Automating Gerrit SSH Keys


#1

Ohai,

I find myself in a bit of a dependency cycle. I want to be able to automate the creation of accounts and running of gerrit commands over ssh. In the simplest case, I want to automate the creation of a non-interactive Jenkins user, but that’s just a specific example of a general requirement.

As far as I can tell, there are three ways to get ssh keys for Gerrit users into Gerrit:

  1. Upload them via the web interface
  2. Supply them via the gerrit create-account command
  3. Stick them directly in the database and flush the cache

I have issues with all 3:

  1. This just really sucks. Sure I can automate it, but… really?
  2. This has a dependency problem - you need a user with an ssh key in the first place
  3. This is a bit nasty, and so far I haven’t found a way to flush the cache without using the ssh command, so it has the same dependency issue

Have any of you chefs solved this?

S.


Stephen Nelson-Smith
@LordCope
http://www.agilesysadmin.net


#2

Hi Stephen,

I’m having nearly the same problem and I want to solve it during the
weekend. Or rather: I have solved it before, in a way that I don’t like to
implement a second time now.

In addition to those possibilities there are some more:
4) Use the REST API, however that might be a chicken-egg problem again:
How do you authenticate against that?

5) Use the suexec [1] / peer_keys mechanism [2]
    In [3], I’m doing some black magic (with my early Ruby knowledge) to
    create an SSH keypair and place its pubkey in the file etc/peer_keys
    (without a leading ssh-(rsa|dsa)). Using that key, you can log into
    Gerrit as user “Gerrit Code Review”. (*)
    However, that’s what bothers me: you can only impersonate other users
    this way, so you can’t directly issue a "gerrit create-account"
    command, but have to specify the email address of the Gerrit user (that
    needs to be an admin) as whom you want to act. And yes… welcome
    chicken-egg problem: how to create that user?

So I’m about to post that problem to the list that probably fits even
better than this one (repo-discuss [4]).
While I can issue commands like show-caches, I get a “Not Signed In”
exception as soon as I issue e.g. a flush-caches or create-user without a
suexec impersonation. Yes… that makes it hard to automate, and I see no
reason why it would be bad to allow me to issue such commands when I
have the power to impersonate any user.

If anybody else knows better than we both here do, I’m happy to hear
from you. Otherwise I’ll try to post it to repo-discuss, hopefully still
tonight.

Yours
Steffen

(*) While I was just setting up a VM with that recipe, I noticed that
the peer_keys file is empty. I have to check that…

[1] https://gerrit-review.googlesource.com/Documentation/cmd-suexec.html
[2] https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#_file_code_etc_peer_keys_code
    Please note that the example is AFAIK wrong. You shouldn’t use
    ssh_host_rsa_key, but generate a new key pair instead.
[3] https://github.com/TYPO3-cookbooks/gerrit/blob/master/recipes/peer_keys.rb
[4] https://groups.google.com/forum/#!forum/repo-discuss

On 09/01/14 19:35, Stephen Nelson-Smith wrote:

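Steffen’s peer_keys route, as an added example that is neither the thread’s nor the TYPO3 cookbook’s code: a POSIX shell script that generates a dedicated keypair (not ssh_host_rsa_key, per his note on [2]), extracts the bare key body he describes, and refuses anything that is not an ssh-rsa/ssh-dss key, so an empty peer_keys file like the one he hit is caught rather than silently written. The site path, key path, admin e-mail and the Gerrit restart after editing the file are assumptions.

```shell
#!/bin/sh
# Added example: register a dedicated peer key so that Gerrit commands can be
# run via "Gerrit Code Review"@host + suexec before any admin SSH key exists.
# Assumptions (not from the thread): $site is the Gerrit site directory, the
# key lives outside the site, and peer_keys takes the bare base64 body as
# Steffen describes. Never reuse ssh_host_rsa_key here (see his note on [2]).
set -eu

# peer_key_body: print the base64 body of one OpenSSH public-key line, i.e.
# drop the "ssh-rsa"/"ssh-dss" type and any trailing comment. Anything else
# returns 1 and prints nothing, so a malformed or empty .pub file is noticed
# instead of silently producing an empty etc/peer_keys. Add further key types
# to the case arm if your Gerrit version accepts them.
peer_key_body() {
  # shellcheck disable=SC2086  # word-splitting is intended here
  set -- $1
  case "${1:-}" in
    ssh-rsa|ssh-dss) ;;
    *) return 1 ;;
  esac
  [ -n "${2:-}" ] || return 1
  printf '%s\n' "$2"
}

# install_peer_key SITE KEYFILE: generate a fresh RSA keypair at KEYFILE and
# append its public body to SITE/etc/peer_keys, readable by the owner only.
install_peer_key() {
  site=$1
  key=$2
  ssh-keygen -q -t rsa -b 4096 -N '' -C 'gerrit-peer' -f "$key"
  body=$(peer_key_body "$(cat "$key.pub")")
  mkdir -p "$site/etc"
  ( umask 077; printf '%s\n' "$body" >> "$site/etc/peer_keys" )
  chmod 600 "$site/etc/peer_keys"
}

# Usage (assumed paths; Gerrit must be restarted so the new peer key is read):
#   install_peer_key /var/gerrit/review_site /root/.ssh/gerrit_peer
# Afterwards an admin's commands can be run through suexec, e.g. creating the
# Jenkins account from the thread (flags per the Gerrit suexec and
# create-account docs; check them against your version):
#   ssh -p 29418 -i /root/.ssh/gerrit_peer 'Gerrit Code Review'@localhost \
#     suexec --as admin@example.com -- gerrit create-account \
#     --ssh-key - jenkins < /var/lib/jenkins/.ssh/id_rsa.pub
```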


#3

I jammed the admin in the database directly. Then the API after.

On Jan 9, 2014 10:35 AM, “Stephen Nelson-Smith” <stephen@atalanta-systems.com> wrote:



#4

If anybody else knows better than we both here do, I’m happy to hear
from you. Otherwise I try to post it to repo-discuss hopefully still
tonight.

The moment when you google something and find your own post :smiley:
https://groups.google.com/forum/#!msg/repo-discuss/BrapgsIvibI/7ntUuO6gTpwJ
So I already posted that problem more than a year ago, but made some
other mistake back then. I will continue in that thread.

Steffen

On 09/01/14 21:41, Steffen Gebert wrote:



#5

I faced similar issues with Jenkins plugin installation (auth enabled),
whether to use the config files or use the API. I am using multiple
stages/Chef runs to do this.

Altering the underlying config store (database, or XML files) will work as
long as Chef controls the credentials for those config stores.

On Thu, Jan 9, 2014 at 12:44 PM, Adam Jacob adam@opscode.com wrote:



#6

What did you do about flushing cache? Maybe cache gets flushed if you
restart gerrit anyway…

On 9 January 2014 20:44, Adam Jacob adam@opscode.com wrote:



Stephen Nelson-Smith,
Founder, Principal Consultant,
Atalanta Systems Ltd,
Web: http://agilesysadmin.net
Twitter: @lordcope
Skype: atalanta.systems
Direct: +44 (0) 1329 550203
Mobile: +44 (0) 7917 101919

Atalanta Systems: The Agile Infrastructure Enablers
http://atalanta-systems.com


#7

What did you do about flushing cache? Maybe cache gets flushed if you
restart gerrit anyway…

Sure, the caches are in-memory.

When setting up one user in the beginning this might be okay, but in
general, restarting over and over again is not practical.

Yours
Steffen

On 10/01/14 01:52, Stephen Nelson-Smith wrote:



#8

OK, so I’m jamming an admin user with a public key into the database.
But I’m missing a step. I can’t connect via ssh, and restarting gerrit
makes no difference. When I then upload a key manually, for a different
user, my admin key starts to work. I sense this is a cache flushing thing,
but short of diving into the code, I’m not sure. Any hints/experiences?

On 9 January 2014 20:44, Adam Jacob adam@opscode.com wrote:





#9

Hmm - ok, maybe I was mistaken. Fresh build and chef run, and all works,
repeatably.

On 20 January 2014 13:20, Stephen Nelson-Smith <stephen@atalanta-systems.com> wrote:
