| Issue 1640: | LDAP floods log for gerrit-only users | |
| 3 people starred this issue and may be notified of changes. | Back to list |
Affected Version:
2.5
What steps will reproduce the problem?
1. create a gerrit only (non-interactive) user
2. watch error log
3.
What is the expected output? What do you see instead?
full backtrace for each connect if user is not found in ldap
from the log:
[2012-11-02 09:12:30,734] WARN com.google.gerrit.server.auth.ldap.LdapGroupBackend : Cannot lookup membershipsOf jenkins in LDAP
java.util.concurrent.ExecutionException: com.google.gerrit.server.account.AccountException: No such user:jenkins
at com.google.common.util.concurrent.AbstractFuture$Sync.getValue(AbstractFuture.java:289)
at com.google.common.util.concurrent.AbstractFuture$Sync.get(AbstractFuture.java:276)
at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:111)
at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:132)
at com.google.common.cache.LocalCache$Segment.getAndRecordStats(LocalCache.java:2403)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2373)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2335)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2250)
at com.google.common.cache.LocalCache.get(LocalCache.java:3985)
at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3989)
at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4873)
at com.google.gerrit.server.auth.ldap.LdapGroupBackend.membershipsOf(LdapGroupBackend.java:175)
at com.google.gerrit.server.account.UniversalGroupBackend$UniversalGroupMembership.<init>(UniversalGroupBackend.java:104)
at com.google.gerrit.server.account.UniversalGroupBackend$UniversalGroupMembership.<init>(UniversalGroupBackend.java:97)
at com.google.gerrit.server.account.UniversalGroupBackend.membershipsOf(UniversalGroupBackend.java:94)
at com.google.gerrit.server.IdentifiedUser.getEffectiveGroups(IdentifiedUser.java:265)
at com.google.gerrit.server.project.ProjectControl.match(ProjectControl.java:403)
at com.google.gerrit.server.project.ProjectControl.match(ProjectControl.java:396)
at com.google.gerrit.server.project.ProjectControl.canPerformOnAnyRef(ProjectControl.java:336)
at com.google.gerrit.server.project.ProjectControl.isVisible(ProjectControl.java:189)
at com.google.gerrit.server.project.ProjectControl$Factory.validateFor(ProjectControl.java:99)
at com.google.gerrit.server.args4j.ProjectControlHandler.parseArguments(ProjectControlHandler.java:74)
at org.kohsuke.args4j.CmdLineParser.parseArgument(CmdLineParser.java:435)
at com.google.gerrit.util.cli.CmdLineParser.parseArgument(CmdLineParser.java:209)
at com.google.gerrit.sshd.BaseCommand.parseCommandLine(BaseCommand.java:190)
at com.google.gerrit.sshd.BaseCommand.parseCommandLine(BaseCommand.java:173)
at com.google.gerrit.sshd.AbstractGitCommand$1.executeParseCommand(AbstractGitCommand.java:67)
at com.google.gerrit.sshd.BaseCommand$TaskThunk.run(BaseCommand.java:425)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:178)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:292)
at com.google.gerrit.server.git.WorkQueue$Task.run(WorkQueue.java:337)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)
Caused by: com.google.gerrit.server.account.AccountException: No such user:jenkins
at com.google.gerrit.server.auth.ldap.Helper.findAccount(Helper.java:147)
at com.google.gerrit.server.auth.ldap.Helper.queryForGroups(Helper.java:168)
at com.google.gerrit.server.auth.ldap.LdapRealm$MemberLoader.load(LdapRealm.java:312)
at com.google.gerrit.server.auth.ldap.LdapRealm$MemberLoader.load(LdapRealm.java:300)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3584)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2372)
... 31 mor
Please provide any additional information below.
