Opened 6 years ago

Closed 3 years ago

#14884 closed bug (not reproducible)

Cannot sign into Gerrit - "Forbidden"

Reported by: iambrj Owned by: kallisti5
Priority: normal Milestone:
Component: Website/Gerrit Version:
Keywords: gerrit, forbidden Cc:
Blocked By: Blocking:
Platform: All

Description

When I try to sign into Gerrit, after I authenticate it with my Github, I get redirected to a page that says "Forbidden".

I have created a screencast which portrays this odd behavior.

Change History (19)

comment:1 by simonsouth, 5 years ago

I'm seeing this today as well. Refreshing the "Forbidden" page changes its message to "Server Error".

Anyone know what's going on?

comment:2 by kallisti5, 5 years ago

Interesting.. i'm not seeing any references to the error in gerrit (of course, they roll off quickly), but definitely see them in the http server logs:

# cat access.log access.log-20190811 | grep oauth | grep gerrit | awk '{ print $9 }' | sort | uniq -c | sort -nr
     52 302
     15 403
     11 500
      6 404
      1 499
      1 200

302 == successful, anything else is not. (keeping in mind some of that could be bots probing our server)

Could you try logging in again and posting it here? let's see if I can grab the logs quickly enough.

comment:3 by simonsouth, 5 years ago

Sure, I'll do that right now.

comment:4 by simonsouth, 5 years ago

Done. And with the same result: "Forbidden".

The url is: https://review.haiku-os.org/oauth?code=(...)&state=(...)

comment:5 by kallisti5, 5 years ago

ah ha:

2019-08-12 16:06:16,128] [HTTP-150] ERROR com.google.gerrit.httpd.auth.oauth.OAuthSession : Unable to authenticate user "com.google.gerrit.extensions.auth.oauth.OAuthUserInfo@7da783b3"
com.google.gerrit.server.account.AccountException: Email 'simon@XXXX.net' in use by another account
]]]

Checking...
Version 0, edited 5 years ago by kallisti5 (next)

comment:6 by kallisti5, 5 years ago

gerrit> select * from ACCOUNT_EXTERNAL_IDS where EMAIL_ADDRESS = 'simon@XXXX.net';
 ACCOUNT_ID | EMAIL_ADDRESS | PASSWORD | EXTERNAL_ID
 -----------+---------------+----------+------------
(0 rows; 0 ms)
gerrit> select * from ACCOUNTS where PREFERRED_EMAIL = 'simon@XXXX.net';
 REGISTERED_ON | FULL_NAME | PREFERRED_EMAIL | INACTIVE | STATUS | ACCOUNT_ID
 --------------+-----------+-----------------+----------+--------+-----------
(0 rows; 1 ms)

Looks like it's wedged somewhere in NoteDB... still searching.

Here's what we've collected thus far to troubleshoot these kind of Gerrit issues: https://github.com/haiku/infrastructure/blob/master/docs/service/gerrit.md

Last edited 5 years ago by kallisti5 (previous) (diff)

comment:7 by pulkomandy, 5 years ago

You can push changes to the NoteDB if you want to edit an user. I did this to set the tab size to 4 spaces for default users, for example, as it is not possible to do this from the GUI. The default user is then copied to new users when they create an account (unfortunately the anonymous user has no stored settings, I created a Gerrit issue about it but there has not been much interest).

I think Gerrit will only allow you to change your own user, and maybe the default user if you have enough permissions on Gerrit.

comment:8 by kallisti5, 5 years ago

Yeah, the big pain point here is "lack of searchability" I have no real way to "find other accounts with this email" without fetching, and checking out UID 1000000 - 2000000 and reading their user.properties file.

If the Gerrit CLI tools were better at user management, this wouldn't be an issue. TBH, given how Gerrit works with NoteDB i'm not even sure how to fix this. (I know you love Gerrit, and the workflow isn't *horrid*, but admin'ing it is a nightmare)

comment:9 by simonsouth, 5 years ago

It occurs to me: My problems with Gerrit began only after I changed the email address on my Github profile. Does that offer any clues?

comment:10 by waddlesplash, 5 years ago

We've upgraded Gerrit a few times, any improvement here?

in reply to:  10 comment:11 by iambrj, 5 years ago

Replying to waddlesplash:

We've upgraded Gerrit a few times, any improvement here?

Nope, still facing the same issue - https://imgur.com/a/ksSOsaU

comment:12 by kallisti5, 5 years ago

try now. We just found and reported a pretty big bug in gerrit.

https://bugs.chromium.org/p/gerrit/issues/detail?id=12125

comment:13 by iambrj, 5 years ago

Still facing the same issue :/

comment:14 by pulkomandy, 5 years ago

iambrj, you apparently have two accounts:

in reply to:  14 comment:15 by iambrj, 5 years ago

Replying to pulkomandy:

iambrj, you apparently have two accounts:

Yes that is true, I had to create the second account brjhaiku (linked with github username brjhaiku) as my default github account iambrj was showing "Forbidden" making me unable to contribute, which is why I filed this bug in the first place.

comment:16 by cocobean, 3 years ago

@iambrj - ticket issue seems resolved. I logged into Haiku's Gerrit instance several times with haikuwebkit 1.8.1 without any 'visible' issue with user authentication.

Prewious issue closed: https://bugs.chromium.org/p/gerrit/issues/detail?id=12125

Last edited 3 years ago by cocobean (previous) (diff)

comment:17 by pulkomandy, 3 years ago

It is specific to some user accounts. It is not possible to test it if you don't have one of the affected accounts.

comment:18 by waddlesplash, 3 years ago

Upstream Gerrit issue was fixed and we have long since upgraded to the new version. Is this fully resolved then?

comment:19 by pulkomandy, 3 years ago

Resolution: not reproducible
Status: newclosed

I think we can assume it is, we have not heard anyone else complaining about it for a long time. Closing as not reproductible for now.

Note: See TracTickets for help on using tickets.