Merge branch 'stable-2.15' into stable-2.16

* stable-2.15:
  Add new maintainer Han-Wen Nienhuys as developer in pom.xml files
  Set version to 2.14.18-SNAPSHOT
  ldap: allow to disable the groups relevance filtering

Change-Id: I32e63792fe13436575167074139ae304915d2aec
David Pursehouse 2018-12-19 17:45:37 +09:00
commit 292c2ba539
8 changed files with 43 additions and 4 deletions


@ -3093,6 +3093,19 @@ Directory and link:https://www.freeipa.org[FreeIPA].
groupMemberPattern = (&(objectClass=group)(member=${dn}))
----
[[ldap.guessRelevantGroups]]ldap.guessRelevantGroups::
+
Filter the groups found in LDAP by guessing the ones relevant to
Gerrit and removing the others from list completions and ACL evaluations.
The guess is based on two elements: the projects most recently
accessed in the cache and the list of LDAP groups included in their ACLs.
+
Please note that projects rarely used and thus not cached may be
temporarily inaccessible by users even with LDAP membership and grants
referenced in the ACLs.
+
By default, true.
[[ldap.server]]ldap.server::
+
URL of the organization's LDAP server to query for user information


@ -34,6 +34,7 @@ import com.google.gerrit.server.account.GroupBackend;
import com.google.gerrit.server.account.GroupMembership;
import com.google.gerrit.server.account.externalids.ExternalId;
import com.google.gerrit.server.auth.ldap.Helper.LdapSchema;
import com.google.gerrit.server.config.GerritServerConfig;
import com.google.gerrit.server.project.ProjectCache;
import com.google.gerrit.server.project.ProjectState;
import com.google.inject.Inject;
@ -52,6 +53,7 @@ import javax.naming.directory.DirContext;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.login.LoginException;
import org.eclipse.jgit.lib.Config;
/** Implementation of GroupBackend for the LDAP group system. */
public class LdapGroupBackend implements GroupBackend {
@ -65,6 +67,7 @@ public class LdapGroupBackend implements GroupBackend {
private final LoadingCache<String, Boolean> existsCache;
private final ProjectCache projectCache;
private final Provider<CurrentUser> userProvider;
private final Config gerritConfig;
@Inject
LdapGroupBackend(
@ -72,12 +75,14 @@ public class LdapGroupBackend implements GroupBackend {
@Named(GROUP_CACHE) LoadingCache<String, Set<AccountGroup.UUID>> membershipCache,
@Named(GROUP_EXIST_CACHE) LoadingCache<String, Boolean> existsCache,
ProjectCache projectCache,
Provider<CurrentUser> userProvider) {
Provider<CurrentUser> userProvider,
@GerritServerConfig Config gerritConfig) {
this.helper = helper;
this.membershipCache = membershipCache;
this.projectCache = projectCache;
this.existsCache = existsCache;
this.userProvider = userProvider;
this.gerritConfig = gerritConfig;
}
private boolean isLdapUUID(AccountGroup.UUID uuid) {
@ -178,7 +183,7 @@ public class LdapGroupBackend implements GroupBackend {
if (id == null) {
return GroupMembership.EMPTY;
}
return new LdapGroupMembership(membershipCache, projectCache, id);
return new LdapGroupMembership(membershipCache, projectCache, id, gerritConfig);
}
private static String findId(Collection<ExternalId> extIds) {
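Review bot: The backend now stores the whole `@GerritServerConfig Config` only to hand it to each `LdapGroupMembership` created in the last hunk, so `ldap.guessRelevantGroups` is parsed again every time that method builds a membership object. Resolving the option once in the constructor, `this.guessRelevantGroups = gerritConfig.getBoolean("ldap", "guessRelevantGroups", true);`, and passing the boolean, `new LdapGroupMembership(membershipCache, projectCache, id, guessRelevantGroups)`, would keep the per-user object free of server configuration and give the option a single place where it is read. The `LdapGroupMembership` constructor would then take a `boolean` instead of a `Config`. The method containing the changed `return` starts outside the hunk, so its name and other callers are not visible here.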


@ -22,20 +22,24 @@ import com.google.gerrit.server.project.ProjectCache;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import org.eclipse.jgit.lib.Config;
class LdapGroupMembership implements GroupMembership {
private final LoadingCache<String, Set<AccountGroup.UUID>> membershipCache;
private final ProjectCache projectCache;
private final String id;
private final boolean guessRelevantGroups;
private GroupMembership membership;
LdapGroupMembership(
LoadingCache<String, Set<AccountGroup.UUID>> membershipCache,
ProjectCache projectCache,
String id) {
String id,
Config gerritConfig) {
this.membershipCache = membershipCache;
this.projectCache = projectCache;
this.id = id;
this.guessRelevantGroups = gerritConfig.getBoolean("ldap", "guessRelevantGroups", true);
}
@Override
@ -56,7 +60,9 @@ class LdapGroupMembership implements GroupMembership {
@Override
public Set<AccountGroup.UUID> getKnownGroups() {
Set<AccountGroup.UUID> g = new HashSet<>(get().getKnownGroups());
g.retainAll(projectCache.guessRelevantGroupUUIDs());
if (guessRelevantGroups) {
g.retainAll(projectCache.guessRelevantGroupUUIDs());
}
return g;
}
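Review bot: Nothing in this commit exercises the new `guessRelevantGroups` branch in `getKnownGroups()`: the 8 changed files shown are the documentation, two Java sources and five `pom.xml` files, yet the documentation added alongside says the flag affects list completions and ACL evaluations. A test that constructs the membership with `ldap.guessRelevantGroups = false` and asserts that a group missing from `projectCache.guessRelevantGroupUUIDs()` is still returned, together with the default-true counterpart, would pin both behaviours. The field would also benefit from a comment such as `// false: getKnownGroups() returns the set from get().getKnownGroups() unfiltered; true (default): only groups also in projectCache.guessRelevantGroupUUIDs()`. Only `getKnownGroups()` is visible in this hunk, so whether the other `GroupMembership` methods apply the same filter cannot be told from here and is worth checking so the option behaves consistently.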


@ -43,6 +43,9 @@
<developer>
<name>Edwin Kempin</name>
</developer>
<developer>
<name>Han-Wen Nienhuys</name>
</developer>
<developer>
<name>Hugo Arès</name>
</developer>


@ -43,6 +43,9 @@
<developer>
<name>Edwin Kempin</name>
</developer>
<developer>
<name>Han-Wen Nienhuys</name>
</developer>
<developer>
<name>Hugo Arès</name>
</developer>


@ -43,6 +43,9 @@
<developer>
<name>Edwin Kempin</name>
</developer>
<developer>
<name>Han-Wen Nienhuys</name>
</developer>
<developer>
<name>Hugo Arès</name>
</developer>


@ -43,6 +43,9 @@
<developer>
<name>Edwin Kempin</name>
</developer>
<developer>
<name>Han-Wen Nienhuys</name>
</developer>
<developer>
<name>Hugo Arès</name>
</developer>


@ -43,6 +43,9 @@
<developer>
<name>Edwin Kempin</name>
</developer>
<developer>
<name>Han-Wen Nienhuys</name>
</developer>
<developer>
<name>Hugo Arès</name>
</developer>