Merge "Document dual account split for Gerrit admins"
commit
15d579cf31
@ -122,6 +122,66 @@ following practices must be observed for SSH access:
then the old one removed.
Gerrit Admins
=============
To provide a reasonable firewall from outside authentication systems,
Gerrit administrators keep two accounts: one for normal code review
activity and one for performing Gerrit administration. Following the same
pattern as our Kerberos administrator account logins, the admin account
corresponding to ``$USER`` would be ``$USER.admin`` (Gerrit doesn't allow
``/`` in usernames) so they can be easily identified when auditing
activity. Unlike the normal code review account, the admin account should
have no OpenID so that it is only accessable by API/CLI methods so they
cannot be compromised at the third-party ID provider.
To create a personal Gerrit admin account from a shell on the server, run
the following command::
sudo -u gerrit2 ssh -i ~gerrit2/review_site/etc/ssh_host_rsa_key \
-p 29418 -l 'Gerrit Code Review' localhost \
"suexec --as openstack-project-creator -- \
gerrit create-account --group Administrators --full-name myname.admin \
--ssh-key 'ssh-rsa AAAA...BCDE myname@computer' myname.admin"
We ``suexec`` as the ``openstack-project-creator`` account because the
magic ``Gerrit Code Review`` pseudoaccount can't set group memberships so
we need to run that command as a user which is already in the
``Administrators`` group. With an account like this, routine actions like
populating new groups with initial members is still quite simple::
ssh -p 29418 myname.admin@review.opendev.org \
"gerrit set-members some-new-group --add somebody@example.org"
Another common example is bypassing Zuul to submit a change for merging
directly to a project. In this case we must first add our account to
another group which has permission to set the relevant labels (it doesn't
get that simply by being an administrator), and then do the
commenting/voting/submitting, followed by cleaning up the extra group
membership again at the end::
ssh -p 29418 myname.admin@review.opendev.org \
"gerrit set-members 'Project Bootstrappers' --add myname.admin"
ssh -p 29418 myname.admin@review.opendev.org \
"gerrit review 12345,6 --message 'Bypassing Zuul to merge this.'
--code-review 2 --verified 2 --label Workflow=1 --submit"
ssh -p 29418 myname.admin@review.opendev.org \
"gerrit set-members 'Project Bootstrappers' --remove myname.admin"
Note that it's possible to temporarily add your normal OpenID-associated
WebUI account to the ``Administrators`` group or other groups with similar
superuser permissions like ``Project Bootstrappers``, but keep in mind that
an attacker who has quietly gained control of your account at the OpenID
provider could be waiting for that opportunity to take advantage of the
added permissions, or you may simply forget to remove the account afterward
negating the added safety of this account separation.
For more examples, see the detailed documentation for Gerrit's SSH CLI,
available on our server:
https://review.opendev.org/Documentation/cmd-index.html
GitHub Access
=============
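Review bot: The Zuul-bypass example adds ``myname.admin`` to ``Project Bootstrappers`` and removes it again as three separate commands, so if the middle ``gerrit review`` invocation fails or the session is interrupted, the account is left with a standing superuser membership, which is exactly the risk the closing paragraph warns about; suggest adding a sentence after the ``--remove`` command telling the admin to confirm the membership is actually gone (for example by listing the group's members) before considering the task finished. Also, "accessable" in "only accessable by API/CLI methods" should be "accessible".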