My favorites | Sign in
Project Home Downloads Wiki Issues Source
New issue   Search
for
  Advanced search   Search tips   Subscriptions
Issue 2016: Flush caches after set-account
2 people starred this issue and may be notified of changes. Back to list
Status:  Released
Owner:  ----
Closed:  Jul 2013


Sign in to add a comment
 
Reported by builder....@gmail.com, Jul 16, 2013
Affected Version: 2.7rc2

I just spend about 90 minutes trying to figure out why my new ssh-key for a jenkins slave didn't work. 
What steps will reproduce the problem?

1. cat id_pub.rsa | ssh -p 29418 example.com gerrit set-account jenkins --add-ssh-key -
2. ssh -p 29418 jenkins@example.com gerrit ls-project (fails due to public key)
3. cat id_pub.rsa | ssh -p 29418 example.com gerrit set-account adminuser --add-ssh-key -
4. ssh -p 29418 adminuser@example.com gerrit ls-project (fails due to public key)
5. Add the key using the web interface for the admin user
6. ssh -p 29418 adminuser@example.com gerrit ls-project (success!)
7. Use gerrit gsql to verify keys in account_ssh_keys table, identical
8. Scratch head! Pull out hair :(
9. One hour plus later, ssh -p 29418 adminuser@example.com gerrit flush-caches
10. ssh -p 29418 jenkins@example.com gerrit ls-project (success!)

What is the expected output? What do you see instead?
1. After add-ssh-key I expect to be able to connect

To prevent further hair loss of fellow users I would expect the function of adding a ssh key via the UI and via the cmd line to work the same. Either the flush-caches should be automatic or a simple message like: "Use gerrit flush-caches for the change to take effect" to be displayed after using the set-account command.

Jul 17, 2013
#1 builder....@gmail.com
Actually, this might be more severe. When I remove the ssh key for a user using the command line tools this user is still able to perform actions on the repository until I flush the cache, still should not be allowed.
Jul 18, 2013
#2 builder....@gmail.com
I found the problem, I was going to push the change to Gerrit but that seems impossible..

Anyway, the problem is that the account does not contain the username, so when the cache is flushed with the username it is flushed for username null. See the below.

--- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/SetAccountCommand.java
+++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/commands/SetAccountCommand.java
@@ -133,14 +133,6 @@ final class SetAccountCommand extends BaseCommand {
   private void setAccount() throws OrmException, IOException, UnloggedFailure {

     final Account account = db.accounts().get(id);
-
-    ResultSet<AccountExternalId> ids = db.accountExternalIds().byAccount(id);
-    for (AccountExternalId extId : ids) {
-      if (extId.isScheme(AccountExternalId.SCHEME_USERNAME)) {
-        account.setUserName(extId.getSchemeRest());
-      }
-    }
-
     boolean accountUpdated = false;
     boolean sshKeysUpdated = false;
Jul 18, 2013
#3 builder....@gmail.com
Oops, that was the reverse patch, but I guess you can see what it was supposed to be.
Jul 18, 2013
#5 sop@google.com
(No comment was entered for this change.)
Status: Submitted
Labels: FixedIn-2.7
Sep 20, 2013
Project Member #6 edwin.ke...@gmail.com
(No comment was entered for this change.)
Status: Released
Sign in to add a comment

Powered by Google Project Hosting