Issue 2218: administrator has no rights to create/edit projects
Status:  New
Owner:  ----


Reported by rco...@gmail.com, Oct 29, 2013
Affected Version: 2.7

What steps will reproduce the problem?
1. install gerrit with auth.LDAP
2. manually add user account to accounts table for user who should have admin rights (because install process fails to do that)
3. log in and verify that user is in Administrators group, then look for the "Create new Project" link or try to edit the Access rights on an existing project.

What is the expected output? What do you see instead?
Expecting to have administrative rights of gerrit but instead have the same rights as a registered user.  Have no ability to edit the Access, Create projects and/or do whatever an administrator should be able to do.

Please provide any additional information below.
First time I installed gerrit, I used openID.  I logged in and was an Administrator.  I created new projects and everything seemed to work (although I can't verify that I saw the Edit button on the Access page for any project.)

Then I altered the gerrit.config to set it up for LDAP auth.  Gerrit seems to be able to bind using the username and password I specified but the groups I belong to aren't downloaded. See https://groups.google.com/forum/#!topic/repo-discuss/qaMb3FodJtA.

So, I purged my installation and started from scratch.  This time, I set it up to be LDAP from the beginning.  This time, my user account was not set up to be an Administrator, so I did that manually (see https://code.google.com/p/gerrit/issues/detail?can=2&start=0&num=100&q=&colspec=ID%20Type%20Stars%20Milestone%20Status%20Priority%20Owner%20Summary&groupby=&sort=&id=1653).  After restarting gerrit and logging in, I verified that I was a global Administrator.  However, I have no administrative control over the system.

To fix the original installation that did not properly set itself up, I added my id to the account_group_members table and added the Administrator's UUID and ID to the system_config table.  I also added a record in accounts join table to set me as Project owner, in case that could do anything but it didn't.

If I had to guess, the fact that I am attempting to use LDAP groups is the problem:  I suspect that gerrit is not using the Db to check permissions and is instead using the LDAP group membership, which it is not able to successfully download.

I have independently verified that my accounts can bind to ldap and that my user is listed as a group member.  I have used ldapsearch with all the same settings as my gerrit.config is using:
[auth]
        type = LDAP
[ldap]
        server = ldap://***.***.ca
        username = CN=***,CN=Users,DC=***,DC=***,DC=ca
        accountBase = DC=***,DC=***,DC=ca
        groupBase = OU=Gerrit,OU=External,OU=***,DC=***,DC=***,DC=ca
        accountPattern = (&(objectClass=user)(sAMAccountName=${username}))
        accountScope = subtree
        accountFullName = displayName
        accountEmailAddress = mail
        accountSshUserName = ${sAMAccountName.toLowerCase}
        groupPattern = (&(objectClass=group)(cn=${groupname}))
        groupName = ${groupname}
        groupScope = One
        groupMemberPattern = (&(objectClass=group)(member=${dn}))
        localUsernameToLowerCase = true
        referral = follow

secure.config:
[ldap]
	password = ************



Oct 30, 2015
#1 bcodd...@gmail.com
Ran into this on gerrit-2.11.4.  The problem was my All-Projects.git repo was not getting initialized by the first user login due to some setup error.  That repository needs an initial commit containing /groups and /project.config files with the correct UUIDs set for Administrators on refs/meta/config.

The easiest fix for me was to initialize a dummy site w/ standalone daemon, then clone that dummy site's All-Projects.git repo, modify /groups, and push to the broken site's All-Projects.git repo.
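
A way to check the condition described in comment #1 before and after such a repair, as an added example that is not part of the original comment or of Gerrit itself. It assumes the tab-separated `groups` layout and the `group <name>` rule syntax that Gerrit writes to refs/meta/config; the function names are hypothetical, the sample file contents and UUID are constructed, and the expected Administrators UUID is supplied by the caller from the site's own records.

```python
import re

# Constructed sample of the two refs/meta/config files; the UUID is made up.
ADMIN_UUID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_GROUPS = (
    "# UUID\tGroup Name\n#\n"
    f"{ADMIN_UUID}\tAdministrators\n"
    "global:Registered-Users\tRegistered Users\n"
)
SAMPLE_PROJECT_CONFIG = (
    "[capability]\n\tadministrateServer = group Administrators\n"
    '[access "refs/*"]\n\tread = group Registered Users\n'
)

def parse_groups(text):
    """Map group name -> UUID from the tab-separated `groups` file."""
    table = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            uuid, _, name = line.partition("\t")
            table[name.strip()] = uuid.strip()
    return table

def referenced_groups(config_text):
    """Yield (section, key, group) for rules under [capability] and [access ...]."""
    section = ""
    for line in map(str.strip, config_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif section.split(" ")[0] in ("capability", "access"):
            m = re.match(r"(\S+)\s*=.*?\bgroup (.+)$", line)
            if m:
                yield section, m.group(1), m.group(2).strip()

def check(groups_text, config_text, expected_admin_uuid):
    """Return a list of problems; an empty list means the admin grant resolves."""
    table, problems = parse_groups(groups_text), []
    refs = list(referenced_groups(config_text))
    for section, key, name in refs:
        if name not in table:
            problems.append(f"[{section}] {key}: '{name}' has no UUID in groups")
    admins = [n for s, k, n in refs if (s, k) == ("capability", "administrateServer")]
    if not admins:
        problems.append("administrateServer is not granted to any group")
    for name in admins:
        if table.get(name, expected_admin_uuid) != expected_admin_uuid:
            problems.append(f"'{name}' UUID in groups differs from the expected one")
    return problems
```

Feed it the output of `git show refs/meta/config:groups` and `git show refs/meta/config:project.config` from the site's All-Projects.git; if the ref does not exist at all, that is the uninitialized state the comment describes.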