davido / gerrit-oauth-provider

OAuth2 authentication provider for Gerrit Code Review. Please upload changes for review to: https://gerrit-review.googlesource.com/#/admin/projects/plugins/oauth
Apache License 2.0
141 stars 84 forks source link

Migration of Git users to Azure AD users #166

Closed Kapsztajn closed 2 years ago

Kapsztajn commented 2 years ago

Hello!

Firstly thanks Davido for this amazing provider. Im currently in proces of implementing Azure AD login to my different tools. As I'm using Gerrit I'm trying to also implement it there, but I found one issue which is stopping me. I have around 15 users in Gerrit which are using it daily, all of them have Azure AD account. When I login with users which did not have account before, new users is created, great! But when I tried to login with user which exist I got this error:

Unable to authenticate user "com.google.gerrit.extensions.auth.oauth.OAuthUserInfo@3bdcd754" com.google.gerrit.server.account.AccountException: Email 'example@email.com' in use by another account

So I change that user email, but then complete new user is created. It is not liked as I though it will do. Probably there is some identity difference, as I see normaly user have some identity like name.surname and Azure AD have whole identity number from Azure?

Do you know if there is a way to migrate user, or maybe manually swap their identity? I don't have much knowledge how to even change that identity cause Gerrit don't have any member UI...

davido commented 2 years ago

I see you have also asked this question on the mailing list: [1].

I am not sure I understand what you are trying to achieve. Also what Gerrit version are you using?

Im currently in proces of implementing Azure AD login to my different tools. As I'm using Gerrit I'm trying to also implement it there, but I found one issue which is stopping me.

What is your current auth type in Gerrit?

But when I tried to login with user which exist I got this error: Unable to authenticate user [...]

From what authentication scheme are you trying to migrate to OAuth2?

Have you also checked the FAQs.

And especially this and this issues?

[1] https://groups.google.com/g/repo-discuss/c/-TzewEt18ms

Kapsztajn commented 2 years ago

Hello, yes I also asked the question on Google group, did not know if you are still responsing here.

Also what Gerrit version are you using?

Im using Gerrit 3.4.0

What is your current auth type in Gerrit?

Currently:

[auth]
        type = HTTP

with this config in Apache:

        <Location /login/>
            AuthType Basic
            AuthName "Gerrit Code Review"
            AuthUserFile "/etc/apache2/.htpasswd_gerrit"
            Require valid-user
        </Location>

And the identity looks like this:

Identity   
  | example@email.com |
  |  gerrit:example_username |

Users is in .htpasswd_gerrit

After the switch to Azure AD it looks like this:

[auth]
    type = OAUTH
    gitBasicAuthPolicy = HTTP

with identity:

Identity |  
-- | --
  | example@email.com | azure-oauth:Object ID of AD user

Where is the Link Identity button? Will it link Azure AD auth account to HTTP auth user? I can do this manually too with all users but I dont really know how.

davido commented 2 years ago

Link identity is only supported with OpenID and OAuth auth schemes. Also combined scheme OpenID/OAuth supports linking user identity.

In your case, you would have to do manual migration.

In NoteDb external IDs are stored in the All-Users repository in a Git Notes branch called refs/meta/external-ids where the sha1 of the external ID is used as note name.

Kapsztajn commented 2 years ago

Hello Davido, thank you for direction how to do this. I managed to do this somehow, steps below if someone have same problem :)

Clone All-Users repo: git clone "https://gerrit.example.com/a/All-Users"

Add rights to Admin group:

[capability]
    accessDatabase = group Administrators
[access "refs/meta/*"]
    push = +force group Administrators
    forgeAuthor = group Administrators
    forgeCommitter = group Administrators

Go to All-Users folder which you clone and do some git magic:

git fetch origin refs/meta/external-ids:refs/meta/external-ids
git checkout refs/meta/external-ids

Get new user ID via Rest API or user can tell you his ID and search it:

git grep -e 1000023

Edit file which you searched and changed accountId to the one you want to link with this externatId Push changed to repo:

git add -A
git commit --signoff
git push origin HEAD:refs/meta/external-ids