Closed GoogleCodeExporter closed 9 years ago
[deleted comment]
Hi, it would be good to change this from minor to major. As far as we can
tell, we can not authenticate with google at all on new instances of gerrit
using google auth provider.
Original comment by edward.r...@gmail.com
on 28 May 2014 at 4:28
Yup should be major, same issue with a new instance we made. Move to G+ Sign in
would be appreciated!
Original comment by sfera...@gmail.com
on 30 May 2014 at 3:22
Original comment by David.Os...@gmail.com
on 3 Jun 2014 at 8:34
This is definitely an issue, as yahoo openID works flawlessly, and I obviously
would rather have Google working.
Original comment by xlightwa...@gmail.com
on 4 Jul 2014 at 9:30
@xlightwa - I think you might have misunderstood the problem. Google have
DROPPED SUPPORT for OpenID for new client registrations. There is nothing the
Gerrit developers can do to restore that.
They are looking at alternative sign-in methods for Google, but OpenID won't be
restored.
Original comment by matt...@unsolvable.org
on 5 Jul 2014 at 6:24
Clarification on my desired outcome for closure on this issue.
As a gerrit administrator I would like to provide my end-users with an
authentication method that uses a go-forward google supported authentication
provider. As it stands, I can not use gerrit with any google authentication
provider available.
Original comment by edward.r...@gmail.com
on 5 Jul 2014 at 11:31
Well if Google is out of commission, where can I find the documentation for a
successful GitHub Authentication? I have tried various options on Google and I
cannot seem to even have that work. The only luck I have had was with Yahoo.
Original comment by xlightwa...@gmail.com
on 16 Jul 2014 at 5:39
> where can I find the documentation for a successful GitHub Authentication?
GitHub does not support OpenID either. Gerrit 2.9 will add an authentication
method for GitHub, but 2.9 is not yet released, and likely there will be a few
limitations (e.g. currently it doesn't work through a proxy - see
http://code.google.com/p/gerrit/issues/detail?id=2757)
> The only luck I have had was with Yahoo.
Yes, Gerrit authentication using OpenID works with any OpenID provider. Yahoo
is one (but not Google).
Original comment by matt...@unsolvable.org
on 17 Jul 2014 at 10:29
Workaround is to use other OpenID providers or use OAuth GitHub authentication
provider:
https://gerrit-review.googlesource.com/57570
Original comment by David.Os...@gmail.com
on 18 Jul 2014 at 7:00
> Gerrit 2.9 will add an authentication method for GitHub [...]
Nope, unfortunately: the change was rejected, so you would need to patch Gerrit
yourself:
* stable-2.8: [1]
* stable-2.9: [2]
[1] https://gerrit-review.googlesource.com/58670
[2] https://gerrit-review.googlesource.com/58010
Original comment by David.Os...@gmail.com
on 18 Jul 2014 at 7:05
>> Gerrit 2.9 will add an authentication method for GitHub [...]
> Nope, unfortunately: the change was rejected
It looks like the relevant change (in "Needs Code-Review" status at the time of
writing) is:
https://gerrit-review.googlesource.com/#/c/57570/
and you're right, that's on master only.
So I'm not sure when that means we will see it in an official release. Quite a
few people need this capability (following Google OpenID being removed), so
sooner would be great ...
Gerrit 2.9 has just been released, so that means waiting till either 2.9.1 (if
it can be cherry-picked there), or 2.10. Alternatively, as has been pointed
out, you can try and build it yourself.
Original comment by matt...@unsolvable.org
on 18 Jul 2014 at 12:15
> It looks like the relevant change (in "Needs Code-Review" status at the time
> of writing) is:
> https://gerrit-review.googlesource.com/#/c/57570/
[...]
> Gerrit 2.9 has just been released, so that means waiting till either 2.9.1
> (if it can be cherry-picked there), or 2.10.
This change missed 2.10 too. So it is probably only going to be available on
2.11.
Original comment by David.Os...@gmail.com
on 22 Jul 2014 at 1:03
> This change missed 2.10 too.
That's a real shame, I'm waiting on that change for a new Gerrit deployment.
A lot of good work has been done by Luca Milanesio and David Ostrovsky on this,
but this is a relatively complex change (see the patchset
https://gerrit-review.googlesource.com/#/c/57570/), and it's still waiting for
review.
Is there any chance of it making 2.10rc1 (even if in "experimental" status)?
Original comment by matt...@unsolvable.org
on 22 Jul 2014 at 1:16
Anyone know what the holdup on the review is?
