Fixed
Status Update
Comments
mo...@gmail.com <mo...@gmail.com> #2
[Empty comment from Monorail migration]
br...@google.com <br...@google.com> #3
[Empty comment from Monorail migration]
dm...@gmail.com <dm...@gmail.com> #4
Gerrit was using following regexp in gerrit.config:
[commentlink "ph"]
match = "([Bb]ug|[Ii]ssue)\\s*#?(\\d+)"
link =https://bugs.chromium.org/p/gerrit/issues/detail?id=$2
\\s matches \n and \r so \\s* will match a lot of new lines
[ \\t]*\\r\\n?[ \\t]* matches just one new line
[commentlink "ph"]
match = "([Bb]ug|[Ii]ssue)\\s*#?(\\d+)"
link =
\\s matches \n and \r so \\s* will match a lot of new lines
[ \\t]*\\r\\n?[ \\t]* matches just one new line
da...@gmail.com <da...@gmail.com> #5
[Empty comment from Monorail migration]
lu...@gmail.com <lu...@gmail.com> #6
[Empty comment from Monorail migration]
lu...@gmail.com <lu...@gmail.com> #7
Edits were made to reflect the following in Monorail: auto-CCs.
dm...@gmail.com <dm...@gmail.com> #8
Thanks a lot for looking into it.
I've sent private email to brohlfs, but did not hear back.
I've sent private email to brohlfs, but did not hear back.
lu...@gmail.com <lu...@gmail.com> #9
There are two good news:
1. I was able to reproduce the problem, using the sample Gerrit / LDAP setup described athttps://github.com/gerritcodereview/docker-gerrit
2. I was able to update the permission by copying the CURL operation done by the browser on another group and change the group name to the ldap one
It is a PolyGerrit issue because it looks like the GUI does not even try to perform any update when it sees a group with the name 'ldap/something.with.a.dot'.
The backend works fine, and the group is added.
See below a sample CURL you can use in the meantime:
curl -X POST --data-binary '{"add":{"refs/*":{"permissions":{"read":{"rules":{"ldap:cn=something.with.a.dot,dc=example,dc=org":{"action":"ALLOW","added":true}}}}}},"remove":{}}' 'http://mygerrit/a/projects/myproject/access '
1. I was able to reproduce the problem, using the sample Gerrit / LDAP setup described at
2. I was able to update the permission by copying the CURL operation done by the browser on another group and change the group name to the ldap one
It is a PolyGerrit issue because it looks like the GUI does not even try to perform any update when it sees a group with the name 'ldap/something.with.a.dot'.
The backend works fine, and the group is added.
See below a sample CURL you can use in the meantime:
curl -X POST --data-binary '{"add":{"refs/*":{"permissions":{"read":{"rules":{"ldap:cn=something.with.a.dot,dc=example,dc=org":{"action":"ALLOW","added":true}}}}}},"remove":{}}' '
lu...@gmail.com <lu...@gmail.com> #10
[Monorail components: -Backend PolyGerrit]
lu...@gmail.com <lu...@gmail.com> #11
[Empty comment from Monorail migration]
lu...@gmail.com <lu...@gmail.com> #12
I'll try to reproduce it with Gerrit v2.16, so that the fix can be applied to the right version onwards.
lu...@gmail.com <lu...@gmail.com> #13
[Description Changed]
lu...@gmail.com <lu...@gmail.com> #14
Escalating to a P0 because it is a functional regression of the migration from GWT to PolyGerrit.
It applies from v2.16 onwards, since we declared PolyGerrit the official Gerrit GUI.
It applies from v2.16 onwards, since we declared PolyGerrit the official Gerrit GUI.
lu...@gmail.com <lu...@gmail.com> #15
See attached the docker-compose.yaml and gerrit.config/secure.config files for reproducing the problem with LDAP.
See the instructions athttps://github.com/gerritcodereview/docker-gerrit on how to login to LDAP and create users/groups.
See the instructions at
br...@google.com <br...@google.com> #16
[Empty comment from Monorail migration]
br...@google.com <br...@google.com> #17
Thanks Luca for helping with the LDAP setup. Worked for me. Found the bug. Here is the fix:
https://gerrit-review.googlesource.com/c/gerrit/+/251433
bu...@chops-service-accounts.iam.gserviceaccount.com <bu...@chops-service-accounts.iam.gserviceaccount.com> #18
The following revision refers to this bug:
https://gerrit.googlesource.com/gerrit.git/+/e63e387b8ca38b23191ac99c28a2ec413384d513
commit e63e387b8ca38b23191ac99c28a2ec413384d513
Author: Ben Rohlfs <brohlfs@google.com>
Date: Wed Jan 22 07:45:37 2020
Fix handling of LDAP groups that contain dots
Polymer's property path system has no way to handle dots in property
names, so using this.set() will result in splitting up the group name
into multiple path parts.
