edit the file and rename it to a SHA1 hash of itself. (echo -n "username:NewName" | sha1sum ?)
  • git commit and push to origin
  • re-index the accounts (ssh -p 29418 <host> gerrit index start accounts <account-id> ?)

Not sure if that's worth it.
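The file rename from the steps above, as an added example that is not part of the original comment or of Wikimedia's tooling. It assumes, following Gerrit's account-storage documentation, that each note in refs/meta/external-ids is a git-config file named after the SHA-1 of the external ID key string (for example username:gerrit2), stored either flat or under a two-character fan-out directory; `rename_username`, `note_name` and the sample account ID are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def note_name(ext_id_key: str) -> str:
    """Note file name: SHA-1 of the external ID key string (assumption, see lead-in)."""
    return hashlib.sha1(ext_id_key.encode("utf-8")).hexdigest()


def _candidates(checkout: Path, name: str) -> tuple[Path, Path]:
    # Flat layout (<sha1>) and fanned-out layout (<2 hex>/<38 hex>).
    return checkout / name, checkout / name[:2] / name[2:]


def rename_username(checkout: Path, old: str, new: str) -> Path:
    """Rename a username external ID in a checkout of refs/meta/external-ids."""
    old_key, new_key = f"username:{old}", f"username:{new}"
    src = next((p for p in _candidates(checkout, note_name(old_key)) if p.is_file()), None)
    if src is None:
        raise FileNotFoundError(f"no note for {old_key}")
    flat, fanned = _candidates(checkout, note_name(new_key))
    if flat.exists() or fanned.exists():
        # Another account already owns the target username: never overwrite it.
        raise FileExistsError(f"{new_key} is already assigned")
    header = f'[externalId "{old_key}"]'
    text = src.read_text(encoding="utf-8")
    if text.count(header) != 1:
        raise ValueError(f"{src} does not contain exactly one {header}")
    dst = flat if src.parent == checkout else fanned
    dst.parent.mkdir(parents=True, exist_ok=True)
    # Only the section header changes; accountId, email and password lines are kept.
    dst.write_text(text.replace(header, f'[externalId "{new_key}"]'), encoding="utf-8")
    src.unlink()
    return dst


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed stand-in for the checkout
        root = Path(tmp)
        note = root / note_name("username:gerrit2")
        note.write_text('[externalId "username:gerrit2"]\n\taccountId = 1000000\n')
        moved = rename_username(root, "gerrit2", "gerrit")
        print(note.name, "->", moved.name)
        print(moved.read_text())
```

The result still has to be committed, pushed and the account re-indexed, as the steps above describe.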

hashar updated the task description.

From T338470#11625057 :

For the Gerrit user, we do not rename users ever, that is asking for too many issues.

The gerrit2 Gerrit account is apparently solely used for the rename project plugin (which IIRC is broken/stalled/unused). I think I reused that account cause it had Administrator privileges and that was convenient for a quick test of that plugin.

We should create a new account for that purpose, add it to Service Users, grant it Administrator privileges, and switch the rename plugin to using it.

Once that is done, I think we can disable the gerrit2 Gerrit account. I don't think it is used for anything (but that can be checked by looking at the logs/sshd_log).

I like this plan :) sounds good