Original comment by geer...@gmail.com
on 2 Sep 2014 at 10:18
If you need a workaround today:
http://stackoverflow.com/questions/26215409/google-authentication-for-gerrit-and-jenkins
Original comment by m...@ukeller.ch
on 6 Oct 2014 at 11:48
This issue is a major showstopper for us as well. Preferably, Gerrit should at
least support an authentication scheme that doesn't rely on a third party.
Having OpenID and such available is nice. Having ONLY OpenID available is not,
and this situation is living proof of this.
Gerrit is a great piece of software, but in this situation we just can't use it.
Original comment by toumaltheorca@gmail.com
on 20 Oct 2014 at 1:22
Just as a note, Google will completely shut down OpenID 2.0 on April 20th 2015,
as per their timetable:
https://developers.google.com/+/api/auth-migration#timetable
Original comment by toumaltheorca@gmail.com
on 4 Dec 2014 at 4:53
I agree that "Gerrit should at least support an authentication scheme that
doesn't rely on a third party". Fortunately, it already does:
https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#auth
Original comment by dborowitz@google.com
on 4 Dec 2014 at 8:16
FWIW we've been using v2.10-rc0 and then switched to builds from stable-2.10
branch with the github oauth plugin for a few months now.
Original comment by geer...@gmail.com
on 4 Dec 2014 at 9:50
@dborowitz er, the page you linked to appears to only list the now-disabled
"OpenID" method and various ways to set up an LDAP integration... so is LDAP
the only supported SSO method now? Will OpenID Connect/OAuth2 be supported
sometime before April 2015? At that point it sounds like existing installations
will stop working with Google, which is even worse than not being able to set
up new installations...
Original comment by rheyw...@google.com
on 6 Dec 2014 at 6:22
@dborowitz: That is sadly no solution. First of all, in new situations, LDAP is
not always available nor is it always possible to set up for various reasons.
If a software can't be deployed without the need for setting up a separate SSO
system, that software will simply not make the cut. I've had to drop Gerrit
from several projects because of this.
Existing projects that use gerrit extensively are also not helped by this.
Third, I wrote "Gerrit should at least support an authentication scheme that
doesn't rely on a third party", and you respond by saying that it does support
LDAP - which is a third party solution. Yes you can run your own, but it's
still a separate piece of software.
No. Pretty much every software out there with a user account system has the
ability to register new users and manage and authenticate them without needing
google, a separate LDAP server, or anything like that.
We're using Atlassian for various work-related projects now because of this.
And I'm facing the prospect of having to stop using Gerrit unless there's a
possibility to continue working with the current user accounts beyond the
OpenID shutdown.
Gerrit needs a new user registration form, a user management page, and perhaps
a password recovery form. Not just LDAP.
Original comment by toumaltheorca@gmail.com
on 6 Dec 2014 at 11:41
@toumaltheorca Some of the things you say are true, but there are more OpenID
providers than Google... http://openid.net/get-an-openid/
What do you suggest Gerrit use to provide "a new user registration form, a user
management page, and perhaps a password recovery form"?
Original comment by Mark.J.A...@gmail.com
on 7 Dec 2014 at 12:04
@Mark: Part of the problem is that OpenID itself is not exactly the most
popular technology out there. The other is that while integration is great to
have, it should be an option, not the *only* option.
What should gerrit use by default? Simple, its own user database. Gerrit
already stores most of that info, all it would need is a password for the web
frontend login, and an account management page.
As a good example of what I mean, take a look at Redmine: You can still use
external SSO with that, but by default it can just run using its own user
authentication and management. And it's really simple too, there's a
registration form and a management page for approving new user accounts. The
git stuff uses pubkeys anyway so nothing changes there. And best of all, with
Redmine, if any of the external authentication mechanisms goes away for some
reason, it's possible to switch to the internal authentication without having
to create new users or reassign project memberships.
Ideally, the same would be true for Gerrit: Google disabling OpenID should be
something we can deal with by just sending users their new gerrit password via
email after switching to the built-in authentication method.
Original comment by toumaltheorca@gmail.com
on 7 Dec 2014 at 12:59
@toumaltheorca Atlassian has the Crowd product, which supports being an OpenID
endpoint. We are doing that to migrate (some of) our users off of Google.
Original comment by pedah...@gmail.com
on 10 Dec 2014 at 12:49
@pedah... (name deobfuscation doesn't work for some reason)
Yeah we're aware of that. My problem is twofold: At work I wanted to deploy
Gerrit in an enclosed environment where each active service is a huge political
and administrative issue. Any software that's self-sufficient is a huge plus
there. Gerrit could not be used because it lacks user registration. I'd write a
patch myself, but I see that this has already been done, but the change has
not been accepted into the official branch.
