Gerrit 2.16.x only allows an email to exist in a single ExternalID #123
Comments
I wonder if this format change is a general problem in Gerrit core. There is also this thread on the dev mailing list, reporting a similar problem after migrating to a recent Gerrit version: [1].
Back in 2.14, I opened a bug with gerrit about a similar issue (failure modifying All-Users refs/meta/external-ids if an email was duplicated: https://bugs.chromium.org/p/gerrit/issues/detail?id=9001&q=reporter%3Azifnab%40zifnab06.net). From that, and the commit that added the code I linked above, it appears intentional (GerritCodeReview/gerrit@15545de).
As you pointed out in: [1], there seem to be only two workarounds:
[1] https://bugs.chromium.org/p/gerrit/issues/detail?id=9001
@zifnab06 You can try patching your user database, see #124 (comment).
I'm facing the same problems when migrating the plugin version and gerrit to 3.0.0. Could you advise on which of the two workarounds would be more future proof?
I would definitely suggest patching the database prior to migration to 2.15. If you have already migrated then you can use the script provided here: [1]. [1] #124 (comment)
I'm doing a migration from 2.13 to 3.0.0 going through all the intermediate steps. I'm not doing it on the live server, so I can test/rollback if I have problems. What did you mean by:
Patch the NoteDB or the ReviewDB? How would you patch the DB? Using the script on issue 124? Thanks ...
I would assume that it is much easier to fix the database. You would need to prefix the id with a specific prefix. Example: old id: "106504818271694337285", new id: "google-oauth:106504818271694337285". Of course you need a new plugin version that already supports the new external id format. Once you have completed this conversion in the database, you could migrate to 2.15 and the account specific tables are migrated to NoteDb with the already correct external id format.
Which would be your suggestion to update the entries in the NoteDB database? Thanks for your support.
You only need to upgrade oauth-plugin once, from an older version that doesn't require the prefix, to a newer version that does require the prefix for the external id format.
Sorry @davido, but I'm really stuck with this. Would you have a hint on how to update the database before migrating to 2.15?
Connect per Say you have this table:
And say you have these rows:
Now, we would like to prefix the ids with some specific prefix, say 'prefix-', then we could do this update:
Now the content is:
@davido Thanks!
The lower() = upper() part is to select only those rows that have the oauth value which is only a number, without any letters.
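The prefixing update described in the two comments above, as an added example that is not code from this thread or from the plugin. It runs against an in-memory SQLite database; the table `ext_ids`, its columns and the sample rows are constructed stand-ins, not Gerrit's ReviewDB schema, and the `STRICT` digits-only filter is an addition beyond what the thread describes.

```python
import sqlite3

PREFIX = "google-oauth:"  # prefix named in the thread

# Constructed sample rows; table and column names are hypothetical stand-ins.
ROWS = [
    (1, "106504818271694337285"),               # legacy bare numeric id
    (2, "google-oauth:106504818271694337286"),  # already in the new format
    (3, "gerrit:alice"),
    (4, "mailto:bob@example.com"),
    (5, "2019-01"),                             # no letters, but not a bare number
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ext_ids (account_id INTEGER, external_id TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO ext_ids VALUES (?, ?)", ROWS)
    return db

# Filter from the thread: a value with no letters is unchanged by case folding.
LOOSE = "lower(external_id) = upper(external_id)"
# Stricter filter (added here): non-empty and made of digits only.
STRICT = "external_id <> '' AND external_id NOT GLOB '*[^0-9]*'"

def add_prefix(db, where):
    """Prefix matching rows in one transaction; return the number of rows changed."""
    with db:  # commits on success, rolls back if the UPDATE raises
        cur = db.execute(
            f"UPDATE ext_ids SET external_id = ? || external_id WHERE {where}",
            (PREFIX,),
        )
    return cur.rowcount

def ids(db):
    """Return all external ids ordered by account id."""
    return [r[0] for r in db.execute("SELECT external_id FROM ext_ids ORDER BY account_id")]

if __name__ == "__main__":
    for name, where in (("loose", LOOSE), ("strict", STRICT)):
        db = make_db()
        # Second call shows the update is safe to re-run: prefixed ids contain letters.
        print(name, add_prefix(db, where), add_prefix(db, where), ids(db))
```

The loose filter also rewrites the constructed `2019-01` row because it contains no letters, while the strict filter touches only the bare numeric id.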
Good news: thanks @lucamilanesio this is now fixed: [1]. I will close this issue, when: [1] is merged.
Hi!
We're running the 2.16 plugin from the releases page with Gerrit 2.16.2. Users are stored in NoteDB.
2.16.x only allows an email address to be attached to a single external ID: https://github.com/GerritCodeReview/gerrit/blob/stable-2.16/java/com/google/gerrit/server/account/AccountManager.java#L367-L374
When a user signs in that has a non-prefixed externalId entry (ie, "10000XXXX" instead of "google-oauth:10000XXXX"), the following shows up in logs and the user is redirected to a forbidden page:
An external id is still created for the user without an email, however they're redirected to a forbidden page when they log in.
So, given a user with the following external id block in All-Users.git's refs/meta/external-ids:
gerrit creates an external ID, without an email:
and the user is redirected to
https://review.lineageos.org/oauth?state=<snip>&code=<snip>scope=email+profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email
with a "Forbidden" message. I'm also able to reproduce this on a clean installation by removing the "google-oauth:" prefix on an account, moving the external-id file to the correct spot, pushing it, and trying to sign in again, even in an incognito session.
Relevant configuration block (note: the same thing happens without fix-legacy-user-id, the new ExternalID just isn't created)
Is there a way to mass migrate users to the new format with NoteDB? Or possibly another workaround that doesn't involve changing ~5300 files in NoteDB?
Thanks!