- From: Steffen Gebert
- Subject: [chef] Re: Automating Gerrit Ssh Keys
- Date: Thu, 09 Jan 2014 21:41:33 +0100
Hi Stephen,
I'm having nearly the same problem and I want to solve it during the
weekend. Or rather: I have solved it before, in a way that I'd rather
not implement a second time now.
In addition to the possibilities you listed, there are some more:
4) Use the REST API; however, that might be a chicken-and-egg problem again:
how do you authenticate against that?
5) Use the suexec [1] / peer_keys mechanism [2].
In [3], I'm doing some black magic (with my early Ruby knowledge) to
create an SSH keypair and place its pubkey in the file etc/peer_keys
(without a leading ssh-(rsa|dsa)). Using that key, you can log into
Gerrit as user "Gerrit Code Review". (*)
However, that's what bothers me: you can only impersonate other users
this way - so you can't directly issue a "gerrit create-account"
command, but have to specify the email address of the Gerrit user (which
needs to be an admin) as whom you want to act. And yes.. welcome,
chicken-and-egg problem - how do you create that user?
So I'm about to post that problem to a list that probably fits even
better than this one (repo-discuss [4]).
While I can issue commands like show-caches, I get a "Not Signed In" exception
as soon as I issue e.g. a flush-caches or create-user without a suexec
impersonation. Yes.. that makes it hard to automatize, and I see no
reason why it would be bad to allow me to issue such commands when I
have the power to impersonate any user.
If anybody else knows better than we both do, I'm happy to hear
from you. Otherwise I'll try to post it to repo-discuss, hopefully still
tonight.
Yours,
Steffen
--
(*) While I was just setting up a VM with that recipe, I noticed that
the peer_keys file is empty. I have to check that..
[1] https://gerrit-review.googlesource.com/Documentation/cmd-suexec.html
[2] https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#_file_code_etc_peer_keys_code
Please note that the example is AFAIK wrong. You shouldn't use
ssh_host_rsa_key, but generate a new key pair instead.
[3] https://github.com/TYPO3-cookbooks/gerrit/blob/master/recipes/peer_keys.rb
[4] https://groups.google.com/forum/#!forum/repo-discuss
On 09/01/14 19:35, Stephen Nelson-Smith wrote:
> Ohai,
>
> I find myself in a bit of a dependency cycle. I want to be able to
> automate the creation of accounts and running of gerrit commands over ssh.
> In the simplest case, I want to automate the creation of a non-interactive
> Jenkins user, but that's just a specific example of a general requirement.
>
> As far as I can tell, there are three ways to get ssh keys for Gerrit users
> into Gerrit:
>
> 1) Upload them via the web interface
> 2) Supply them via the gerrit create-account command
> 3) Stick them directly in the database and flush the cache
>
> I have issues with all 3:
>
> 1) This just really sucks. Sure I can automate it, but… really?
> 2) This has a dependency problem - you need a user with an ssh key in the
> first place
> 3) This is a bit nasty, and so far I haven't found a way to flush the cache
> without using the ssh command, so has the same dependency issue
>
> Have any of you chefs solved this?
>
> S.
>
> --
> Stephen Nelson-Smith
> @LordCope
> http://www.agilesysadmin.net
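A worked version of option 5 from Steffen's reply, as an added example that is not code from this thread or from the TYPO3-cookbooks recipe linked as [3]. It is in Ruby because Chef recipes are Ruby. It generates a fresh RSA keypair (rather than reusing ssh_host_rsa_key, as the note on [2] advises), encodes the public key in OpenSSH wire format, and produces the etc/peer_keys line, which is the Base64 key data without the leading "ssh-rsa ". The file writer refuses to leave an empty peer_keys behind, the symptom mentioned in the footnote. The suexec builder assumes the `--as EMAIL -- COMMAND` form from the cmd-suexec page linked as [1]; the host, paths and admin address are placeholders, and the impersonated admin must already exist, which is exactly the chicken-and-egg problem the thread describes.

```ruby
# Added example (not from the thread or the linked cookbook). Generates a
# dedicated RSA keypair for Gerrit's peer_keys mechanism, emits the public key
# in the format etc/peer_keys expects (Base64 key data, no "ssh-rsa " prefix),
# and builds the suexec invocation. Host, paths and e-mail are placeholders.
require 'openssl'
require 'base64'

# SSH wire-format encodings from RFC 4251: "string" and "mpint".
def ssh_string(bytes)
  [bytes.bytesize].pack('N') + bytes
end

def ssh_mpint(bn)
  bytes = bn.to_s(2)                                        # big-endian magnitude
  bytes = "\x00".b + bytes if bytes.getbyte(0) & 0x80 != 0  # keep it positive
  ssh_string(bytes)
end

# Generate a fresh key rather than reusing the host key (see the note on [2]).
def generate_peer_key(bits = 2048)
  OpenSSL::PKey::RSA.new(bits)
end

# Base64 blob of the OpenSSH public key: what follows "ssh-rsa " in an
# authorized_keys line, and the whole of a peer_keys line.
def openssh_rsa_blob(key)
  Base64.strict_encode64(ssh_string('ssh-rsa'.b) + ssh_mpint(key.e) + ssh_mpint(key.n))
end

def authorized_key_line(key, comment)
  "ssh-rsa #{openssh_rsa_blob(key)} #{comment}"
end

# etc/peer_keys: one Base64 blob per line, without the "ssh-rsa " prefix.
def peer_keys_content(key)
  openssh_rsa_blob(key) + "\n"
end

# Decode a blob back into its fields; used to check that what we wrote is well-formed.
def parse_rsa_blob(blob)
  data = Base64.strict_decode64(blob)
  fields = []
  until data.empty?
    len = data.byteslice(0, 4).unpack1('N')
    fields << data.byteslice(4, len)
    data = data.byteslice(4 + len, data.bytesize - 4 - len)
  end
  { type: fields[0], e: OpenSSL::BN.new(fields[1], 2), n: OpenSSL::BN.new(fields[2], 2) }
end

# Write the private key (0600) and peer_keys, refusing to leave an empty
# peer_keys behind (the footnote in the thread reports exactly that symptom).
def write_peer_key_files(key, private_path:, peer_keys_path:)
  content = peer_keys_content(key)
  raise 'refusing to write an empty peer_keys' if content.strip.empty?
  File.open(private_path, 'w', 0600) { |f| f.write(key.to_pem) }
  File.open(peer_keys_path, 'w', 0600) { |f| f.write(content) }
  content
end

# Assumption: suexec's "--as EMAIL -- COMMAND" form from the cmd-suexec docs ([1]).
# The impersonated user must already exist and be an admin.
def suexec_command(host:, key_path:, as_email:, gerrit_args:, port: 29418)
  ['ssh', '-p', port.to_s, '-i', key_path, "Gerrit Code Review@#{host}",
   'suexec', '--as', as_email, '--', *gerrit_args]
end

if __FILE__ == $PROGRAM_NAME
  key = generate_peer_key
  puts peer_keys_content(key)
  puts suexec_command(host: 'gerrit.example.com', key_path: '/etc/gerrit/peer_key',
                      as_email: 'admin@example.com',
                      gerrit_args: %w[gerrit create-account --full-name Jenkins jenkins]).inspect
end
```

The command is built as an argv array rather than a shell string so the user name "Gerrit Code Review", which contains spaces, needs no quoting; pass it to `system(*cmd)` or Chef's `execute` resource accordingly.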