Issue 404: Option to enable automatic account creation on usernames first referenced over Gerrit SSH
Status:  Accepted
Owner: ----
Reported by di...@google.com, Jan 19, 2010
Currently, to have a new user automatically created by Gerrit when using HTTP_AUTH, a browser must open the Gerrit page while sending the username info in some HTTP request header. This works well. However, it would be nice to also have similar behavior when a user is first referenced as a reviewer (or CC, though I'm not sure about CC) over Gerrit SSH with git receive-pack. It seems like it would be somewhat consistent over the 2 protocols that way (but I understand that's probably impossible to do with other authentication types).

Jan 21, 2010
#1 sop@google.com
(No comment was entered for this change.)
Status: Accepted
Sep 10, 2010
Project Member #2 mf...@codeaurora.org
Hmmm, but how do you prevent any random user from claiming the ownership of this new account since no one ever logged in as that user before?
Sep 10, 2010
#3 di...@google.com
That's not an issue in my setup; I am using HTTP authentication, the web server establishes what user is connecting and sets an HTTP header when it forwards the HTTP request to Gerrit, and Gerrit trusts that. But you raise a valid point for other setups; in those cases I guess once the user account is created, only with SQL trickery can one give the user access back to it, or something like that. Which is why it's very important for this to be a configurable option, disabled by default.
Sep 10, 2010
Project Member #4 mf...@codeaurora.org
Right, I see why the HTTP_AUTH works.  

Nasser and I have just been discussing allowing a user to merge two accounts anytime they attempt to register an email address with one account which is already registered to another account.  Perhaps that would be useful in this case?

Instead of specifying a non-existing username for the user, simply allow an unregistered email address to be specified as a reviewer. This unregistered address would cause a new account to be created (not sure if we actually want to allow sending an email to this person, since that might be a SPAM vector). Later, to claim that account, a user would simply need to log in via the web (creating a new separate account), register the email address as theirs (and get prompted to merge the two accounts), and finally merge the previous account with this email address into the new one they just created.

To simplify things, special code could potentially detect that the first account had zero activity (never had a login before) and seamlessly merge the accounts behind the scenes.

Sep 10, 2010
#5 di...@google.com
We are using Gerrit in a team that is used to another internal code review system (most of them also use that system for other projects at the same time as Gerrit). They are used to using username-only code review and CC destinations (not a full email address). Requiring them to specify full email addresses in some cases (those missing accounts) but not for the others (how can they determine when they need an email address and when not, without trial and error?) and then asking them to deal with account merging issues adds more differences. I would rather not have this feature, since asking them to go once on the web is much easier than the alternative. Also, I'm not sure how the merging would actually work with HTTP_AUTH setups: say a user is created for username@domain.com as used in a CC destination; then the first time they go on the web they will get an account created having the same email username@domain.com, which would conflict with the already created account for it. Would they get prompted to merge it? I mean, Gerrit fills out their email address automatically from LDAP; it's not something they enter.

I guess the root problem here is that Gerrit maintains its own user database. Our internal code review system doesn't do that (or if it does it, it's completely transparent and I'm never aware of it). We have LDAP for all accounts so it should be possible to have Gerrit automatically instantiate accounts both by web access and other references (review/cc) in the same way and users should not have to deal with these issues.

Thanks for looking into this.
Sep 10, 2010
Project Member #6 mf...@codeaurora.org
Yeah, if you use LDAP, then it would be easier. It would be possible to actually create the account right away: as long as the referenced username exists in LDAP, Gerrit should go ahead and create the account in Gerrit. Since it is LDAP, when the user attempts to log in for the first time, the account should simply already exist for them. LDAP authentication will ensure that no other user can hijack the account then.
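The policy sketched in comments #2 through #6, written out as an added Python example (not Gerrit's own code): a username first seen as a reviewer is only turned into an account when an external directory asserts identity (HTTP_AUTH or LDAP) and the name exists in that directory, so the pre-created account cannot be claimed by someone else on first login. The `auto_create_referenced_users` option, the in-memory LDAP stub and the account table are assumptions for illustration.

```python
# Added example, not Gerrit code. Models the decision of whether a reviewer
# given by username only may be auto-created. The config option name, the
# LDAP stub and the account store are hypothetical.
from dataclasses import dataclass, field

# Backends where an external directory asserts the identity: an account created
# for "alice" can then only be used by whoever that directory authenticates as
# "alice", so nobody can grab it first (the hijack concern from comment #2).
TRUSTED_AUTH_TYPES = ("HTTP", "LDAP")


@dataclass
class Config:
    auth_type: str                      # e.g. "HTTP", "LDAP", "OPENID"
    auto_create_referenced_users: bool  # hypothetical option, off by default


class ReviewerNotFound(Exception):
    pass


@dataclass
class Accounts:
    by_username: dict = field(default_factory=dict)

    def create(self, username, email):
        # A freshly created account has never logged in (zero activity).
        self.by_username[username] = {"email": email, "logins": 0}
        return self.by_username[username]


def resolve_reviewer(username, cfg, ldap_directory, accounts):
    """Return the account for a reviewer named by username, creating it if policy allows."""
    acct = accounts.by_username.get(username)
    if acct is not None:
        return acct
    if not cfg.auto_create_referenced_users:
        raise ReviewerNotFound(f"{username}: no account and auto-creation is disabled")
    if cfg.auth_type not in TRUSTED_AUTH_TYPES:
        # No directory vouches for identity: a pre-created account could be
        # claimed by any random user on first login, so refuse.
        raise ReviewerNotFound(f"{username}: auto-creation unsafe with {cfg.auth_type}")
    entry = ldap_directory.get(username)
    if entry is None:
        # Never create accounts for names the directory does not know.
        raise ReviewerNotFound(f"{username}: not found in LDAP")
    return accounts.create(username, entry["mail"])


def reviewer_or_none(username, cfg, ldap_directory, accounts):
    """Convenience wrapper: None instead of an exception when policy refuses."""
    try:
        return resolve_reviewer(username, cfg, ldap_directory, accounts)
    except ReviewerNotFound:
        return None
```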
Sep 10, 2010
#7 di...@google.com
Yep, this is the feature I'm looking for, sorry if I wasn't clear in the original request :)
Sep 10, 2010
Project Member #8 mf...@codeaurora.org
Well, I am just starting to wrap my head around some of these different user ideas, so I was likely a bit dense up front. :)