[chef] Re: Automating Gerrit Ssh Keys

[Steffen Gebert < >]

Hi Stephen,

I'm having nearly the same problem and I want to solve it during the
weekend. Or: I have solved it in a way before that I don't like to
implement a second time now again.

In addition to the possibilities there are some more:
4) Use the REST API, however that might be a chicken-egg problem again:
How do you authenticate against that?

5) Use the suexec [1] / peer_keys mechanism [2]
In [3], I'm doing some black magic (with my early Ruby knowledge) to
create a SSH keypair and place its pubkey in the file etc/peer_keys
(without a leading ssh-(rsa|dsa)). Using that key, you can log into
Gerrit as user "Gerrit Code Review". (*)
However, that's what bothers me, you can only impersonate other users
this way - so you can't directly issue a "gerrit create-account"
command, but have to specify the email address of the Gerrit user (that
needs to be an admin) as whom you want to act. And yes.. welcome
chicken-egg problem - how to create that user?

So I'm about to post problem that to the list that probably fits even
better than this one (repo-discuss [4]).
While I can issue like show-caches, I get a "Not Signed In" Exception,
as soon as I issue e.g. a flush-caches or create-user without a suexec
impersonation. Yes.. that makes it hard to automatize and I see no
reason, why it would be bad to allow me issuing such commands, when I
have the power to impersonate any user.

If anybody else knows better than we both here do, I'm happy to hear
from you. Otherwise I try to post it to repo-discuss hopefully still
tonight.

Yours
Steffen
-- 
(*) While I was just setting up a VM with that recipe, I noticed that
the peer_keys file is empty. I have to check that..

[1] https://gerrit-review.googlesource.com/Documentation/cmd-suexec.html
[2]
https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#_file_code_etc_peer_keys_code
Please note that the example is AFAIK wrong. You shouldn't use
ssh_host_rsa_key, but generate a new key pair instead
[3]
https://github.com/TYPO3-cookbooks/gerrit/blob/master/recipes/peer_keys.rb
[4] https://groups.google.com/forum/#!forum/repo-discuss

On 09/01/14 19:35, Stephen Nelson-Smith wrote:
> Ohai,
> 
> I find myself in a bit of a dependency cycle.  I want to be able to 
> automate the creation of accounts and running of gerrit commands over ssh.  
> In the simplest case, I want to automate the creation of a non-interactive 
> Jenkins user, but that's just a specific example of a general requirement.
> 
> As far as I can tell, there are three ways to get ssh keys for Gerrit users 
> into Gerrit:
> 
> 1) Upload them via the web interface
> 2) Supply them via the gerrit create-account command
> 3) Stick them directly in the database and flush the cache
> 
> I have issues with all 3:
> 
> 1) This just really sucks.  Sure I can automate it, but… really?
> 2) This has a dependency problem - you need a user with an ssh key in the 
> first place
> 3) This is a bit nasty, and so far I haven't found a way to flush the cache 
> without using the ssh command, so has the same dependency issue
> 
> Have any of you chefs solved this?
> 
> S.
> 
> -- 
> Stephen Nelson-Smith
> @LordCope
> http://www.agilesysadmin.net
>