Second, I'm running several private projects with lots of contributors. It
would be perfect if we could just transition from OpenID to an internal account
system. For operating GIT this is already not an issue since it uses pubkey
auth, all Gerrit would need to add is a user/pass login method for the web
interface, a registration page, and perhaps a userlist with links to
accept/reject new registrations.
I really like Gerrit a lot, and I think this would be a big improvement.
Original comment by toumaltheorca@gmail.com
on 10 Dec 2014 at 3:27
I thought setting up Gerrit with ldap was painful in a corporate environment, but
now, using google business email service with no IT, I thought life would be
easier with the default option of OpenID, but it's painful. When will Gerrit
introduce some method of user authentication? I don't mind which way, something
which works like an internal database of Gerrit. It's a shame we are deprecating
OpenID2.0 without any solution beforehand.
Original comment by saj...@vocaliq.com
on 6 Jan 2015 at 11:47
@saj >> It's a shame we are deprecating OpenID2.0
I think you might have misunderstood the problem.
Gerrit is not deprecating OpenID. Gerrit continues to support it.
Google have DROPPED SUPPORT for OpenID for new client registrations. There is
nothing the Gerrit developers can do to restore that.
Original comment by matt...@unsolvable.org
on 8 Jan 2015 at 10:50
@matt...@unsolvable.org
Well I understand the problem, the solution is to provide Gerrit's own database for
users as suggested here. When so many people use a product it's hard to just say we
are dropping support because a third party doesn't support it any more, you
have to provide alternative.
Original comment by saj...@vocaliq.com
on 13 Jan 2015 at 1:48
@saj
There's no support for anything that has been dropped in gerrit.
Your users depended on Google for an OpenID, they can instead depend on
something else. Or some more people can put their hand up to work on the code
under review. "you have to provide alternative" makes it sound like you've been
paying for both gerrit and OpenID, which I doubt you have been doing...
Original comment by Mark.J.A...@gmail.com
on 13 Jan 2015 at 2:07
Is there anything being done on OpenID Connect from Google which seems to be
the newer way of authenticating users? If so, can somebody point me in that
direction so I might be able to assist?
Original comment by bmad...@myvest.com
on 13 Jan 2015 at 7:19
I agree... OpenID 2.0 is not current, and while Google's abrupt dropping of
support is very inconvenient, OpenID Connect was introduced for valid reasons
and it seems that if this piece of integration is to remain it should support
the current release of the OpenID standard.
Original comment by m...@lark-it.com
on 13 Jan 2015 at 10:42
All identities in our organization are managed using google. So, migrating to
another openid provider would be a big problem / extra hassle. We would either
have to patch gerrit ourselves, and use out of tree version -- and switch to
another code review solution.
Given the presence of the patch - I really don't understand why it cannot be
merged into the product.
Original comment by i...@cloudlinux.com
on 17 Feb 2015 at 1:32
> So, migrating to another openid provider would be a big problem, [...]
> Given the presence of the patch - I really don't understand why it cannot be
> merged into the product.
For one the mentioned patch is available as Gerrit GitHub plugin, for another
even merged into Gerrit core it wouldn't solve your problem: It would force
your user base to move to GitHub OAuth. I guess you are missing the point, that
GitHub OAuth Provider wouldn't enable your site to use Google OpenID Connect.
So wait until someone has implemented Google OpenID Connect provider in Gerrit,
switch to different provider or use HTTP auth scheme in combination with Apache
reverse proxy with installed and configured mod_auth_openidc module: [1].
[1]
http://stackoverflow.com/questions/26215409/google-authentication-for-gerrit-and-jenkins
Original comment by David.Os...@gmail.com
on 17 Feb 2015 at 2:18
Google OAuth2 authentication provider for Gerrit is here: [1].
[1] https://github.com/davido/gerrit-google-oauth-provider
Original comment by David.Os...@gmail.com
on 24 Feb 2015 at 9:04
I've tried the change, it works quite well. Had to insert my G+ profile URL
into the field, it would be nice to just have the G+ button to sign-in. Thanks
for your work David, very much appreciated.
Original comment by tsu...@lagat.org
on 27 Feb 2015 at 9:06
> Had to insert my G+ profile URL into the field
Which field? When the OAuth extension point change [1] with the plugin [2] is
used, there is no input field anymore. Are you still on OpenID auth scheme?
Have you switched auth.type = OAUTH in gerrit.config?
