Issue 1640: LDAP floods log for gerrit-only users
Status:  Released
Owner:  ----
Closed:  Nov 2013


Reported by icee...@googlemail.com, Nov 2, 2012

Affected Version:
2.5

What steps will reproduce the problem?
1. create a gerrit only (non-interactive) user 
2. watch error log
3.

What is the expected output? What do you see instead?
full backtrace for each connect if user is not found in ldap
from the log:
[2012-11-02 09:12:30,734] WARN  com.google.gerrit.server.auth.ldap.LdapGroupBackend : Cannot lookup membershipsOf jenkins in LDAP
java.util.concurrent.ExecutionException: com.google.gerrit.server.account.AccountException: No such user:jenkins
        at com.google.common.util.concurrent.AbstractFuture$Sync.getValue(AbstractFuture.java:289)
        at com.google.common.util.concurrent.AbstractFuture$Sync.get(AbstractFuture.java:276)
        at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:111)
        at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:132)
        at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2403)
        at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2373)
        at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2335)
        at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2250)
        at com.google.common.cache.LocalCache.get(LocalCache.java:3985)
        at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3989)
        at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4873)
        at com.google.gerrit.server.auth.ldap.LdapGroupBackend.membershipsOf(LdapGroupBackend.java:175)
        at com.google.gerrit.server.account.UniversalGroupBackend$UniversalGroupMembership.<init>(UniversalGroupBackend.java:104)
        at com.google.gerrit.server.account.UniversalGroupBackend$UniversalGroupMembership.<init>(UniversalGroupBackend.java:97)
        at com.google.gerrit.server.account.UniversalGroupBackend.membershipsOf(UniversalGroupBackend.java:94)
        at com.google.gerrit.server.IdentifiedUser.getEffectiveGroups(IdentifiedUser.java:265)
        at com.google.gerrit.server.project.ProjectControl.match(ProjectControl.java:403)
        at com.google.gerrit.server.project.ProjectControl.match(ProjectControl.java:396)
        at com.google.gerrit.server.project.ProjectControl.canPerformOnAnyRef(ProjectControl.java:336)
        at com.google.gerrit.server.project.ProjectControl.isVisible(ProjectControl.java:189)
        at com.google.gerrit.server.project.ProjectControl$Factory.validateFor(ProjectControl.java:99)
        at com.google.gerrit.server.args4j.ProjectControlHandler.parseArguments(ProjectControlHandler.java:74)
        at org.kohsuke.args4j.CmdLineParser.parseArgument(CmdLineParser.java:435)
        at com.google.gerrit.util.cli.CmdLineParser.parseArgument(CmdLineParser.java:209)
        at com.google.gerrit.sshd.BaseCommand.parseCommandLine(BaseCommand.java:190)
        at com.google.gerrit.sshd.BaseCommand.parseCommandLine(BaseCommand.java:173)
        at com.google.gerrit.sshd.AbstractGitCommand$1.executeParseCommand(AbstractGitCommand.java:67)
        at com.google.gerrit.sshd.BaseCommand$TaskThunk.run(BaseCommand.java:425)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
        at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
        at java.util.concurrent.FutureTask.run(FutureTask.java:166)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
        at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
        at com.google.gerrit.server.git.WorkQueue$Task.run(WorkQueue.java:337)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:722)
Caused by: com.google.gerrit.server.account.AccountException: No such user:jenkins
        at com.google.gerrit.server.auth.ldap.Helper.findAccount(Helper.java:147)
        at com.google.gerrit.server.auth.ldap.Helper.queryForGroups(Helper.java:168)
        at com.google.gerrit.server.auth.ldap.LdapRealm$MemberLoader.load(LdapRealm.java:312)
        at com.google.gerrit.server.auth.ldap.LdapRealm$MemberLoader.load(LdapRealm.java:300)
        at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3584)
        at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2372)
        ... 31 mor

Please provide any additional information below.

Jan 4, 2013
Project Member #1 edwin.ke...@gmail.com
Issue 1705 has been merged into this issue.
Jan 9, 2013
Project Member #2 edwin.ke...@gmail.com
Looking at the LdapGroupBackend code this can only happen if a 'gerrit:' scheme is assigned to the user. Non-interactive users don't have a 'gerrit:' scheme assigned and hence this error should not occur for them.

Can you please check for your non-interactive user in the table ACCOUNT_EXTERNAL_IDS if it has a 'gerrit:' scheme assigned and my assumption is correct? If yes, how did you create your non-interactive user?

Status: AwaitingInformation
Jan 9, 2013
#3 icee...@googlemail.com
You are correct, there is a gerrit: scheme attached. 
The account was probably created via the ssh command on a 2.1 install (but that's one year back now). Probably I tried to attach another email to this user (again via the command line).
Jan 9, 2013
Project Member #4 edwin.ke...@gmail.com
Thanks for the fast feedback. As far as I know the 'gerrit:' scheme is used for the LDAP usernames hence the warning makes sense, if a user having the 'gerrit:' scheme assigned cannot be found in LDAP.

Non-interactive users should not have this scheme assigned (otherwise they are not non-interactive anymore). When you now create a new non-interactive user with the 'create-account' SSH command the created user will not have the 'gerrit:' scheme assigned.

So you might try to solve this problem by removing the 'gerrit:' scheme for your non-interactive users, but I can't tell how to keep the additional e-mail addresses.

I still agree that the warning should be logged without stacktrace.


Status: New
Jan 11, 2013
#5 icee...@googlemail.com
I can now confirm that deleting the gerrit: scheme entry from the db fixes this error.

So it probably was a mis-configuration.


Nov 18, 2013
Project Member #6 dougk....@gmail.com
https://gerrit-review.googlesource.com/51851 may provide an acceptable workaround for this.  It logs as a warning that the user wasn't found, but catches the missing account exception so that we don't fill up the logs with backtraces. :)  Note that I did *not* change the login case -- that will still throw the full backtrace (but that's more likely to be an error condition).
Nov 18, 2013
#7 sop@google.com
(No comment was entered for this change.)
Status: Submitted
Labels: FixedIn-2.6
Dec 9, 2013
Project Member #8 david.pu...@sonymobile.com
(No comment was entered for this change.)
Labels: -FixedIn-2.6 FixedIn-2.8
Dec 9, 2013
Project Member #9 david.pu...@sonymobile.com
(No comment was entered for this change.)
Status: Released
Apr 18, 2014
#10 sam.x...@lookout.com
I have the same issue.  My log:


[2014-04-18 16:15:14,614] WARN  com.google.gerrit.server.auth.ldap.LdapGroupBackend : Cannot lookup membershipsOf XXXX in LDAP
java.util.concurrent.ExecutionException: javax.naming.CommunicationException: corp.abc.com:636 [Root exception is java.net.ConnectException: Connection timed out]
	at com.google.common.util.concurrent.AbstractFuture$Sync.getValue(AbstractFuture.java:299)
	at com.google.common.util.concurrent.AbstractFuture$Sync.get(AbstractFuture.java:286)
	at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:116)
	at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:135)
	at com.google.common.cache.LocalCache$LoadingValueReference.waitForValue(LocalCache.java:3552)
	at com.google.common.cache.LocalCache$Segment.waitForLoadingValue(LocalCache.java:2298)
	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2187)
	at com.google.common.cache.LocalCache.get(LocalCache.java:3932)
	at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3936)
	at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4806)
	at com.google.gerrit.server.auth.ldap.LdapGroupBackend.membershipsOf(LdapGroupBackend.java:190)
	at com.google.gerrit.server.account.UniversalGroupBackend$UniversalGroupMembership.<init>(UniversalGroupBackend.java:105)
	at com.google.gerrit.server.account.UniversalGroupBackend$UniversalGroupMembership.<init>(UniversalGroupBackend.java:98)
	at com.google.gerrit.server.account.UniversalGroupBackend.membershipsOf(UniversalGroupBackend.java:95)
	at com.google.gerrit.server.IdentifiedUser.getEffectiveGroups(IdentifiedUser.java:286)
	at com.google.gerrit.server.account.CapabilityControl.access(CapabilityControl.java:257)
	at com.google.gerrit.server.account.CapabilityControl.getRange(CapabilityControl.java:218)
	at com.google.gerrit.server.query.change.QueryProcessor.<init>(QueryProcessor.java:135)
	at sun.reflect.GeneratedConstructorAccessor198.newInstance(Unknown Source)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:534)
	at com.google.inject.internal.DefaultConstructionProxyFactory$2.newInstance(DefaultConstructionProxyFactory.java:86)
	at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:108)
	at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:88)
	at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:269)
	at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
	at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
	at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:107)
	at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:88)
	at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:269)
	at com.google.inject.internal.InjectorImpl$3$1.call(InjectorImpl.java:1005)
	at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1051)
	at com.google.inject.internal.InjectorImpl$3.get(InjectorImpl.java:1001)
	at com.google.gerrit.server.change.ChangesCollection.list(ChangesCollection.java:62)
	at com.google.gerrit.server.change.ChangesCollection.list(ChangesCollection.java:38)
	at com.google.gerrit.httpd.restapi.RestApiServlet.service(RestApiServlet.java:211)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:278)
	at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:268)
	at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:180)
	at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:93)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
	at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:70)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
	at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:113)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
	at com.google.gerrit.httpd.RequireSslFilter.doFilter(RequireSslFilter.java:68)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
	at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:64)
	at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:57)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
	at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:75)
	at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
	at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:120)
	at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:132)
	at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:129)
	at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:206)
	at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:129)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1307)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:453)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1072)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:382)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1006)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
	at org.eclipse.jetty.server.Server.handle(Server.java:365)
	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:485)
	at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:926)
	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:988)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:635)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:627)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:51)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
	at java.lang.Thread.run(Thread.java:701)
Caused by: javax.naming.CommunicationException: corp.abc.com:636 [Root exception is java.net.ConnectException: Connection timed out]
	at com.sun.jndi.ldap.Connection.<init>(Connection.java:213)
	at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:136)
	at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1598)
	at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2643)
	at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
	at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
	at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
	at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
	at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
	at javax.naming.InitialContext.init(InitialContext.java:240)
	at javax.naming.InitialContext.<init>(InitialContext.java:214)
	at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99)
	at com.google.gerrit.server.auth.ldap.Helper.open(Helper.java:118)
	at com.google.gerrit.server.auth.ldap.LdapRealm$MemberLoader.load(LdapRealm.java:314)
	at com.google.gerrit.server.auth.ldap.LdapRealm$MemberLoader.load(LdapRealm.java:304)
	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3522)
	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2315)
	at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2278)
	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2193)
	at com.google.common.cache.LocalCache.get(LocalCache.java:3932)
	at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3936)
	at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4806)
	at com.google.gerrit.server.auth.ldap.LdapGroupBackend.membershipsOf(LdapGroupBackend.java:190)
	at com.google.gerrit.server.account.UniversalGroupBackend$UniversalGroupMembership.<init>(UniversalGroupBackend.java:105)
	at com.google.gerrit.server.account.UniversalGroupBackend$UniversalGroupMembership.<init>(UniversalGroupBackend.java:98)
	at com.google.gerrit.server.account.UniversalGroupBackend.membershipsOf(UniversalGroupBackend.java:95)
	at com.google.gerrit.server.IdentifiedUser.getEffectiveGroups(IdentifiedUser.java:286)
	at com.google.gerrit.server.account.CapabilityControl.access(CapabilityControl.java:257)
	at com.google.gerrit.server.account.CapabilityControl.canPerform(CapabilityControl.java:212)
	at com.google.gerrit.server.account.GetCapabilities.apply(GetCapabilities.java:92)
	at com.google.gerrit.server.account.GetCapabilities.apply(GetCapabilities.java:57)
	at com.google.gerrit.httpd.restapi.RestApiServlet.service(RestApiServlet.java:306)
May 16, 2014
#11 sam.x...@lookout.com
Is there a date targeted for this fix?
May 16, 2014
Project Member #12 dougk....@gmail.com
Gerrit 2.6 fixed this partially -- it will still log a warning when a user's account can't be looked up in LDAP, but it won't print an entire stack trace.
May 16, 2014
Project Member #13 dougk....@gmail.com
Er, sorry, I said 2.6 -- misread, it's actually 2.8.
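
Added example (not part of the original thread and not Gerrit code): a small log triage script that collapses each "Cannot lookup membershipsOf" warning and its stack trace into one count per user and root cause, so that the missing-account case from the original report is kept apart from the LDAP connection timeout in comment #10. The sample log is constructed from the lines quoted above with frames abbreviated; the category names and function names are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in this issue (stack frames abbreviated).
SAMPLE_LOG = """\
[2012-11-02 09:12:30,734] WARN  com.google.gerrit.server.auth.ldap.LdapGroupBackend : Cannot lookup membershipsOf jenkins in LDAP
java.util.concurrent.ExecutionException: com.google.gerrit.server.account.AccountException: No such user:jenkins
        at com.google.common.util.concurrent.AbstractFuture$Sync.getValue(AbstractFuture.java:289)
Caused by: com.google.gerrit.server.account.AccountException: No such user:jenkins
        at com.google.gerrit.server.auth.ldap.Helper.findAccount(Helper.java:147)
[2012-11-02 09:12:41,102] WARN  com.google.gerrit.server.auth.ldap.LdapGroupBackend : Cannot lookup membershipsOf jenkins in LDAP
java.util.concurrent.ExecutionException: com.google.gerrit.server.account.AccountException: No such user:jenkins
[2014-04-18 16:15:14,614] WARN  com.google.gerrit.server.auth.ldap.LdapGroupBackend : Cannot lookup membershipsOf XXXX in LDAP
java.util.concurrent.ExecutionException: javax.naming.CommunicationException: corp.abc.com:636 [Root exception is java.net.ConnectException: Connection timed out]
Caused by: javax.naming.CommunicationException: corp.abc.com:636 [Root exception is java.net.ConnectException: Connection timed out]
"""

HEADER = re.compile(r"^\[[^\]]+\] WARN\s+\S+LdapGroupBackend : "
                    r"Cannot lookup membershipsOf (\S+) in LDAP$")
EXC = re.compile(r"[\w.$]+Exception\b")


def classify(exceptions):
    """Map the exception names seen in one event to a triage category."""
    names = {e.rsplit(".", 1)[-1] for e in exceptions}
    if "AccountException" in names:
        return "no-such-user"       # account is mapped to LDAP but has no entry there
    if "CommunicationException" in names:
        return "ldap-unreachable"   # directory outage, not an account problem
    return "other"


def summarize(log_text):
    """Collapse each WARN header plus its trace into (user, category) counts."""
    counts, user, chain = Counter(), None, []
    for line in log_text.splitlines() + [""]:   # trailing "" flushes the last event
        m = HEADER.match(line)
        if m or line == "":
            if user is not None:
                counts[(user, classify(chain))] += 1
            user, chain = (m.group(1) if m else None), []
        elif user is not None and not line.lstrip().startswith(("at ", "...")):
            # Exception and "Caused by:" lines only; stack frames are skipped.
            chain.extend(EXC.findall(line))
    return counts


if __name__ == "__main__":
    for (name, category), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{name}\t{category}\t{n}")
```

A user that stays in "no-such-user" points at the external ID mapping discussed in comments #2 to #5, while "ldap-unreachable" is a connectivity problem.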