Issue 2269: USER_NAME_PATTERN doesn't permit '@' (commonly encountered with kerberos "username@realm")
Status:  New
Owner: ----
Reported by thwalk...@gmail.com, Nov 21, 2013
Affected Version: Any (up to and including 2.8-rc2)

What steps will reproduce the problem?
1. configure new gerrit install with HTTP auth using a kerberized reverse proxy (possibly LDAP?)
2. confirm X-Forwarded-User "authorization" header that is passed to Gerrit contains a realm ("userid@realm")
3. account creation fails because the '@' fails the USER_NAME_PATTERN check in ChangeUserName.java

Is there a specific reason why the username/external username format is so restrictive?  While apache's kerberos support permits stripping of the realm, other webservers don't, and that doesn't solve other interfaces (like kerberized ssh) into Gerrit which will not give you the option to strip realm.  I would expect that this would be a problem with some LDAP configurations as well.

FWIW, disabling the check and/or liberalizing the pattern it is checked against works quite well and doesn't appear to encounter any problems.

Full error output:

[2013-11-21 19:46:10,601] ERROR com.google.gerrit.server.account.AccountManager : Cannot assign user name "username@realm.com" to account 3; name does not conform.
[2013-11-21 19:46:10,604] ERROR com.google.gerrit.httpd.auth.container.HttpLoginServlet : Unable to authenticate user "username@realm.com"
com.google.gerrit.server.account.AccountUserNameException: Cannot assign user name "username@realm.com" to account 3; name does not conform.
        at com.google.gerrit.server.account.AccountManager.handleSettingUserNameFailure(AccountManager.java:375)
        at com.google.gerrit.server.account.AccountManager.create(AccountManager.java:324)
        at com.google.gerrit.server.account.AccountManager.authenticate(AccountManager.java:116)
        at com.google.gerrit.httpd.auth.container.HttpLoginServlet.doGet(HttpLoginServlet.java:121)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
        at com.google.inject.servlet.ServletDefinition.doServiceImpl(ServletDefinition.java:278)
        at com.google.inject.servlet.ServletDefinition.doService(ServletDefinition.java:268)
        at com.google.inject.servlet.ServletDefinition.service(ServletDefinition.java:180)
        at com.google.inject.servlet.ManagedServletPipeline.service(ManagedServletPipeline.java:93)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:85)
        at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:70)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:113)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:64)
        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:57)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:75)
        at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)
        at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:120)
        at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:132)
        at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:129)
        at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:206)
        at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:129)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1480)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:517)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:211)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1097)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:446)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:175)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1031)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:136)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
        at org.eclipse.jetty.server.Server.handle(Server.java:445)
        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:269)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:229)
        at org.eclipse.jetty.io.AbstractConnection$ReadCallback.run(AbstractConnection.java:358)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:601)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:532)
        at java.lang.Thread.run(Thread.java:744)
Caused by: com.google.gerrit.common.errors.InvalidUserNameException: Invalid user name.
        at com.google.gerrit.server.account.ChangeUserName.call(ChangeUserName.java:105)
        at com.google.gerrit.server.account.AccountManager.create(AccountManager.java:314)
        ... 39 more
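
The realm stripping mentioned in the report, written as an added example that is not part of the original issue and is not Gerrit code: a mapping step that accepts "userid@realm" only for an expected realm before dropping the realm, since otherwise the same userid in two realms maps to one local name. `STRICT_NAME` is a stand-in restrictive pattern (not copied from Gerrit's USER_NAME_PATTERN), and `TRUSTED_REALMS`, `PrincipalMapper` and `toLocalName` are hypothetical names.

```java
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;

/** Added illustration; not taken from the Gerrit code base. */
public class PrincipalMapper {
  // Stand-in for a restrictive user name pattern (assumption, not Gerrit's own regex).
  static final Pattern STRICT_NAME =
      Pattern.compile("^[a-zA-Z0-9](?:[a-zA-Z0-9._-]*[a-zA-Z0-9])?$");

  // Hypothetical allowlist; the realm is compared exactly, with no case folding.
  static final Set<String> TRUSTED_REALMS = Set.of("realm.com");

  /** Maps a proxy-supplied principal to a local user name, or empty if it is rejected. */
  static Optional<String> toLocalName(String principal) {
    if (principal == null) {
      return Optional.empty();
    }
    int at = principal.lastIndexOf('@');
    if (at < 0) {
      // No realm present: the bare name must still pass the strict pattern.
      return STRICT_NAME.matcher(principal).matches()
          ? Optional.of(principal)
          : Optional.empty();
    }
    String local = principal.substring(0, at);
    String realm = principal.substring(at + 1);
    // Check the realm before dropping it, then validate what remains.
    if (!TRUSTED_REALMS.contains(realm) || !STRICT_NAME.matcher(local).matches()) {
      return Optional.empty();
    }
    return Optional.of(local);
  }

  public static void main(String[] args) {
    // Constructed sample inputs; the first is the value shown in the error log.
    String[] samples = {
      "username@realm.com", "username@other.example",
      "user/admin@realm.com", "a@b@realm.com", "username"
    };
    for (String s : samples) {
      System.out.printf("%-24s strict=%-5b mapped=%s%n",
          s, STRICT_NAME.matcher(s).matches(), toLocalName(s).orElse("<rejected>"));
    }
  }
}
```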


Nov 21, 2013
#1 thwalk...@gmail.com
Ah, and forgot... other auth methods (OPENID) completely bypass the USER_NAME_PATTERN check and use characters in the external userid table that wouldn't pass the regex (at least ':?/' in OPENID's case).  This is because "who.getUserName()" returns null near the end of create() in AccountManager.java, bypassing the changeUserName... bits.

Nov 24, 2014
#2 ricke...@uk.ibm.com
Is there any workaround for this issue?
I'm using http authentication from within an apache webserver, the users are expecting to log in using an email address, which naturally contains @, and I get this error from gerrit - is there any way to make this work?

Nov 2, 2015
#3 billinal...@gmail.com
I am still looking for a fix as well.  How can you "disabling the check and/or liberalizing the pattern"?  Is there a setting somewhere to do this?  Thanks in advance for any help on this.