supply authentication to zuul's gerrit baseurl

Bug #1194992 reported by John Dewey
20
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Zuul
In Progress
Undecided
Zang MingJie

Bug Description

We don't want to allow anonymous r/o access to our repos. To disable this,
we disabled the Anonynous user from refs/*. However, when doing this, prevents zuul from connecting to gerrit anonymously.

[gerrit]
baseurl=http://127.0.0.1:8181
server=127.0.0.1
user=jenkins
sshkey=/var/lib/zuul/ssh/id_rsa_jenkins

Was hoping we could allow user/pass options, so zuul can construct an authenticated URL to query gerrit.

John Dewey (retr0h)
description: updated
Revision history for this message
Jeremy Stanley (fungi) wrote :

It's worth noting that plaintext HTTP will potentially leak your credentials for this. HTTPS with proper certificate validation or possibly Gerrit's SSH interface could provide a secure transport for this sort of feature enhancement. Since Zuul already needs to be able to connect to Gerrit's SSH interface to read the event stream, perhaps much of the needed key management logic is already in place for that?

Revision history for this message
John Dewey (retr0h) wrote :

Ah, yes. I would agree using gerrit's ssh interface would be ideal, if it is possible.

Changed in zuul:
status: New → In Progress
assignee: nobody → Zang MingJie (zealot0630)
Revision history for this message
Zang MingJie (zealot0630) wrote :
Revision history for this message
Gene Snider (gene-4) wrote :

This issue affects everyone who uses the 'proxy-https' setting in the httpd section of gerrit.conf. The change was abandonded due to inactivity but I have asked the author to restore it.

Revision history for this message
Xiaofei.Wang (wangxf-s) wrote :

I have some issue.How can i resolve it?

Revision history for this message
Xiaofei.Wang (wangxf-s) wrote :

I has been fixed it

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers