1047 Commits

Author SHA1 Message Date
Shawn Pearce
ee59afd5ab Rename CapabilityControl to AccountLimits
The class no longer controls capabilities. It now only provides
limits over server resources consumed during a request.

Change-Id: I70408bd5dda68b05502c4ece989b60f55793a8dd
2017-06-29 12:23:42 +00:00
Edwin Kempin
e7e9fbbf23 Migrate accounts to NoteDb (part 2)
This is the second part of migrating accounts from ReviewDb to NoteDb.

This change:
* migrates the accounts from ReviewDb to NoteDb (for single instance
  Gerrit servers)
* adds a configuration parameter (user.readAccountsFromGit) that
  controls whether external IDs are read from ReviewDb or NoteDb

AccountIT is now loading external IDs of an account directly from NoteDb
instead of retrieving them via the account cache. This is because for
the test deleteUserBranchWithAccessDatabaseCapability() the admin
account gets deleted by deleting its user branch and then the @After
restoreExternalIds() method couldn't delete the external IDs of that
account anymore (because the account was deleted it couldn't be
retrieved via the account cache anymore).

Change-Id: I41fa3a6bdb76f497c79a05bdc76e97a7e73624a6
Signed-off-by: Edwin Kempin <ekempin@google.com>
2017-06-27 15:56:38 +02:00
Edwin Kempin
a80101b895 Migrate accounts to NoteDb (part 1)
Always write account updates to both backends, ReviewDb and NoteDb.

In NoteDb accounts are represented as user branches in the All-Users
repository. Optionally a user branch can contain an 'account.config' file
that stores account properties, such as full name, preferred email,
status and the active flag. The timestamp of the first commit on a user
branch denotes the registration date. The initial commit on the user
branch may be empty (since having an 'account.config' is optional).

The 'account.config' file is a git config file that has one 'account'
section with the properties of the account:

  [account]
    active = false
    fullName = John Doe
    preferredEmail = john.doe@foo.com
    status = Overloaded with reviews

All keys are optional. This means 'account.config' may not exist on the
user branch if no properties are set.

If no value for 'active' is specified, by default the account is
considered as active.

AccountsUpdate is now sending RefUpdatedEvents when an account is
updated. ReindexAfterRefUpdate receives the events and takes care to
evict the updated accounts from the account cache, which in turn
triggers reindex of the accounts. This is why AccountsUpdate no longer
needs to evict the updated accounts itself from the account cache. Since
AccountsUpdate doesn't reindex accounts on its own anymore the
ServerNoReindex factory can be removed.

To support a live migration on a multi-master Gerrit installation, the
migration of accounts from ReviewDb to NoteDb is done in 3 steps:
- part 1 (this change):
  * always write to both backends (ReviewDb and NoteDb)
  * always read accounts from ReviewDb
  * upgraded instances write to both backends, old instances only
    write to ReviewDb
  * after upgrading all instances (all still read from ReviewDb)
    run a batch to copy all accounts from the ReviewDb to NoteDb
- part 2 (next change):
  * bump the database schema version
  * migrate the accounts from ReviewDb to NoteDb (for single instance
    Gerrit servers)
  * config option to control whether accounts are read from ReviewDb or
    NoteDb
- part 3:
  * remove config option to control whether accounts are read from
    ReviewDb or NoteDb and always read from NoteDb
  * delete the database table

Change-Id: I2e0b13feb3465e086b49b2de2439a56696b5fba9
Signed-off-by: Edwin Kempin <ekempin@google.com>
2017-06-27 15:56:32 +02:00
David Pursehouse
f80e91155b Merge "Remove CapabilityControl from CurrentUser"
2017-06-21 23:41:43 +00:00
Dave Borowitz
36b9d3e991 NotesBranchUtil: Don't retry automatically
The retry mechanism in NotesBranchUtil is inflexible, and only retries a
fixed number of times on lock failure, with a fixed wait in between, up
to 250ms total. Now that we have RetryHelper available globally, make
use of that instead. This allows us to eliminate a lot of code from
NotesBranchUtil, which is a good thing, since this extra code also has
some bugs. For example, it doesn't handle all possible
RefUpdate.Results.

This is a philosophical difference in how to approach retries, which
requires fixing downstream code, including in the reviewnotes plugin.
RetryHelper is designed to be run at the highest level, completely
reopening the repository, to ensure we get the latest ref state and
start with a fresh inserter.

Since we now expect downstream plugins to use RetryHelper, export
guava-retrying from the plugin API.