Jan 4, 2013
Project Member
#1
edwin.ke...@gmail.com
Jan 9, 2013
Looking at the LdapGroupBackend code this can only happen if a 'gerrit:' scheme is assigned to the user. Non-interactive users don't have a 'gerrit:' scheme assigned and hence this error should not occur for them. Can you please check for your non-interactive user in the table ACCOUNT_EXTERNAL_IDS if it has a 'gerrit:' scheme assigned and my assumption is correct? If yes, how did you create your non-interactive user?
Status:
AwaitingInformation
Jan 9, 2013
You are correct, there is a gerrit: scheme attached. The account was probably created via the ssh command on a 2.1 install (but thats one year back now). Probably I treid to attach another email to this user (again via the command line).
Jan 9, 2013
Thanks for the fast feedback. As far as I know the 'gerrit:' scheme is used for the LDAP usernames hence the warning makes sense, if a user having the 'gerrit:' scheme assigned cannot be found in LDAP. Non-interactive users should not have this scheme assigned (otherwise they are not non-interactive anymore). When you now create a new non-interactive user with the 'create-account' SSH command the created user will not have the 'gerrit:' scheme assigned. So you might try to solve this problem by removing the 'gerrit:' scheme for your non-interactive users, but I can't tell how to keep the additional e-mail-addresses. I still agree that the warning should be logged without stacktrace.
Status:
New
Jan 11, 2013
I can now confirm that deleting the gerrit: scheme entry from the db fixes this error. So it probably was a mis-configuration.
Nov 18, 2013
https://gerrit-review.googlesource.com/51851 may provide an acceptable workaround for this. It logs as a warning that the user wasn't found, but catches the missing account exception so that we don't fill up the logs with backtraces. :) Note that I did *not* change the login case -- that will still throw the full backtrace (but that's more likely to be an error condition).
Nov 18, 2013
(No comment was entered for this change.)
Status:
Submitted
Labels: FixedIn-2.6
Dec 9, 2013
(No comment was entered for this change.)
Labels:
-FixedIn-2.6 FixedIn-2.8
Dec 9, 2013
(No comment was entered for this change.)
Status:
Released
Apr 18, 2014
I have the same issue. My log: [2014-04-18 16:15:14,614] WARN com.google.gerrit.server.auth.ldap.LdapGroupBackend : Cannot lookup membershipsOf XXXX in LDAP java.util.concurrent.ExecutionException: javax.naming.CommunicationException: corp.abc.com:636 [Root exception is java.net.ConnectException: Connection timed out] at com.google.common.util.concurrent.AbstractFuture$Sync.getValue(AbstractFuture.java:299) at com.google.common.util.concurrent.AbstractFuture$Sync.get(AbstractFuture.java:286) at com.google.common.util.concurrent.AbstractFuture.get(AbstractFuture.java:116) at com.google.common.util.concurrent.Uninterruptibles.getUninterruptibly(Uninterruptibles.java:135) at com.google.common.cache.LocalCache$LoadingValueReference.waitForValue(LocalCache.java:3552) at com.google.common.cache.LocalCache$Segment.waitForLoadingValue(LocalCache.java:2298) at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2187) at com.google.common.cache.LocalCache.get(LocalCache.java:3932) at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3936) at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4806) at com.google.gerrit.server.auth.ldap.LdapGroupBackend.membershipsOf(LdapGroupBackend.java:190) at com.google.gerrit.server.account.UniversalGroupBackend$UniversalGroupMembership.<init>(UniversalGroupBackend.java:105) at com.google.gerrit.server.account.UniversalGroupBackend$UniversalGroupMembership.<init>(UniversalGroupBackend.java:98) at com.google.gerrit.server.account.UniversalGroupBackend.membershipsOf(UniversalGroupBackend.java:95) at com.google.gerrit.server.IdentifiedUser.getEffectiveGroups(IdentifiedUser.java:286) at com.google.gerrit.server.account.CapabilityControl.access(CapabilityControl.java:257) at com.google.gerrit.server.account.CapabilityControl.getRange(CapabilityControl.java:218) at com.google.gerrit.server.query.change.QueryProcessor.<init>(QueryProcessor.java:135) at sun.reflect.GeneratedConstructorAccessor198.newInstance(Unknown Source) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:534) at com.google.inject.internal.DefaultConstructionProxyFactory$2.newInstance(DefaultConstructionProxyFactory.java:86) at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:108) at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:88) at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:269) at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38) at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62) at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:107) at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:88) at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:269) at com.google.inject.internal.InjectorImpl$3$1.call(InjectorImpl.java:1005) at com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1051) at