Tweaked the tests to expose this problem and added ample comments to the
code.
Bug:https://crbug.com/gerrit/11980
Change-Id: Ieffba1f3b102b560cdd6997881654c171d0439c9
[modify]https://gerrit.googlesource.com/gerrit.git/+/e63e387b8ca38b23191ac99c28a2ec413384d513/polygerrit-ui/app/elements/admin/gr-permission/gr-permission.js
[modify]https://gerrit.googlesource.com/gerrit.git/+/e63e387b8ca38b23191ac99c28a2ec413384d513/polygerrit-ui/app/elements/admin/gr-permission/gr-permission_test.html
commit e63e387b8ca38b23191ac99c28a2ec413384d513
Author: Ben Rohlfs <brohlfs@google.com>
Date: Wed Jan 22 07:45:37 2020
Fix handling of LDAP groups that contain dots
Polymer's property path system has no way to handle dots in property
names, so using this.set() will result in splitting up the group name
into multiple path parts.
Tweaked the tests to expose this problem and added ample comments to the
code.
Bug:
Change-Id: Ieffba1f3b102b560cdd6997881654c171d0439c9
[modify]
[modify]
bu...@chops-service-accounts.iam.gserviceaccount.com <bu...@chops-service-accounts.iam.gserviceaccount.com> #19
The following revision refers to this bug:
https://gerrit.googlesource.com/gerrit.git/+/4839f01dd37e305095c45ce35a59978aee729ffd
commit 4839f01dd37e305095c45ce35a59978aee729ffd
Author: Ben Rohlfs <brohlfs@google.com>
Date: Wed Jan 22 20:59:15 2020
Fix handling of LDAP groups that contain dots
Polymer's property path system has no way to handle dots in property
names, so using this.set() will result in splitting up the group name
into multiple path parts.
Tweaked the tests to expose this problem and added ample comments to the
code.
Bug:https://crbug.com/gerrit/11980
Change-Id: I96d6dfa50908ddafb4d0fa12d247d33444c36b4e
[modify]https://gerrit.googlesource.com/gerrit.git/+/4839f01dd37e305095c45ce35a59978aee729ffd/polygerrit-ui/app/elements/admin/gr-permission/gr-permission.js
[modify]https://gerrit.googlesource.com/gerrit.git/+/4839f01dd37e305095c45ce35a59978aee729ffd/polygerrit-ui/app/elements/admin/gr-permission/gr-permission_test.html
commit 4839f01dd37e305095c45ce35a59978aee729ffd
Author: Ben Rohlfs <brohlfs@google.com>
Date: Wed Jan 22 20:59:15 2020
Fix handling of LDAP groups that contain dots
Polymer's property path system has no way to handle dots in property
names, so using this.set() will result in splitting up the group name
into multiple path parts.
Tweaked the tests to expose this problem and added ample comments to the
code.
Bug:
Change-Id: I96d6dfa50908ddafb4d0fa12d247d33444c36b4e
[modify]
[modify]
bu...@chops-service-accounts.iam.gserviceaccount.com <bu...@chops-service-accounts.iam.gserviceaccount.com> #20
The following revision refers to this bug:
https://gerrit.googlesource.com/gerrit.git/+/4839f01dd37e305095c45ce35a59978aee729ffd
commit 4839f01dd37e305095c45ce35a59978aee729ffd
Author: Ben Rohlfs <brohlfs@google.com>
Date: Wed Jan 22 20:59:15 2020
Fix handling of LDAP groups that contain dots
Polymer's property path system has no way to handle dots in property
names, so using this.set() will result in splitting up the group name
into multiple path parts.
Tweaked the tests to expose this problem and added ample comments to the
code.
Bug:https://crbug.com/gerrit/11980
Change-Id: I96d6dfa50908ddafb4d0fa12d247d33444c36b4e
[modify]https://gerrit.googlesource.com/gerrit.git/+/4839f01dd37e305095c45ce35a59978aee729ffd/polygerrit-ui/app/elements/admin/gr-permission/gr-permission.js
[modify]https://gerrit.googlesource.com/gerrit.git/+/4839f01dd37e305095c45ce35a59978aee729ffd/polygerrit-ui/app/elements/admin/gr-permission/gr-permission_test.html
commit 4839f01dd37e305095c45ce35a59978aee729ffd
Author: Ben Rohlfs <brohlfs@google.com>
Date: Wed Jan 22 20:59:15 2020
Fix handling of LDAP groups that contain dots
Polymer's property path system has no way to handle dots in property
names, so using this.set() will result in splitting up the group name
into multiple path parts.
Tweaked the tests to expose this problem and added ample comments to the
code.
