[Gluster-infra] Google OpenID Connect support for Gerrit?

Marcelo Barbosa firemanxbr at fedoraproject.org
Wed Mar 11 19:25:49 UTC 2015


Justin,

   Sorry for my delay, but I had some problems with gluster in my datacenters;
now that's okay.
   About OpenID support in Gerrit:

   We have four native Gerrit options:
   (not to mention any HTTP auth hacks, with some magic in your reverse
proxy thing):

   1) Migrate to LDAP authentication scheme
   ** Advantage: no messing around with OpenID (and friends) any more
   ** Disadvantage: migration overhead

   2) Switch to other OpenID provider
  Force your users to link to another OpenID identity. The instructions on how
  to link multiple OpenID identities to the same Gerrit account are provided
  here [1]. Also note that, after the needed changes were cherry-picked, 2.10.1
  is going to be available in the near future; it dropped the deprecated OpenID
  provider from the login form and replaced it with Fedora, Launchpad/UbuntuOne.

  ** Advantage: no intervention from admin side is needed
  ** Disadvantage: all users have to move to other OpenID provider(s)

   3) Use Gerrit GitHub plugin
  ** Advantage: Supported upstream
  ** Disadvantage: all users have to sign in to GitHub. A newly created GitHub
  account must be manually linked to the existing Gerrit account.

   4) Use experimental OAuth authentication scheme [2] with Google OAuth plugin [3].
  See the explanation of how it works [4] and how to set it up: [5]

  ** Advantage: Users can use their Google accounts
  ** Disadvantage: Gerrit must be patched. Manually linking OAuth Google
  identity to existing Gerrit accounts is needed (linking of multiple
  identities is not yet implemented)

[1] https://gerrit-review.googlesource.com/Documentation/config-sso.html#_multiple_identities
[2] https://gerrit-review.googlesource.com/65101
[3] https://github.com/davido/gerrit-oauth-provider
[4] https://groups.google.com/d/topic/repo-discuss/K2U6WcWSCaE/discussion
[5] https://code.google.com/p/gerrit/issues/detail?id=2677#c40

   I would like to see the project with Gluster's own accounts all on
FreeIPA, thus detaching us from any other form of authentication and
creating value for the project; I imagine a how-to-register on our page.

Cheers,

firemanxbr

On Mon, Mar 9, 2015 at 11:55 AM, Justin Clift <justin at gluster.org> wrote:

> Hi Marcelo,
>
> Any idea if Gerrit supports OpenID Connect?
>
> Google's current OpenID 2.0 support expires on April 20th,
> to be replaced by "OpenID Connect":
>
>   https://developers.google.com/accounts/docs/OpenID
>
> We'll need a migration plan for our existing Gerrit accounts
> (400+ of them), to either get them using OpenID Connect,
> or migrate them to something else.
>
> It's kind of urgent too (next month)... so ugh.
>
> Regards and best wishes,
>
> Justin Clift
>
> --
> GlusterFS - http://www.gluster.org
>
> An open source, distributed file system scaling to several
> petabytes, and handling thousands of clients.
>
> My personal twitter: twitter.com/realjustinclift
>
>