Issue 3698: Upon a Gerrit installation the admin user can be created who doesn't have admin privileges
Status:  Submitted
Owner:  ----
Closed:  Nov 27


Reported by antonio....@wandisco.com, Nov 26, 2015
Affected Version: 2.11.x - 2.12

What steps will reproduce the problem?
1. Install Gerrit using MySQL as the DB, with master-master replication enabled
2. 100% of the time everything will go smoothly
3. But 40% of the time the automatically created admin user won't be able to create new projects (won't have admin privileges)

What is the expected output? What do you see instead?
Admin should be able to create a new project. Admin is not able. Cannot see any "Create new project" button.
Gerrit is *not* usable.

Please provide any additional information below.
The master-master replication is available for MySQL only if you use a MariaDB with Galera, or if you use Percona XtraDB cluster, all freely available. (But anyway the bug should be fixed regardless of this)
If you create a cluster of 3 or more nodes, the auto-increment columns in the database can preallocate the initial values, so that on one particular node it's not true that the first value will be 1.
So what can happen is that the Admin user is created with a fixed group id of 1, but the "Administrators" group can be created with an id of -- say -- 3. It doesn't match and the privileges are not applied to Admin.

In the initialisation code for Gerrit there is a little bug in the class com.google.gerrit.pgm.init.InitAdminUser

at line 97:

          AccountGroupMember m =
              new AccountGroupMember(new AccountGroupMember.Key(id,
                  new AccountGroup.Id(1)));  // <---------------------
          db.accountGroupMembers().insert(Collections.singleton(m));


it uses the fixed value of 1 when it should rely on the group in which the Administrator has been created, which happens in SchemaCreator.java:initSystemConfig()  (line 109).

Anyway, after the installation has finished, this is the SQL you need to execute to fix the problem:

update account_group_members set group_id=(select group_id from account_group_names where name='Administrators');

The situation is usually that the id of the admin user can be 3, and in account_group_names the Administrators group can be created with an id which is not 1.
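
The mismatch described in the report, reproduced as an added example (not part of the original report and not Gerrit's code). It compares the hard-coded insert with a lookup by group name, detects membership rows that match no group, and repairs only those rows. The schema is a constructed SQLite miniature that uses the table and column names from the report plus an assumed `account_id` column; the second group, the account ids and the starting group id are constructed.

```python
import sqlite3

def build_db(first_group_id):
    """Constructed miniature of the two tables named in the report."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE account_group_names (name TEXT PRIMARY KEY, group_id INTEGER);
        CREATE TABLE account_group_members (account_id INTEGER, group_id INTEGER,
                                            PRIMARY KEY (account_id, group_id));""")
    # On a multi-node cluster the first auto-increment value need not be 1.
    db.execute("INSERT INTO account_group_names VALUES ('Administrators', ?)", (first_group_id,))
    db.execute("INSERT INTO account_group_names VALUES ('Example Group', ?)", (first_group_id + 3,))
    return db

def add_admin_hardcoded(db, account_id):
    # Behaviour described in the report: the membership row always names group 1.
    db.execute("INSERT INTO account_group_members VALUES (?, 1)", (account_id,))

def add_admin_by_name(db, account_id):
    # Resolve the group id from the group name instead of assuming it.
    db.execute("""INSERT INTO account_group_members
                  SELECT ?, group_id FROM account_group_names
                  WHERE name = 'Administrators'""", (account_id,))

def orphaned_memberships(db):
    """Membership rows whose group_id matches no existing group."""
    return db.execute("""SELECT m.account_id, m.group_id FROM account_group_members m
                         LEFT JOIN account_group_names n ON n.group_id = m.group_id
                         WHERE n.group_id IS NULL ORDER BY m.account_id""").fetchall()

def administrators(db):
    """Account ids that actually resolve to the Administrators group."""
    rows = db.execute("""SELECT m.account_id FROM account_group_members m
                         JOIN account_group_names n ON n.group_id = m.group_id
                         WHERE n.name = 'Administrators' ORDER BY m.account_id""")
    return [r[0] for r in rows]

def repair_orphans(db):
    # Assumes a fresh install, where the only orphan is the init-created admin.
    # Valid memberships in other groups are left untouched.
    cur = db.execute("""UPDATE account_group_members
        SET group_id = (SELECT group_id FROM account_group_names WHERE name = 'Administrators')
        WHERE group_id NOT IN (SELECT group_id FROM account_group_names)""")
    return cur.rowcount

if __name__ == "__main__":
    db = build_db(first_group_id=3)      # constructed offset
    add_admin_hardcoded(db, 1000000)     # constructed account id
    print(administrators(db), orphaned_memberships(db), repair_orphans(db), administrators(db))
```

The orphan query doubles as a post-install check: any row it returns is a membership that grants nothing, and an empty `administrators` result means no account holds admin rights.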


Nov 26, 2015
Project Member #1 david.pu...@sonymobile.com
Thanks for reporting this.  I've uploaded a patch:

https://gerrit-review.googlesource.com/#/c/72768/

but I don't have the necessary environment to fully test it.
Status: ChangeUnderReview
Nov 27, 2015
Project Member #2 ekem...@google.com
(No comment was entered for this change.)
Status: Submitted
Labels: FixedIn-2.11.6