Change-Id: I8a93e20f811a7c67c5cfd9cdf630afac7327c64f
2017-06-21 09:07:29 -04:00
Shawn Pearce
6302ccb2bb Remove CapabilityControl from CurrentUser
Drop the capabilities reference from all user objects.  Most global
capabilities can be checked with the PermissionBackend.

QoS, query limits, and emailing reviewers still require the capability
object.  Bundle its factory into the call sites that need it.

Continue caching the CapabilityControl in an opaque property on the
CurrentUser, and also in the DefaultPermissionBackend.WithUserImpl.
Both of these sites reduce evaluations for critical properties like
"administrateServer".

Change-Id: I5aae8200e0a579ac1295a3fb7005703fd39d2696
2017-06-21 19:51:20 +09:00
Han-Wen Nienhuys
4daf68c8b8 Add threadPriority argument to createQueue.
This stops ScheduledThreadPoolExecutor API usage from leaking beyond WorkQueue.

Change-Id: I9c7b141272a6d547c4f2c39c28a5ea60ada944d7
2017-06-19 18:49:57 +02:00
Han-Wen Nienhuys
40270c4bef Avoid referencing gerrit specific Executor.
WorkQueue.Executor is a thin layer on top of
ScheduledThreadPoolExecutor. Since it is a class, rather than an
implementation, it is impossible to inject a wrapper around an
existing implementation.

This change is one step towards enabling this.

Change-Id: Id6b1d0fd10b5f8549cbc76a4867b3afb750aca02
2017-06-14 14:24:21 +02:00
Shawn Pearce
ab841f6946 Convert VisibleRefFilter to assisted factory
Callers have to pass a number of arguments to build and configure the
VisibleRefFilter.  Instead of forcing callers to pass around many
arguments, use an assisted injection factory to create the instance.

Rely on the context Provider<ReviewDb> and Provider<CurrentUser> to
gain database access and user identity within the filter. Given all
current call sites, these should already be populated.

Change-Id: I8197ee773c94f16472d53162fb70791c45899c1b
2017-06-14 09:51:27 +00:00
Edwin Kempin
fd8fa32db1 Remove more finals from method signatures
Change-Id: I5849ebf378469dcfd5b89bed88c6f7dedf67f7ba
Signed-off-by: Edwin Kempin <ekempin@google.com>
2017-06-14 09:39:19 +02:00
Han-Wen Nienhuys
b0fb0a7a96 Remove 'final' from method signatures across gerrit.
Change-Id: I986a5507aa26ceb28305a7b08991e85238bde0e3
2017-06-14 09:18:42 +02:00
David Pursehouse
a20767c849 Merge branch 'stable-2.14'
* stable-2.14:
  Add support for 384 and 521 bit ECDSA keys

Change-Id: I27e81740f219cc70e3ff1112c82c8105daf91505
2017-05-31 11:03:47 +09:00
Paladox none
56517ff895 Add support for 384 and 521 bit ECDSA keys
Previously only the 256 bit key was generated.

Change-Id: I37b97088537e1508076264c6eeacd0487b15ae3d
2017-05-31 10:32:42 +09:00
ekempin
ebd874618f Merge changes from topic 'migrate-external-ids-3'
* changes:
  Allow to update external IDs by push
  Migrate external IDs to NoteDb (part 3)
2017-05-11 13:51:21 +00:00
David Pursehouse
c3c8c884e8 Merge branch 'stable-2.14'
* stable-2.14:
  SshDaemon: Set NIO2_READ_TIMEOUT to sshd.idleTimeout

Change-Id: If04a5494bcd9a5a6149387156438534cf79adf0b
2017-05-11 16:08:14 +09:00
David Pursehouse
471fe93e30 SshDaemon: Set NIO2_READ_TIMEOUT to sshd.idleTimeout
As described in SSHD-715 [1] the NIO2_READ_TIMEOUT parameter was
introduced in sshd version 1.3.

[1] https://issues.apache.org/jira/browse/SSHD-715

Bug: Issue 6173
Change-Id: I6f930cafef9583a83aed2e6d05ff2a9f27c33cb8
2017-05-11 05:44:45 +00:00
Edwin Kempin
276b8a897f Migrate external IDs to NoteDb (part 3)
This is the third part of migrating external IDs from ReviewDb to
NoteDb.

