Opened 6 months ago

Last modified 6 days ago

#14884 new bug

Cannot sign into Gerrit - "Forbidden"

Reported by: iambrj
Owned by: kallisti5
Priority: normal
Milestone:
Component: Website/Gerrit
Version:
Keywords: gerrit, forbidden
Cc:
Blocked By:
Blocking:
Has a Patch: no
Platform: All

Description

When I try to sign into Gerrit, after I authenticate it with my GitHub, I get redirected to a page that says "Forbidden".

I have created a screencast which portrays this odd behavior.

Change History (8)

comment:1 Changed 8 days ago by simonsouth

I'm seeing this today as well. Refreshing the "Forbidden" page changes its message to "Server Error".

Anyone know what's going on?

comment:2 Changed 7 days ago by kallisti5

Interesting... I'm not seeing any references to the error in Gerrit (of course, they roll off quickly), but definitely see them in the HTTP server logs:

# cat access.log access.log-20190811 | grep oauth | grep gerrit | awk '{ print $9 }' | sort | uniq -c | sort -nr
     52 302
     15 403
     11 500
      6 404
      1 499
      1 200

302 == successful, anything else is not. (Keeping in mind some of that could be bots probing our server.)

Could you try logging in again and posting it here? Let's see if I can grab the logs quickly enough.
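An added example, not part of the ticket or of Haiku's infrastructure scripts: the same status-code tally restricted to the OAuth callback path, plus a list of the non-302 callbacks with timestamp and client so each can be matched against the Gerrit error log. It assumes a combined-format access log and the `/oauth` callback path seen in this ticket; the function names and sample lines are constructed, and the query string is dropped so `code` and `state` values are not copied into a ticket.

```bash
#!/usr/bin/env bash
# Added example: break down OAuth callback results from a combined-format access log.
# Assumed layout: $1 client, $4 "[timestamp", $7 request path, $9 status code.

# Constructed sample lines (documentation addresses, made-up code/state values).
sample_log() {
cat <<'EOF'
203.0.113.10 - - [12/Aug/2019:16:06:15 +0000] "GET /oauth?code=AAAA&state=BBBB HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Aug/2019:16:06:16 +0000] "GET /oauth?code=CCCC&state=DDDD HTTP/1.1" 403 153 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Aug/2019:16:06:20 +0000] "GET /oauth?code=CCCC&state=DDDD HTTP/1.1" 500 170 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2019:16:07:01 +0000] "GET /oauth HTTP/1.1" 404 0 "-" "probe"
203.0.113.12 - - [12/Aug/2019:16:08:00 +0000] "GET /changes/?q=status:open HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Aug/2019:16:09:00 +0000] "GET /oauth?code=EEEE&state=FFFF HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Count callback responses per status code, most frequent first.
oauth_status_counts() {
  awk '$7 ~ /^\/oauth([?]|$)/ { n[$9]++ }
       END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2n
}

# List callbacks that did not end in a 302, with timestamp, client and status,
# so each one can be matched against the Gerrit error log by time.
oauth_failures() {
  awk '$7 ~ /^\/oauth([?]|$)/ && $9 != 302 {
         path = $7
         sub(/[?].*/, "", path)   # drop the code= and state= values
         print substr($4, 2), $1, $9, path
       }'
}

# Use the log file given as first argument, or the constructed sample.
read_log() { if [ -n "${1:-}" ]; then cat -- "$1"; else sample_log; fi; }

read_log "${1:-}" | oauth_status_counts
read_log "${1:-}" | oauth_failures
```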

comment:3 Changed 7 days ago by simonsouth

Sure, I'll do that right now.

comment:4 Changed 7 days ago by simonsouth

Done. And with the same result: "Forbidden".

The url is: https://review.haiku-os.org/oauth?code=(...)&state=(...)

comment:5 Changed 7 days ago by kallisti5

Ah ha:

[2019-08-12 16:06:16,128] [HTTP-150] ERROR com.google.gerrit.httpd.auth.oauth.OAuthSession : Unable to authenticate user "com.google.gerrit.extensions.auth.oauth.OAuthUserInfo@7da783b3"
com.google.gerrit.server.account.AccountException: Email 'simon@XXXX.net' in use by another account

Checking...

Last edited 7 days ago by kallisti5

comment:6 Changed 7 days ago by kallisti5

gerrit> select * from ACCOUNT_EXTERNAL_IDS where EMAIL_ADDRESS = 'simon@XXXX.net';
 ACCOUNT_ID | EMAIL_ADDRESS | PASSWORD | EXTERNAL_ID
 -----------+---------------+----------+------------
(0 rows; 0 ms)
gerrit> select * from ACCOUNTS where PREFERRED_EMAIL = 'simon@XXXX.net';
 REGISTERED_ON | FULL_NAME | PREFERRED_EMAIL | INACTIVE | STATUS | ACCOUNT_ID
 --------------+-----------+-----------------+----------+--------+-----------
(0 rows; 1 ms)

Looks like it's wedged somewhere in NoteDB... still searching.

Here's what we've collected thus far to troubleshoot these kinds of Gerrit issues: https://github.com/haiku/infrastructure/blob/master/docs/service/gerrit.md

Last edited 7 days ago by kallisti5

comment:7 Changed 7 days ago by pulkomandy

You can push changes to the NoteDB if you want to edit a user. I did this to set the tab size to 4 spaces for default users, for example, as it is not possible to do this from the GUI. The default user is then copied to new users when they create an account (unfortunately the anonymous user has no stored settings; I created a Gerrit issue about it but there has not been much interest).

I think Gerrit will only allow you to change your own user, and maybe the default user if you have enough permissions on Gerrit.

comment:8 Changed 6 days ago by kallisti5

Yeah, the big pain point here is "lack of searchability". I have no real way to "find other accounts with this email" without fetching and checking out UID 1000000 - 2000000 and reading their user.properties file.

If the Gerrit CLI tools were better at user management, this wouldn't be an issue. TBH, given how Gerrit works with NoteDB, I'm not even sure how to fix this. (I know you love Gerrit, and the workflow isn't *horrid*, but admin'ing it is a nightmare.)
