Opened 6 years ago
Closed 3 years ago
#14884 closed bug (not reproducible)
Cannot sign into Gerrit - "Forbidden"
Reported by: | iambrj | Owned by: | kallisti5 |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | Website/Gerrit | Version: | |
Keywords: | gerrit, forbidden | Cc: | |
Blocked By: | | Blocking: | |
Platform: | All | | |
Description
When I try to sign into Gerrit, after I authenticate it with my Github, I get redirected to a page that says "Forbidden".
I have created a screencast which portrays this odd behavior.
Change History (19)
comment:1 by , 5 years ago
comment:2 by , 5 years ago
Interesting... I'm not seeing any references to the error in Gerrit (of course, they roll off quickly), but definitely see them in the HTTP server logs:
```
# cat access.log access.log-20190811 | grep oauth | grep gerrit | awk '{ print $9 }' | sort | uniq -c | sort -nr
     52 302
     15 403
     11 500
      6 404
      1 499
      1 200
```
302 == successful, anything else is not. (keeping in mind some of that could be bots probing our server)
Could you try logging in again and posting it here? let's see if I can grab the logs quickly enough.
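An added example, not part of the original thread: the triage from comment:2, narrowed to the exact `/oauth` path, with failed requests listed by timestamp so they can be matched against Gerrit's own error log. It assumes combined log format (`$4` timestamp, `$7` request URI, `$9` status) and input already limited to the Gerrit virtual host; the function names and sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example: triage OAuth callback results from a combined-format access log.
# Assumption: $9 is the HTTP status (as in the pipeline above), $4 the
# timestamp and $7 the request URI.

# Constructed sample lines (documentation IP ranges, placeholder code/state values).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [12/Aug/2019:16:06:15 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [12/Aug/2019:16:06:16 +0000] "GET /oauth?code=PLACEHOLDER1&state=PLACEHOLDER2 HTTP/1.1" 403 9 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Aug/2019:16:10:02 +0000] "GET /oauth?code=PLACEHOLDER3&state=PLACEHOLDER4 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Aug/2019:16:11:40 +0000] "GET /oauth HTTP/1.1" 500 0 "-" "curl/7.64.0"
203.0.113.5 - - [12/Aug/2019:16:11:41 +0000] "GET /oauthfoo HTTP/1.1" 404 0 "-" "curl/7.64.0"
EOF
}

# Status histogram for the /oauth endpoint only (exact path, with or
# without a query string), so unrelated paths containing "oauth" are ignored.
oauth_status_counts() {
  awk '$7 == "/oauth" || $7 ~ /^\/oauth\?/ { n[$9]++ }
       END { for (s in n) print n[s], s }' | sort -k1,1nr -k2,2n
}

# Non-302 requests with their timestamp, for correlation with Gerrit's error log.
# "callback" = request carried a code parameter (a real login attempt);
# "no-code"  = bare hit on the endpoint (likely a probe).
# The URI itself is never printed, so code/state values stay out of the report.
oauth_failures() {
  awk '($7 == "/oauth" || $7 ~ /^\/oauth\?/) && $9 != 302 {
         kind = ($7 ~ /[?&]code=/) ? "callback" : "no-code"
         print substr($4, 2), $9, kind     # substr strips the leading "["
       }'
}
```

On a live server, pipe the real access log into `oauth_failures` instead of `sample_log`.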
comment:4 by , 5 years ago
Done. And with the same result: "Forbidden".
The url is: https://review.haiku-os.org/oauth?code=(...)&state=(...)
comment:5 by , 5 years ago
ah ha:
```
2019-08-12 16:06:16,128] [HTTP-150] ERROR com.google.gerrit.httpd.auth.oauth.OAuthSession : Unable to authenticate user "com.google.gerrit.extensions.auth.oauth.OAuthUserInfo@7da783b3"
com.google.gerrit.server.account.AccountException: Email 'simon@XXXX.net' in use by another account
```
Checking...
comment:6 by , 5 years ago
```
gerrit> select * from ACCOUNT_EXTERNAL_IDS where EMAIL_ADDRESS = 'simon@XXXX.net';
ACCOUNT_ID | EMAIL_ADDRESS | PASSWORD | EXTERNAL_ID
-----------+---------------+----------+------------
(0 rows; 0 ms)

gerrit> select * from ACCOUNTS where PREFERRED_EMAIL = 'simon@XXXX.net';
REGISTERED_ON | FULL_NAME | PREFERRED_EMAIL | INACTIVE | STATUS | ACCOUNT_ID
--------------+-----------+-----------------+----------+--------+-----------
(0 rows; 1 ms)
```
Looks like it's wedged somewhere in NoteDB... still searching.
Here's what we've collected thus far to troubleshoot these kinds of Gerrit issues: https://github.com/haiku/infrastructure/blob/master/docs/service/gerrit.md
comment:7 by , 5 years ago
You can push changes to the NoteDB if you want to edit a user. I did this to set the tab size to 4 spaces for default users, for example, as it is not possible to do this from the GUI. The default user is then copied to new users when they create an account (unfortunately the anonymous user has no stored settings; I created a Gerrit issue about it but there has not been much interest).
I think Gerrit will only allow you to change your own user, and maybe the default user if you have enough permissions on Gerrit.
comment:8 by , 5 years ago
Yeah, the big pain point here is "lack of searchability". I have no real way to "find other accounts with this email" without fetching and checking out UID 1000000 - 2000000 and reading their user.properties file.
If the Gerrit CLI tools were better at user management, this wouldn't be an issue. TBH, given how Gerrit works with NoteDB, I'm not even sure how to fix this. (I know you love Gerrit, and the workflow isn't *horrid*, but admin'ing it is a nightmare)
comment:9 by , 5 years ago
It occurs to me: My problems with Gerrit began only after I changed the email address on my Github profile. Does that offer any clues?
comment:11 by , 5 years ago
Replying to waddlesplash:
We've upgraded Gerrit a few times, any improvement here?
follow-up: 15 comment:14 by , 5 years ago
iambrj, you apparently have two accounts:
- https://review.haiku-os.org/q/owner:iambrj (username: iambrj, currently not linked to any github account or email address)
- https://review.haiku-os.org/q/owner:brjhaiku%2540gmail.com (username: brjhaiku, currently linked to your github)
comment:15 by , 5 years ago
Replying to pulkomandy:
> iambrj, you apparently have two accounts:
> - https://review.haiku-os.org/q/owner:iambrj (username: iambrj, currently not linked to any github account or email address)
> - https://review.haiku-os.org/q/owner:brjhaiku%2540gmail.com (username: brjhaiku, currently linked to your github)
Yes that is true, I had to create the second account brjhaiku (linked with github username brjhaiku) as my default github account iambrj was showing "Forbidden" making me unable to contribute, which is why I filed this bug in the first place.
comment:16 by , 3 years ago
@iambrj - ticket issue seems resolved. I logged into Haiku's Gerrit instance several times with haikuwebkit 1.8.1 without any 'visible' issue with user authentication.
Previous issue closed: https://bugs.chromium.org/p/gerrit/issues/detail?id=12125
comment:17 by , 3 years ago
It is specific to some user accounts. It is not possible to test it if you don't have one of the affected accounts.
comment:18 by , 3 years ago
Upstream Gerrit issue was fixed and we have long since upgraded to the new version. Is this fully resolved then?
comment:19 by , 3 years ago
Resolution: | → not reproducible |
---|---|
Status: | new → closed |
I think we can assume it is, we have not heard anyone else complaining about it for a long time. Closing as not reproducible for now.
I'm seeing this today as well. Refreshing the "Forbidden" page changes its message to "Server Error".
Anyone know what's going on?