Opened 2 years ago

Last modified 18 months ago

#14884 new bug

Cannot sign into Gerrit - "Forbidden"

Reported by: iambrj Owned by: kallisti5
Priority: normal Milestone:
Component: Website/Gerrit Version:
Keywords: gerrit, forbidden Cc:
Blocked By: Blocking:
Platform: All


When I try to sign into Gerrit, after I authenticate it with my Github, I get redirected to a page that says "Forbidden".

I have created a screencast which portrays this odd behavior.

Change History (15)

comment:1 by simonsouth, 23 months ago

I'm seeing this today as well. Refreshing the "Forbidden" page changes its message to "Server Error".

Anyone know what's going on?

comment:2 by kallisti5, 23 months ago

Interesting.. i'm not seeing any references to the error in gerrit (of course, they roll off quickly), but definitely see them in the http server logs:

# cat access.log access.log-20190811 | grep oauth | grep gerrit | awk '{ print $9 }' | sort | uniq -c | sort -nr
     52 302
     15 403
     11 500
      6 404
      1 499
      1 200

302 == successful, anything else is not. (keeping in mind some of that could be bots probing our server)

Could you try logging in again and posting it here? let's see if I can grab the logs quickly enough.

comment:3 by simonsouth, 23 months ago

Sure, I'll do that right now.

comment:4 by simonsouth, 23 months ago

Done. And with the same result: "Forbidden".

The url is:

comment:5 by kallisti5, 23 months ago

ah ha:

2019-08-12 16:06:16,128] [HTTP-150] ERROR : Unable to authenticate user "" Email '' in use by another account


Last edited 23 months ago by kallisti5 (previous) (diff)

comment:6 by kallisti5, 23 months ago

gerrit> select * from ACCOUNT_EXTERNAL_IDS where EMAIL_ADDRESS = '';
(0 rows; 0 ms)
gerrit> select * from ACCOUNTS where PREFERRED_EMAIL = '';
(0 rows; 1 ms)

Looks like it's wedged somewhere in NoteDB... still searching.

Here's what we've collected thus far to troubleshoot these kind of Gerrit issues:

Last edited 23 months ago by kallisti5 (previous) (diff)

comment:7 by pulkomandy, 23 months ago

You can push changes to the NoteDB if you want to edit an user. I did this to set the tab size to 4 spaces for default users, for example, as it is not possible to do this from the GUI. The default user is then copied to new users when they create an account (unfortunately the anonymous user has no stored settings, I created a Gerrit issue about it but there has not been much interest).

I think Gerrit will only allow you to change your own user, and maybe the default user if you have enough permissions on Gerrit.

comment:8 by kallisti5, 23 months ago

Yeah, the big pain point here is "lack of searchability" I have no real way to "find other accounts with this email" without fetching, and checking out UID 1000000 - 2000000 and reading their file.

If the Gerrit CLI tools were better at user management, this wouldn't be an issue. TBH, given how Gerrit works with NoteDB i'm not even sure how to fix this. (I know you love Gerrit, and the workflow isn't *horrid*, but admin'ing it is a nightmare)

comment:9 by simonsouth, 22 months ago

It occurs to me: My problems with Gerrit began only after I changed the email address on my Github profile. Does that offer any clues?

comment:10 by waddlesplash, 18 months ago

We've upgraded Gerrit a few times, any improvement here?

in reply to:  10 comment:11 by iambrj, 18 months ago

Replying to waddlesplash:

We've upgraded Gerrit a few times, any improvement here?

Nope, still facing the same issue -

comment:12 by kallisti5, 18 months ago

try now. We just found and reported a pretty big bug in gerrit.

comment:13 by iambrj, 18 months ago

Still facing the same issue :/

comment:14 by pulkomandy, 18 months ago

iambrj, you apparently have two accounts:

in reply to:  14 comment:15 by iambrj, 18 months ago

Replying to pulkomandy:

iambrj, you apparently have two accounts:

Yes that is true, I had to create the second account brjhaiku (linked with github username brjhaiku) as my default github account iambrj was showing "Forbidden" making me unable to contribute, which is why I filed this bug in the first place.

Note: See TracTickets for help on using tickets.