com.google.inject.internal.InjectorImpl$3.get(InjectorImpl.java:1001) at com.google.gerrit.server.change.ChangesCollection.list(ChangesCollection.java:62) at com.google.gerrit.server.change.ChangesCollection.list(ChangesCollection.java:38) at com.google.gerrit.httpd.restapi.RestApiServlet.service(RestApiServlet.java:211) at javax.servlet.http.HttpServlet.service(HttpServlet.java:722) at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:278) at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:268) at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:180) at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:93) at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85) at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:70) at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:113) at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) at com.google.gerrit.httpd.RequireSslFilter.doFilter(RequireSslFilter.java:68) at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:64) at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:57) at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:75) at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82) at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:120) at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:132) at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:129) at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:206) at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:129) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1307) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:453) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1072) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:382) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1006) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) at org.eclipse.jetty.server.Server.handle(Server.java:365) at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:485) at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:926) at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:988) at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:635) at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235) at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82) at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:627) at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:51) at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608) at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543) at java.lang.Thread.run(Thread.java:701) Caused by: javax.naming.CommunicationException: corp.abc.com:636 [Root exception is java.net.ConnectException: Connection timed out] at com.sun.jndi.ldap.Connection.<init>(Connection.java:213) at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:136) at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1598) at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2643) at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305) at javax.naming.InitialContext.init(InitialContext.java:240) at javax.naming.InitialContext.<init>(InitialContext.java:214) at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:99) at com.google.gerrit.server.auth.ldap.Helper.open(Helper.java:118) at com.google.gerrit.server.auth.ldap.LdapRealm$MemberLoader.load(LdapRealm.java:314) at com.google.gerrit.server.auth.ldap.LdapRealm$MemberLoader.load(LdapRealm.java:304) at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3522) at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2315) at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2278) at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2193) at com.google.common.cache.LocalCache.get(LocalCache.java:3932) at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3936) at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4806) at com.google.gerrit.server.auth.ldap.LdapGroupBackend.membershipsOf(LdapGroupBackend.java:190) at com.google.gerrit.server.account.UniversalGroupBackend$UniversalGroupMembership.<init>(UniversalGroupBackend.java:105) at com.google.gerrit.server.account.UniversalGroupBackend$UniversalGroupMembership.<init>(UniversalGroupBackend.java:98) at com.google.gerrit.server.account.UniversalGroupBackend.membershipsOf(UniversalGroupBackend.java:95) at com.google.gerrit.server.IdentifiedUser.getEffectiveGroups(IdentifiedUser.java:286) at com.google.gerrit.server.account.CapabilityControl.access(CapabilityControl.java:257) at com.google.gerrit.server.account.CapabilityControl.canPerform(CapabilityControl.java:212) at com.google.gerrit.server.account.GetCapabilities.apply(GetCapabilities.java:92) at com.google.gerrit.server.account.GetCapabilities.apply(GetCapabilities.java:57) at com.google.gerrit.httpd.restapi.RestApiServlet.service(RestApiServlet.java:306)
May 16, 2014
Is there a date targeted for this fix?
May 16, 2014
Gerrit 2.6 fixed this partially -- it will still log a warning when a user's account can't be looked up in LDAP, but it won't print an entire stack trace.
May 16, 2014
Er, sorry, I said 2.6 -- misread, it's actually 2.8. |
|
| ► Sign in to add a comment |