Bug:
Change-Id: I96d6dfa50908ddafb4d0fa12d247d33444c36b4e
[modify]
[modify]
bu...@chops-service-accounts.iam.gserviceaccount.com <bu...@chops-service-accounts.iam.gserviceaccount.com> #21
The following revision refers to this bug:
https://gerrit.googlesource.com/gerrit.git/+/4839f01dd37e305095c45ce35a59978aee729ffd
commit 4839f01dd37e305095c45ce35a59978aee729ffd
Author: Ben Rohlfs <brohlfs@google.com>
Date: Wed Jan 22 20:59:15 2020
Fix handling of LDAP groups that contain dots
Polymer's property path system has no way to handle dots in property
names, so using this.set() will result in splitting up the group name
into multiple path parts.
Tweaked the tests to expose this problem and added ample comments to the
code.
Bug:https://crbug.com/gerrit/11980
Change-Id: I96d6dfa50908ddafb4d0fa12d247d33444c36b4e
[modify]https://gerrit.googlesource.com/gerrit.git/+/4839f01dd37e305095c45ce35a59978aee729ffd/polygerrit-ui/app/elements/admin/gr-permission/gr-permission.js
[modify]https://gerrit.googlesource.com/gerrit.git/+/4839f01dd37e305095c45ce35a59978aee729ffd/polygerrit-ui/app/elements/admin/gr-permission/gr-permission_test.html
commit 4839f01dd37e305095c45ce35a59978aee729ffd
Author: Ben Rohlfs <brohlfs@google.com>
Date: Wed Jan 22 20:59:15 2020
Fix handling of LDAP groups that contain dots
Polymer's property path system has no way to handle dots in property
names, so using this.set() will result in splitting up the group name
into multiple path parts.
Tweaked the tests to expose this problem and added ample comments to the
code.
Bug:
Change-Id: I96d6dfa50908ddafb4d0fa12d247d33444c36b4e
[modify]
[modify]
ma...@gmail.com <ma...@gmail.com> #22
[Empty comment from Monorail migration]
da...@gmail.com <da...@gmail.com> #23
[Empty comment from Monorail migration]
da...@gmail.com <da...@gmail.com> #24
[Empty comment from Monorail migration]
da...@gmail.com <da...@gmail.com> #25
[Empty comment from Monorail migration]
da...@gmail.com <da...@gmail.com> #26
[Empty comment from Monorail migration]
br...@google.com <br...@google.com> #27
[Empty comment from Monorail migration]
th...@yahoo.com <th...@yahoo.com> #28
[Empty comment from Monorail migration]
lu...@gmail.com <lu...@gmail.com> #29
[Empty comment from Monorail migration]
ek...@google.com <ek...@google.com> #30
[Monorail components: Backend]
ek...@google.com <ek...@google.com> #31
[Monorail components: -LDAP]
is...@google.com <is...@google.com> #32
Edits were made to reflect the following in Monorail: auto-CCs.
Description
Affected Version: 2.16.x onwards (only PolyGerrit)
What steps will reproduce the problem?
1. Configure Gerrit for ldap authentication and confirm that users authenticate properly.
2. Navigate to Access tab for a Gerrit Project and click Edit
3. add a permission for an ldap group with dot (".") character in the name
! ldap name will autocomplete successfully
! autocompletion can be selected and text input will populate successfully
! permission will appear will appear in UI to be added successfully
What is the expected output?
"Save": Access changes will be saved
"Save for Review": New review will be started the change just made
What do you see instead?
Message pops up "No changes to save" and nothing further happens. There is no way to save this change or save for review either.
If you switch to GWT UI instead, you can add and save the permission successfully.
Please provide any additional information below.
* Users continue to authenticate via ldap just fine.
* Users can be added and removed to permissions just fine
* DLs can be added to gerrit groups and gerrit groups can be added to permissions just fine.
* legacy repos with these kinds of ldap groups already in the Access rules continue to work normally.
* We see occasional LDAP warnings e.g.
WARN com.google.gerrit.server.auth.ldap.LdapGroupBackend : Cannot query LDAP for groups matching requested name [CONTEXT PLUGIN="gerrit" ]
javax.naming.SizeLimitExceededException: [LDAP: error code 4 - Sizelimit Exceeded]; remaining name 'DC=amd,DC=com'
however, these warnings are avoidable and do not contribute to the issue from what we can tell.
* We see no other errors in the log that would indicate how to proceed.
* We have tried different variations of accountBase, groupBase, accountPattern, groupPattern, but only one accountBase allowed ldap authentication to continue working without error (and only with default patterns), so we are sticking with that.
* As stated above, our existing repos (imported from Gerrit 2.15.6) make extensive use of these ldap groups and they continue to function correctly. We are just unable to write new permissions using them in Gerrit 3.