Hi Stephen,
I'm having nearly the same problem and I want to solve it during the
weekend. Or rather: I have solved it before in a way that I don't want to
implement a second time.
In addition to the possibilities there are some more:
4) Use the REST API, however that might be a chicken-egg problem again:
How do you authenticate against that?
5) Use the suexec [1] / peer_keys mechanism [2]
In [3], I'm doing some black magic (with my early Ruby knowledge) to
create an SSH keypair and place its pubkey in the file etc/peer_keys
(without a leading ssh-(rsa|dsa)). Using that key, you can log into
Gerrit as user "Gerrit Code Review". (*)
However, that's what bothers me, you can only impersonate other users
this way - so you can't directly issue a "gerrit create-account"
command, but have to specify the email address of the Gerrit user (that
needs to be an admin) as whom you want to act. And yes.. welcome
chicken-egg problem - how to create that user?
So I'm about to post that problem to the list that probably fits even
better than this one (repo-discuss [4]).
While I can issue commands like show-caches, I get a "Not Signed In"
exception as soon as I issue e.g. a flush-caches or create-user without a
suexec impersonation. Yes.. that makes it hard to automatize and I see no
reason why it would be bad to allow me to issue such commands, when I
have the power to impersonate any user.
If anybody else knows better than we both here do, I'm happy to hear
from you. Otherwise I'll try to post it to repo-discuss, hopefully still
tonight.
Yours
Steffen
(*) While I was just setting up a VM with that recipe, I noticed that
the peer_keys file is empty. I have to check that..
[1] suexec
[2] Gerrit Code Review - Configuration
Please note that the example is AFAIK wrong. You shouldn't use
ssh_host_rsa_key, but generate a new key pair instead.
[3] https://github.com/TYPO3-cookbooks/gerrit/blob/master/recipes/peer_keys.rb
[4] Redirecting to Google Groups
On 09/01/14 19:35, Stephen Nelson-Smith wrote:
Ohai,
I find myself in a bit of a dependency cycle. I want to be able to automate the creation of accounts and running of gerrit commands over ssh. In the simplest case, I want to automate the creation of a non-interactive Jenkins user, but that's just a specific example of a general requirement.
As far as I can tell, there are three ways to get ssh keys for Gerrit users into Gerrit:
1) Upload them via the web interface
2) Supply them via the gerrit create-account command
3) Stick them directly in the database and flush the cache
I have issues with all 3:
1) This just really sucks. Sure I can automate it, but… really?
2) This has a dependency problem - you need a user with an ssh key in the first place
3) This is a bit nasty, and so far I haven't found a way to flush the cache without using the ssh command, so has the same dependency issue
Have any of you chefs solved this?
S.
--
Stephen Nelson-Smith
@LordCope
http://www.agilesysadmin.net