[1] https://gerrit-review.googlesource.com/65101
[2] https://github.com/davido/gerrit-oauth-provider
Original comment by David.Os...@gmail.com
on 27 Feb 2015 at 9:58
[deleted comment]
[deleted comment]
> Currently gerrit complains with this for me:
>
> javax.servlet.ServletException: OAuth service provider wasn't installed
That's correct. As explained in this thread [1] on dev ML, the OAuth providers
are supplied by plugins. So what has happened now is that no OAuth providers/plugins
were installed on your site, so Gerrit cannot operate and refuses to start.
What you need is to build the gerrit-oauth-provider plugin, install it in your
$site_path/plugins and configure the provider(s).
I haven't provided any documentation yet, but what you basically need is to go to
the Google/GitHub development console, create a new project, set up client-id and
client-secret, enable Google+ API, and add these lines to your gerrit.config:

  [plugin "gerrit-oauth-provider-google-oauth"]
    client-id = "foo"
    client-secret = "bar"
    callback = "http://localhost:8080/oauth"
  [plugin "gerrit-oauth-provider-github-oauth"]
    client-id = "baz"
    client-secret = "qux"
    callback = "http://localhost:8080/oauth"

If you don't need/want that your users can use GitHub OAuth provider as well,
just remove the GH section.
Note that all three options are mandatory for now, but I will optimize it and
make callback optional. It can be induced from gerrit.canonicalWebUrl that is
always available anyway.
[1] https://groups.google.com/d/topic/repo-discuss/K2U6WcWSCaE/discussion
Original comment by David.Os...@gmail.com
on 27 Feb 2015 at 10:40
Setting the plugin options in gerrit.config did the trick. Thanks!
Original comment by tsu...@lagat.org
on 27 Feb 2015 at 11:07
Any idea when we will have this support in gerrit? Is there any version plan?
Original comment by and...@gherzan.ro
on 18 Mar 2015 at 8:11
I saw core support for oauth in just released 2.10.1. However, it still
requires a plugin, e.g., the one David created.
I had only partial success with the plugin. I couldn't convince gerrit to
create new account and was constantly getting exception that user name cannot
contain spaces (it is trying to use my real name). I saw that I would need to
create some entry manually, but I couldn't find any documentation about that...
:(
Original comment by caw...@gmail.com
on 18 Mar 2015 at 8:43
Thank you. If you succeed please shoot a message here so I can try it myself.
Original comment by and...@gherzan.ro
on 18 Mar 2015 at 8:47
>I saw core support for oauth in just released 2.10.1.
Yes.
>I couldn't convince gerrit to create new account and was constantly getting
>exception.
Stack trace?
Also, make sure you are using the three changes that weren't merged yet.
And the most recent plugin version.
It was changed not to try to guess the username anymore (it didn't work),
and to allow the user to assign the username instead. Also note that linking
of a new OAuth identity to an existing OpenID account should just work.
Original comment by David.Os...@gmail.com
on 18 Mar 2015 at 8:52
Currently these changes are needed on top of 2.10.1 for
plugin to compile and work properly: [1],[2] and [3].
[1] https://gerrit-review.googlesource.com/66310
[2] https://gerrit-review.googlesource.com/66311
[3] https://gerrit-review.googlesource.com/66312
Original comment by David.Os...@gmail.com
on 18 Mar 2015 at 8:54
I have tried a few days ago and not sure about the latest version. I
definitely didn't use the latest patches.
I will try again soon and report my success (hopefully :)). And big thanks for
making this implementation!
Original comment by caw...@gmail.com
on 18 Mar 2015 at 8:56
Hi David,
I have successfully configured and tried out both google and github oauth
providers. There was a tiny glitch with github provider (I submitted a pull
request to your repo with a fix).
One function to consider in the future is ability to link other oauth
identities to the same gerrit account. It is already possible to do by
manually editing `account_external_ids` table, but having this in UI interface
could be better.
Original comment by caw...@gmail.com
on 21 Mar 2015 at 4:00
Thanks for the fix and Documentation, it was merged.
I removed the callback configuration from gerrit config
and induced it from canonicalWebUrl and screwed it up
for GitHub.
>One function to consider in the future is ability to
>link other oauth identities to the same gerrit account.
Definitely.
Right now only automatic linking OAuth->OpenID works
for Google accounts. But the OpenID auth scheme allows that
through the UI: Identities => Link another identity. My plan
is to support the same for the OAUTH auth scheme.
One complication: In this pending change: [1] I added
support for another important mode: Hybrid-OpenID+OAuth
auth scheme. The linking must work there too, in both
directions.
[1] https://gerrit-review.googlesource.com/66313
Original comment by David.Os...@gmail.com
on 21 Mar 2015 at 6:39
Original issue reported on code.google.com by
tsu...@lagat.org
on 22 May 2014 at 8:43