Google authentication for Gerrit and Jenkins
Tags: jenkins, google-oauth, gerrit, google-openid, mod-auth-openidc

Both Jenkins and Gerrit have plugins for OpenID 2.0, but Google deprecated that API on May 19, 2014, which makes it unusable for new installations, and existing installations must migrate to OAuth 2.0 (OpenID Connect). When trying to use OpenID 2.0 you will receive the error message "Error 400: OpenID auth request contains an unregistered domain". The Gerrit team is aware of the problem but has not found a solution yet. Not sure about Jenkins.

Update 2014/11/05: For people coming here, please read the content below first. Thanks for the feedback; it is included in the updated version. The setup now uses the suggested improvements and only uses mod_rewrite to redirect the Gerrit logout URL to the correct location. Also note that instead of using only the non-domain part of the email, the email is used unmodified. This means that if you happen to have an existing setup, you need to change the user name mapping. For Jenkins, do the following:
- Move ${jenkins_home}/users/youruser to ${jenkins_home}/users/youruser@yourdomain
- Open ${jenkins_home}/config.xml, search for "youruser" and replace it with youruser@yourdomain

For Gerrit:
- Open the SQL database using one of the following two methods:
  - [recommended] via the gerrit command provided over ssh:
    ssh gerrit.revault.ch gerrit gsql
  - or on the machine itself (change GERRIT_HOME to its location on your machine):
- Show the external IDs:
    select * from ACCOUNT_EXTERNAL_IDS;
- External IDs map your account to different user names, emails, etc.
  - Prefixed with username:, e.g. username:test@example.com, for the ssh/git login name
  - Prefixed with gerrit:, e.g. gerrit:test@example.com, for the web interface
- For a given account id you can add a new mapping for an existing user with SQL, e.g.
    insert into ACCOUNT_EXTERNAL_IDS values(1000032, NULL, NULL, 'username:test@example.com');
    insert into ACCOUNT_EXTERNAL_IDS values(1000032, NULL, NULL, 'gerrit:test@example.com');
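The Jenkins half of the mapping change above, as an added example that is not code from the original post: it renames the user directory and rewrites only the exact matching entries in config.xml, because a blind search-and-replace of "youruser" would also hit other names that merely contain the string. The Jenkins home built in demo() and the user names in it are constructed for the demo.

```python
"""Added example, not from the original post: apply the user-name mapping change the
update above describes, renaming the Jenkins user directory and the matching entries
in config.xml. The Jenkins home built in demo() is constructed for this demo."""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET


def rename_jenkins_user(jenkins_home: str, old: str, new: str) -> list[str]:
    """Move users/<old> to users/<new> and rewrite only the exact matching entries.

    A plain text search-and-replace of 'youruser' would also hit job names or other
    users whose names contain the string, so only matrix permission entries of the
    form '<permission>:<old>' and <string> elements equal to <old> are changed.
    """
    users = os.path.join(jenkins_home, "users")
    shutil.move(os.path.join(users, old), os.path.join(users, new))
    cfg = os.path.join(jenkins_home, "config.xml")
    tree = ET.parse(cfg)
    changed = []
    for el in tree.getroot().iter():
        if el.tag == "permission" and el.text and el.text.endswith(":" + old):
            el.text = el.text[: -len(old)] + new
            changed.append(el.text)
        elif el.tag == "string" and el.text == old:
            el.text = new
            changed.append(new)
    tree.write(cfg, encoding="utf-8", xml_declaration=True)
    return changed


# Constructed sample config.xml: 'alicebob' must NOT be touched when renaming 'alice'.
CONFIG_XML = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:alice</permission>
    <permission>hudson.model.Hudson.Read:alicebob</permission>
  </authorizationStrategy>
</hudson>"""


def demo() -> tuple[list[str], list[str]]:
    """Build a throw-away Jenkins home, run the rename, return (changed entries, user dirs)."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, "users", "alice"))
    with open(os.path.join(home, "config.xml"), "w", encoding="utf-8") as f:
        f.write(CONFIG_XML)
    changed = rename_jenkins_user(home, "alice", "alice@example.com")
    return changed, sorted(os.listdir(os.path.join(home, "users")))
```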
Solution

You can use Apache as a reverse proxy to handle authentication for you.

Gerrit

Assume you have Gerrit installed and it is listening on 10.10.10.10:8080. You have to configure Gerrit to use basic authentication, i.e. the [auth] section in your ${gerrit_installation}/etc/gerrit.config should look like this:
[gerrit]
basePath = git
canonicalWebUrl = http://gerrit.example.com
[database]
type = h2
database = db/ReviewDB
[index]
type = LUCENE
[auth]
type = HTTP
emailFormat = {0}@example.com
httpHeader = X-Forwarded-User
[sendemail]
smtpServer = localhost
[container]
user = gerrit
javaHome = /usr/lib/jvm/java-8-oracle/jre
[sshd]
listenAddress = 10.10.10.10:2222
[httpd]
listenUrl = http://10.10.10.10:8080/
[cache]
directory = cache
The user name will be in the header X-User. That is how Apache forwards the user name to Gerrit.

On Apache we will use mod_auth_openidc, which supports OAuth2. For further information and examples refer to its documentation. On a recent Ubuntu installation it looked like this:
sudo aptitude install libjansson-dev apache2 apache2-dev libcurl4-openssl-dev build-essential autoconf libhiredis-dev
git clone https://github.com/pingidentity/mod_auth_openidc.git
cd mod_auth_openidc
./autogen.sh
./configure
make
sudo make install
sudo a2enmod auth_openidc
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod headers
sudo a2enmod rewrite
You need to add a site configuration in /etc/apache2/sites-available, e.g. gerrit.conf, similar to the one below (you probably want TLS too), and activate it with:
sudo a2ensite gerrit.conf
The file /etc/apache2/sites-available/gerrit.conf looks like this:
<VirtualHost *:80>
ServerName gerrit.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <from api console>
OIDCClientSecret <from api console>
OIDCScope "openid email profile"
OIDCRedirectURI http://gerrit.example.com/oauth2callback
OIDCCryptoPassphrase <generate long random passphrase here, not sure if used>
OIDCSessionInactivityTimeout 600
OIDCCookiePath /
OIDCAuthRequestParams hd=example.com
OIDCRemoteUserClaim email
OIDCAuthNHeader X-Forwarded-User
RewriteEngine On
#LogLevel alert rewrite:trace2
RewriteRule ^/logout$ /oauth2callback?logout=http://gerrit.example.com/ [R]
ProxyPass / http://gerrit.example.com:8080/ nocanon
ProxyPassReverse / http://gerrit.example.com:8080/
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Proxy http://gerrit.example.com:8080/*>
# add rewrites here if necessary
</Proxy>
<Location />
AuthType openid-connect
Require claim hd:example.com
Require valid-user
</Location>
</VirtualHost>
To get the parameters OIDCClientID and OIDCClientSecret, go to the API console. If you do not have a project yet, create one first; the credentials live in the project context, e.g. "it auth example". In the project, go to APIs & auth:
- Under APIs, activate the Google+ API
- Under Credentials, OAuth, create a new Client ID
- Fill in OIDCClientID and OIDCClientSecret in the Apache config (e.g. gerrit.conf)
- Under Consent screen, fill in the email and product name (if you do not, you will get an error)

Jenkins
<VirtualHost *:80>
ServerName jenkins.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <from api console>
OIDCClientSecret <from api console>
OIDCScope "openid email profile"
OIDCRedirectURI http://jenkins.example.com/oauth2callback
OIDCCryptoPassphrase <generate long random passphrase here, not sure if used>
OIDCSessionInactivityTimeout 600
OIDCCookiePath /
OIDCAuthRequestParams hd=example.com
OIDCRemoteUserClaim email
OIDCAuthNHeader X-Forwarded-User
ProxyPass / http://jenkins.example.com:8080/ nocanon
ProxyPassReverse / http://jenkins.example.com:8080/
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Proxy http://jenkins.example.com:8080/*>
# add rewrites here if necessary
</Proxy>
<Location />
AuthType openid-connect
Require claim hd:example.com
Require valid-user
</Location>
<Location ~ "^/(cli|jnlpJars|subversion|whoAmI|computer/[^/]+/slave-agent.jnlp|tcpSlaveAgentListener)">
Satisfy Any
Allow from all
</Location>
</VirtualHost>
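A small audit of the Gerrit and Jenkins vhosts above, as an added example that is not code from the original answer: it checks the handful of directives that actually enforce "only accounts from our Google domain" (hd= is only a login hint, sibling Require directives are ORed by Apache 2.4, a plain-HTTP callback, and the auth-exempt Jenkins locations). The WEAK and FIXED strings are constructed for the demo and reuse only directive names that appear on the page.

```python
"""Added example, not code from the original answer: lint a mod_auth_openidc vhost
like the ones above for the settings that actually enforce "only our Google domain"."""
import re


def audit_vhost(conf: str) -> list[str]:
    """Return findings for a mod_auth_openidc reverse-proxy vhost; [] means clean."""
    lines = [l.strip() for l in conf.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    findings = []
    # hd= in OIDCAuthRequestParams only pre-selects the domain on Google's login page;
    # 'Require claim hd:<domain>' is what checks the hd claim of the returned ID token.
    hint = any(l.startswith("OIDCAuthRequestParams") and "hd=" in l for l in lines)
    claim = any(re.match(r"Require\s+claim\s+hd:", l) for l in lines)
    if hint and not claim:
        findings.append("hd= is only a login hint; add 'Require claim hd:<domain>'")
    # Apache 2.4 wraps sibling Require directives in an implicit <RequireAny>, so
    # 'Require valid-user' beside 'Require claim ...' lets any signed-in Google account through.
    if claim and "Require valid-user" in lines and "<RequireAll>" not in lines:
        findings.append("Require claim is ORed with Require valid-user; use <RequireAll> or drop valid-user")
    # The authorization code and session cookie travel in clear text over a plain-HTTP callback.
    if any(l.startswith("OIDCRedirectURI http://") for l in lines):
        findings.append("OIDCRedirectURI uses http://; serve the proxy over TLS")
    # Paths exempted from authentication reach the backend with no verified identity; list them.
    loc = None
    for l in lines:
        m = re.match(r"<Location\s+(.*)>$", l)
        if m:
            loc = m.group(1)
        elif l == "</Location>":
            loc = None
        elif loc and l == "Satisfy Any":
            findings.append("auth-exempt location, review backend handling: " + loc)
    return findings


# Constructed: the shape of the vhost above, then the same block with the findings addressed.
WEAK = """OIDCRedirectURI http://gerrit.example.com/oauth2callback
OIDCAuthRequestParams hd=example.com
<Location />
AuthType openid-connect
Require claim hd:example.com
Require valid-user
</Location>"""
FIXED = """OIDCRedirectURI https://gerrit.example.com/oauth2callback
OIDCAuthRequestParams hd=example.com
<Location />
AuthType openid-connect
<RequireAll>
Require valid-user
Require claim hd:example.com
</RequireAll>
</Location>"""
```

Run audit_vhost() over the real gerrit.conf and jenkins.conf; the Jenkins exemptions for /cli, /jnlpJars and the agent endpoints are expected findings whose backend handling should be reviewed, not errors.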
OIDCAuthRequestParams openid.realm=<urlencoded-realm-value>
OIDCRemoteUserClaim openid_id