This change:
* changes the code to always read external IDs from NoteDb (the
  user.readExternalIdsFromGit configuration parameter is removed)
* bumps the database schema version
* deletes the database table for external IDs

Pushing to the refs/meta/external-ids branch is still prevented by a
commit validator. Since all external IDs are now in NoteDb only we
could allow pushing to refs/meta/external-ids. However we would still
like to do validation of the branch content and reject invalid content
(e.g. invalid Git config files, usage of non-existing account IDs
etc.) and such a validator is not implemented yet (but can be
implemented in a follow-up change).

Change-Id: Id9e5574a1d8d82f4f48fbb0b6dadc0e27d138a28
Signed-off-by: Edwin Kempin <ekempin@google.com>
2017-05-10 08:51:44 +02:00
David Pursehouse
9cbfae0ada Merge branch 'stable-2.14'
* stable-2.14:
  ReviewersUtil: Fix candidate list multiplier comment
  Replace FileInputStream and FileOutputStream with static Files methods

Change-Id: I5c4e04457b680db7709c522f17cfef1bef91a60f
2017-05-10 15:47:26 +09:00
Hector Oswaldo Caballero
db21e3add0 Replace FileInputStream and FileOutputStream with static Files methods
FileInputStream and FileOutputStream rely on finalize() method to ensure
resources are closed. This implies they are added to the finalizer queue
which causes additional work for the JVM GC process.

This is an open bug on the OpenJDK [1] and the recommended workaround is
to use the Files.newInputStream and Files.newOutputStream static methods
instead.

[1] https://bugs.openjdk.java.net/browse/JDK-8080225

Change-Id: I3cef6fcf198dde2be7cd15bded8d2fa247177654
2017-05-10 00:10:52 +00:00
David Pursehouse
75c9189fc2 Merge branch 'stable-2.14'
* stable-2.14:
  Use account cache instead of ReviewDb in MailProcessor
  Change log message to reflect IMAP RFC
  Get rid of calls to SecurityUtils.isBouncyCastleRegistered()
  SshDaemon: Improve log message when formatting ssh host key fails

Change-Id: Ibbc3a1d32c7127335840233d66324fca7f664e12
2017-05-08 23:09:30 +09:00
David Pursehouse
7b38f47e56 Get rid of calls to SecurityUtils.isBouncyCastleRegistered()
Since we now ship BouncyCastle in the .war file, this will always
return true.  Remove the code that is now redundant.

Change-Id: I35d6191b6f5e4cea40a022236cbc848eb01d7ba1
2017-05-08 19:44:57 +09:00
David Pursehouse
b139a0c9d4 SshDaemon: Improve log message when formatting ssh host key fails
Include the key string, which will help to track down which one
failed, and omit the entire stack trace, which doesn't actually
provide any useful information.

Change-Id: I67c1fbe75c99f8cda6dbebe27c050e338e571315
2017-05-08 16:51:09 +09:00
David Pursehouse
1fc7804c26 Merge branch 'stable-2.14'
* stable-2.14:
  Use 'Merge list' as display name for /MERGE_LIST
  DatabasePubKeyAuth: Also look for ecdsa keys and ed25519 keys
  SshDaemon: Also look for ecdsa keys and ed25519 keys
  InitSshd: Generate ecdsa and ed25519 keys if the host supports them
  Speed up reviewer suggestion
  Relocate setting page base to app initialization
  Allow multiple Servlet filters on Jetty HTTPD

Change-Id: I22fa3777ea8150a89e4c66d5d32535caee1b5a76
2017-05-08 11:16:59 +09:00
Paladox none
99550098d4 DatabasePubKeyAuth: Also look for ecdsa keys and ed25519 keys
Change-Id: I13ca777bfd9f4b27d6579fdb8db5a9c0fb1102d3
2017-05-08 01:40:09 +00:00
Paladox none
acf39dacf5 SshDaemon: Also look for ecdsa keys and ed25519 keys
Change-Id: Iac0cf87aea6c6f4267d83f1d017cef869e7abc1b
2017-05-08 01:39:38 +00:00
Paladox none
c3319bf15e InitSshd: Generate ecdsa and ed25519 keys if the host supports them
Change-Id: Iad0fdea4f2acb97207d553ed30fdfbf9b0d83067
2017-05-08 08:54:41 +09:00
Dave Borowitz
ae52afc058 Convert most ChangeApi handlers to retrying wrappers
Excludes a few that will require more work to plumb the
BatchUpdate.Factory into the class that actually does the work.

