Google authentication for Gerrit and Jenkins
Jenkins and Gerrit both have OpenID 2.0 plugins, but Google deprecated its OpenID 2.0 API on May 19, 2014 (https://developers.google.com/accounts/docs/openid). New installations can no longer use it, and existing installations must migrate to OAuth 2.0 (OpenID Connect). An attempt to use OpenID 2.0 now fails with the error message "Error 400: OpenID auth request contains an unregistered domain".

The Gerrit team is aware of the problem but has no solution yet: https://code.google.com/p/gerrit/issues/detail?id=2677

I am not sure about Jenkins.
Update 2014/11/05: If you are coming here for the first time, just read on below. Hans Zandbelt gave feedback on the first version, and it has been incorporated into this updated one. The setup now uses his suggested improvements and uses mod_rewrite to redirect Gerrit's logout URL to the right place. Note that instead of the local part of the e-mail address, the full e-mail address is now used unmodified as the user name. This means that if you have an existing setup you need to alter the user name mappings as follows.
For Jenkins, rename the user directory:

    mv ${JENKINS_HOME}/users/youruser ${JENKINS_HOME}/users/youruser@yourdomain

Then open ${JENKINS_HOME}/config.xml, search for "youruser" and replace it with youruser@yourdomain.

For Gerrit:
Open the SQL database with one of the two methods below.

[recommended] Through the gerrit command available over SSH:

    ssh gerrit.revault.ch gerrit gsql

Or directly on the machine (change GERRIT_HOME to match your installation; stop Gerrit first, because the embedded H2 database can only be opened by one process at a time):

    export GERRIT_HOME=/var/gerrit_home
    pushd ${GERRIT_HOME}
    java -cp $(find . -name "h2*.jar") org.h2.tools.Shell -url "jdbc:h2:file:${GERRIT_HOME}/db/ReviewDB;IFEXISTS=TRUE"
To show the external IDs:

    select * from account_external_ids;
The external IDs map an account to its different user names, e-mail addresses etc. The ones prefixed username:, e.g. username:test@example.com, are the SSH/git login names; the ones prefixed gerrit:, e.g. gerrit:test@example.com, are used for the web interface. For a given account_id you can add new mappings for an existing user with SQL, e.g.:

    insert into account_external_ids values(1000032, null, null, 'username:test@example.com');
    insert into account_external_ids values(1000032, null, null, 'gerrit:test@example.com');
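The two manual migration steps above (renaming Jenkins users, and adding e-mail-form external IDs in Gerrit) are easy to get subtly wrong: a plain search-and-replace in config.xml also rewrites "bob" inside "bobby" or turns an already migrated "bob@example.com" into "bob@example.com@example.com", and the Gerrit INSERTs fail on the unique external_id column if run twice. The script below is an added example, not code from the original post. It assumes user names consist of [A-Za-z0-9._-], that Jenkins is stopped while config.xml is edited, that the Gerrit ReviewDB has the Gerrit 2.x account_external_ids layout (account_id, email_address, password, external_id) that the post's INSERT statements rely on, and that the Gerrit SSH host is gerrit.example.com; none of those are stated on the page.

```shell
#!/bin/sh
# Added example, not from the original post: automate the identity migration
# needed once X-Forwarded-User carries the full e-mail address
# (OIDCRemoteUserClaim email) instead of a bare user name.
#
# Assumptions (not made by the page): user names are [A-Za-z0-9._-], Jenkins is
# stopped while config.xml is edited, the Gerrit ReviewDB uses the 2.x
# account_external_ids columns (account_id, email_address, password, external_id),
# and gerrit.example.com is a hypothetical Gerrit SSH host.

# migrate_jenkins_user JENKINS_HOME USER DOMAIN
# Renames users/USER to users/USER@DOMAIN and rewrites references to USER in
# config.xml. The name must sit on an XML boundary (">" ":" or a quote before
# it, "<" or a quote after it), so "bob" rewrites neither "bobby" nor an
# already migrated "bob@example.com". Returns 1 if the user directory is
# missing and 2 if the target already exists; nothing is changed in either case.
migrate_jenkins_user() {
    jenkins_home=$1; user=$2; domain=$3
    cfg="$jenkins_home/config.xml"
    if [ ! -d "$jenkins_home/users/$user" ]; then return 1; fi
    if [ -e "$jenkins_home/users/$user@$domain" ]; then return 2; fi
    esc=$(printf '%s' "$user" | sed 's/[.]/\\./g')   # "." is a regex metachar
    cp "$cfg" "$cfg.bak"                              # keep a copy to roll back
    sed "s/\\([>:\"]\\)$esc\\([<\"]\\)/\\1$user@$domain\\2/g" "$cfg" > "$cfg.new"
    mv "$cfg.new" "$cfg"
    mv "$jenkins_home/users/$user" "$jenkins_home/users/$user@$domain"
}

# gerrit_migration_sql DOMAIN
# Prints gsql statements that, for every account whose "username:" external id
# has no domain part, create the matching "username:<user>@DOMAIN" (ssh/git
# login) and "gerrit:<user>@DOMAIN" (web login) ids. external_id is unique, so
# ids that already exist are skipped and the output can be applied repeatedly.
# "username:" is 9 characters long, hence SUBSTRING(..., 10).
# Usage: gerrit_migration_sql example.com | ssh gerrit.example.com gerrit gsql
gerrit_migration_sql() {
    domain=$1
    for prefix in username gerrit; do
        cat <<EOF
INSERT INTO account_external_ids (account_id, email_address, password, external_id)
SELECT e.account_id, NULL, NULL, '$prefix:' || SUBSTRING(e.external_id, 10) || '@$domain'
FROM account_external_ids e
WHERE e.external_id LIKE 'username:%' AND e.external_id NOT LIKE '%@%'
  AND NOT EXISTS (SELECT 1 FROM account_external_ids x
                  WHERE x.external_id = '$prefix:' || SUBSTRING(e.external_id, 10) || '@$domain');
EOF
    done
    # Final listing so you can eyeball the result in the gsql session.
    echo "SELECT * FROM account_external_ids ORDER BY account_id;"
}
```

Run the Jenkins function once per user with Jenkins stopped, then restart it; the Gerrit statements can be piped straight into gerrit gsql and re-run safely because of the NOT EXISTS guard.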
The solution is to let an Apache reverse proxy handle the authentication for you.

Gerrit

Assume you have installed Gerrit and it is listening on 10.10.10.10:8080. You have to configure Gerrit for HTTP authentication, i.e. to take the user name from a request header. The [auth] section in ${GERRIT_INSTALLATION}/etc/gerrit.config should look like this (the other sections are shown for context):

    [gerrit]
        basePath = git
        canonicalWebUrl = http://gerrit.example.com
    [database]
        type = h2
        database = db/ReviewDB
    [index]
        type = lucene
    [auth]
        type = HTTP
        emailFormat = {0}@example.com
        httpHeader = X-Forwarded-User
    [sendemail]
        smtpServer = localhost
    [container]
        user = gerrit
        javaHome = /usr/lib/jvm/java-8-oracle/jre
    [sshd]
        listenAddress = 10.10.10.10:2222
    [httpd]
        listenUrl = http://10.10.10.10:8080/
    [cache]
        directory = cache

The user name is passed in the header X-Forwarded-User; that is how Apache forwards the user name to Gerrit. Gerrit trusts this header unconditionally, so 10.10.10.10:8080 must be reachable only from the Apache host (bind it to a private address and firewall it). Anyone who can send requests to that port directly can log in as any user simply by setting the header.
On Apache, use mod_auth_openidc, which supports OpenID Connect/OAuth 2.0. For further information and example configurations refer to the docs at https://github.com/pingidentity/mod_auth_openidc. On a recent Ubuntu installation the build and activation look like this:

    sudo aptitude install libjansson-dev apache2 apache2-dev libcurl4-openssl-dev build-essential autoconf libhiredis-dev
    git clone https://github.com/pingidentity/mod_auth_openidc.git
    cd mod_auth_openidc
    ./autogen.sh
    ./configure
    make
    sudo make install
    sudo a2enmod auth_openidc
    sudo a2enmod proxy
    sudo a2enmod proxy_http
    sudo a2enmod headers
    sudo a2enmod rewrite
You then need to add a site configuration, e.g. gerrit.conf, similar to the one below (you will want TLS, too) to /etc/apache2/sites-available and activate it with:

    sudo a2ensite gerrit.conf

The file /etc/apache2/sites-available/gerrit.conf looks like this:

    <VirtualHost *:80>
        ServerName gerrit.example.com
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
        OIDCClientID <from API console>
        OIDCClientSecret <from API console>
        OIDCScope "openid email profile"
        OIDCRedirectURI http://gerrit.example.com/oauth2callback
        OIDCCryptoPassphrase <generate a long random passphrase here; it encrypts the state and session cookies>
        OIDCSessionInactivityTimeout 600
        OIDCCookiePath /
        OIDCAuthRequestParams hd=example.com
        OIDCRemoteUserClaim email
        OIDCAuthNHeader X-Forwarded-User

        RewriteEngine on
        #LogLevel alert rewrite:trace2
        RewriteRule ^/logout$ /oauth2callback?logout=http://gerrit.example.com/ [R]

        ProxyPass / http://gerrit.example.com:8080/ nocanon
        ProxyPassReverse / http://gerrit.example.com:8080/
        ProxyRequests Off
        AllowEncodedSlashes NoDecode
        <Proxy http://gerrit.example.com:8080/*>
            # add rewrites here if necessary
        </Proxy>

        <Location />
            AuthType openid-connect
            <RequireAll>
                Require valid-user
                Require claim hd:example.com
            </RequireAll>
        </Location>
    </VirtualHost>

Two details matter for keeping users from other domains out. The hd=example.com in OIDCAuthRequestParams is only a hint to Google's login page; the server-side check is the Require claim hd:example.com line, which verifies the hd claim in the ID token. And in Apache 2.4 several Require lines in one section are combined with OR unless they are wrapped in <RequireAll>, so without that block any Google account would satisfy Require valid-user and the domain check would be ineffective.
To obtain the values for OIDCClientID and OIDCClientSecret go to the API console at https://console.developers.google.com/project. Credentials belong to a project, so if you do not have one yet create a project first, e.g. example-it-authentication.

In the project go to APIs & auth.

Under APIs, activate the Google+ API.
Under Credentials, OAuth, create a new client ID, and fill in OIDCClientID and OIDCClientSecret in the Apache config (e.g. gerrit.conf).
Under Consent screen, fill in the e-mail address and product name (you get an error if you don't).

Then restart Apache:

    service apache2 restart

You should be done!
Jenkins

Assume you have installed Jenkins and it is listening on 10.10.10.11:8080.

For Jenkins the configuration is nearly identical. You need to install and activate the Reverse Proxy Auth plugin (http://wiki.jenkins-ci.org/display/JENKINS/Reverse+Proxy+Auth+Plugin) and, under Configure Global Security, select the "HTTP Header by reverse proxy" radio button. Its default values (header name X-Forwarded-User) correspond to the configuration below. You need to create credentials matching the Jenkins host name in the API console (https://console.developers.google.com/project) and copy them into the config as before (e.g. jenkins.conf). That should be all.

    <VirtualHost *:80>
        ServerName jenkins.example.com
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
        OIDCClientID <from API console>
        OIDCClientSecret <from API console>
        OIDCScope "openid email profile"
        OIDCRedirectURI http://jenkins.example.com/oauth2callback
        OIDCCryptoPassphrase <generate a long random passphrase here; it encrypts the state and session cookies>
        OIDCSessionInactivityTimeout 600
        OIDCCookiePath /
        OIDCAuthRequestParams hd=example.com
        OIDCRemoteUserClaim email
        OIDCAuthNHeader X-Forwarded-User

        ProxyPass / http://jenkins.example.com:8080/ nocanon
        ProxyPassReverse / http://jenkins.example.com:8080/
        ProxyRequests Off
        AllowEncodedSlashes NoDecode
        <Proxy http://jenkins.example.com:8080/*>
            # add rewrites here if necessary
        </Proxy>

        <Location />
            AuthType openid-connect
            <RequireAll>
                Require valid-user
                Require claim hd:example.com
            </RequireAll>
        </Location>
        <Location ~ "^/(cli|jnlpJars|subversion|whoAmI|computer/[^/]+/slave-agent.jnlp|tcpSlaveAgentListener)">
            Satisfy Any
            Allow from all
        </Location>
    </VirtualHost>

The <RequireAll> block is needed for the same reason as in gerrit.conf: without it Apache 2.4 treats the two Require lines as alternatives and any Google account gets in. The second Location block exempts the endpoints used by non-browser clients (the Jenkins CLI and JNLP build agents) from the OpenID Connect login, since they cannot follow a redirect to Google; those paths are then protected only by Jenkins' own checks. Because mod_auth_openidc does not handle requests to them, make sure a client-supplied X-Forwarded-User header cannot pass through on these paths (for example with RequestHeader unset X-Forwarded-User early, which mod_headers applies before mod_auth_openidc sets the real value), otherwise the Reverse Proxy Auth plugin would trust a forged header there. Satisfy and Allow are legacy directives that need mod_access_compat, which Ubuntu's Apache 2.4 enables by default.
Currently there doesn't seem to be support for groups in mod_auth_openidc. If you need groups you can install an LDAP server that stores them (but that isn't what you want, since you are using Google authentication) or wait until it is supported in mod_auth_openidc.
Labels: jenkins, google-oauth, gerrit, google-openid, mod-auth-openidc