Issue 2269: USER_NAME_PATTERN doesn't permit '@' (commonly encountered with kerberos "username@realm")
Affected Version: Any (up to and including 2.8-rc2)
What steps will reproduce the problem?
1. configure new gerrit install with HTTP auth using a kerberized reverse proxy (possibly LDAP?)
2. confirm X-Forwarded-User "authorization" header that is passed to Gerrit contains a realm ("userid@realm")
3. account creation fails because the '@' fails the USER_NAME_PATTERN check in ChangeUserName.java
Is there a specific reason why the username/external username format is so restrictive? While apache's kerberos support permits stripping of the realm, other webservers don't, and that doesn't solve other interfaces (like kerberized ssh) into Gerrit which will not give you the option to strip realm. I would expect that this would be a problem with some LDAP configurations as well.
FWIW, disabling the check and/or liberalizing the pattern it is checked against works quite well and doesn't appear to encounter any problems.
Full error output:
[2013-11-21 19:46:10,601] ERROR com.google.gerrit.server.account.AccountManager : Cannot assign user name "username@realm.com" to account 3; name does not conform.
[2013-11-21 19:46:10,604] ERROR com.google.gerrit.httpd.auth.container.HttpLoginServlet : Unable to authenticate user "username@realm.com"
com.google.gerrit.server.account.AccountUserNameException: Cannot assign user name "username@realm.com" to account 3; name does not conform.
at com.google.gerrit.server.account.AccountManager.handleSettingUserNameFailure(AccountManager.java:375)
at com.google.gerrit.server.account.AccountManager.create(AccountManager.java:324)
at com.google.gerrit.server.account.AccountManager.authenticate(AccountManager.java:116)
at com.google.gerrit.httpd.auth.container.HttpLoginServlet.doGet(HttpLoginServlet.java:121)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:278)
at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:268)
at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:180)
at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:93)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:70)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:113)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:64)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:57)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:75)
at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:120)
at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:132)
at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:129)
at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:206)
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:129)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1480)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:517)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:211)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1097)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:446)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:175)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1031)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:136)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:445)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:269)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:229)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.run(AbstractConnection.java:358)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:601)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:532)
at java.lang.Thread.run(Thread.java:744)
Caused by: com.google.gerrit.common.errors.InvalidUserNameException: Invalid user name.
at com.google.gerrit.server.account.ChangeUserName.call(ChangeUserName.java:105)
at com.google.gerrit.server.account.AccountManager.create(AccountManager.java:314)
... 39 more
Nov 21, 2013
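Added example, not part of the original report and not Gerrit's code: one way a deployment can map the proxy-supplied "userid@realm" value to a realm-free username without loosening the check, by stripping the realm only when it is on an allow-list. The pattern, the class and method names and the trusted realm are assumptions made for illustration.

```java
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

/** Added illustration, not Gerrit code. Pattern and realm are assumptions. */
public class PrincipalNormalizer {
  // Assumed strict pattern in the spirit of the check the report describes: no '@' allowed.
  static final Pattern STRICT =
      Pattern.compile("^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$");

  // Realms whose local part may become a bare username (constructed value,
  // mirroring the placeholder realm in the report's log lines).
  static final Set<String> TRUSTED_REALMS = Set.of("realm.com");

  /** Maps the proxy header value to a username, or empty if it must be rejected. */
  static Optional<String> normalize(String header) {
    if (header == null) return Optional.empty();
    String local = header;
    int at = header.indexOf('@');
    if (at >= 0) {
      // Require exactly one '@' and a non-empty realm; malformed input is rejected, not repaired.
      if (at != header.lastIndexOf('@') || at == header.length() - 1) return Optional.empty();
      String realm = header.substring(at + 1);
      // Stripping an unlisted realm would let user@other.org collide with user@realm.com.
      // Realms are compared exactly, without case folding.
      if (!TRUSTED_REALMS.contains(realm)) return Optional.empty();
      local = header.substring(0, at);
    }
    // The realm-free name still has to pass the strict check.
    return STRICT.matcher(local).matches() ? Optional.of(local) : Optional.empty();
  }

  public static void main(String[] args) {
    String[] samples = { // constructed inputs
      "username@realm.com", "username@other.org", "username",
      "a@b@realm.com", "user name@realm.com", "username@"
    };
    for (String s : samples) {
      System.out.println(s + " -> " + normalize(s).orElse("<rejected>"));
    }
  }
}
```

Only "username@realm.com" and "username" yield a username here; the other samples are rejected.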
#1
thwalk...@gmail.com
Nov 24, 2014
Is there any workaround for this issue? I'm using http authentication with an apache webserver, the users are expecting to log in using an email address, which naturally contains @, and I get this error from gerrit - is there any way to make this work?
Nov 2, 2015
I am still looking for a fix as well. How can you "disabling the check and/or liberalizing the pattern"? Is there a setting somewhere to do this? Thanks in advance for any help on this.