Change-Id: Id8c679c91ed8ea142f1856fcc2d976c4fb609dc5
2017-05-04 12:53:40 -04:00
David Pursehouse
74e4876d88 Merge branch 'stable-2.14'
* stable-2.14:
  Move systemctl files to /init/ rather than /systemd/
  SitePathInitializer: Fix destination file name for gerrit.socket
  Clarify documentation for accountPatchReviewDb.url
  Add the new gerrit systemctl file to init
  Remove unneeded output in MigrateAccountPatchReviewDb
  ES: Implement online reindex for ElasticSearch
  JdbcAccountPatchReviewStore: Fix copyright year
  Fix documentation nits in pgm-MigrateAccountPatchReviewDb.txt
  Support Jdbc implementation of AccountPatchReviewStore
  ES: Temporarily disable server discovery

Change-Id: I1034869bc6146db929f6242610c9eb13a7b092f7
2017-04-26 14:05:54 +02:00
Dariusz Luksza
74bb6d6184 ES: Implement online reindex for ElasticSearch
Implement online reindexing for ElasticSearch based on the code for
Lucene online reindex.

Testing scenario:
 1. Start fresh Gerrit site with this patch
 2. Create account
 3. Verify data in ElasticSearch:
   curl http://localhost:9200/gerritaccounts_0004/
   curl http://localhost:9200/gerritaccounts_0004/_search
 4. Stop Gerrit
 5. Cherry pick change I77e1643cd1a7fbef9f4d2fa214823759188e9592
 6. Start Gerrit
 7. Wait for log message:
     Starting online reindex from schema version 4 to 5
 8. Verify state in ElasticSearch:
   curl http://localhost:9200/gerritaccounts_0005/
   curl http://localhost:9200/gerritaccounts_0005/_search

Entry for user account created in step 2 should have "elastic_online"
property with value "reindex work".

Change-Id: I9efcf5735e65b4f2dc2a97914d398f81656fc12a
2017-04-26 11:50:47 +02:00
Luca Milanesio
931fe95745 Move PluginPermissions to extension API
Allow plugins to define their own capability and permission and check
whether the current user satisfies them, consuming PluginPermission from
the plugin extension API.

Change-Id: Iabba0ffa2a7e40605b09b41c25ab147395bb5f8c
2017-04-25 14:36:18 +02:00
Shawn Pearce
8ea6df30a2 Convert parsing projects to use PermissionBackend
When parsing a project name from a command line argument or in the
REST API, check the caller has ACCESS permission using
PermissionBackend, failing if they don't.

In UploadArchive check READ permission to determine if the
reachability check can be skipped.

Change-Id: I8b9155834a4ab36b964e339f5d9e1d110f771158
2017-04-24 08:28:24 +00:00
Shawn Pearce
571f99c02a Convert ListChildProjects to PermissionBackend
Rewrite the code to use Java 8 streams and the new
PermissionBackend to filter batches of direct children
for ACCESS permission.

Change-Id: I7ca6b5566a6ec675760dc937db369e9150546dd3
2017-04-24 08:27:33 +00:00
Shawn Pearce
abab3e99d9 Convert SuggestParentCandidates to PermissionBackend
Define two ProjectPermissions:

  ACCESS - Caller can see at least one reference (or change) and
  should be able to learn the project exists, and use APIs that
  depend on that fact. Hidden projects are not accessible unless
  the user is an owner.

  READ - Caller can see all references in the project and can
  use things like GitwebServlet where filtering doesn't happen.
  Hidden projects are not readable unless the user is an owner.

Add a filter() method in PermissionBackend to support checking
a permission across many projects at once, and use this inside
of SuggestParentCandidates to filter results to only projects
that the caller has ACCESS permission to.

Change-Id: I1329a8df1e7858e02379b7a1a526ad4954f0e42a
2017-04-24 08:18:53 +00:00
Shawn Pearce
29d4523608 Convert administrateServer to PermissionBackend
Leave a poorly named backdoor in CapabilityControl for the existing
ProjectControl, RefControl, ChangeControl and GroupControl to test
administrator permission.

Update test expecting a failure when administrateServer is not granted.

Change-Id: I0f523dbf26506ea53c38ffb02aeef74f3cf18ba6
2017-04-24 10:14:01 +02:00
David Pursehouse
b5798658f5 Merge changes from topic 'permission-backend'
* changes:
  Convert RequireCapability checks to PermissionBackend
  Change capabilities collection to parse using PermissionBackend
2017-04-24 05:18:49 +00:00
Martin Fick
4c4acd6796 Delegate dynamicBeans for external plugins
When dynamicbeans are defined by an external plugin on commands from a
different plugin, instantiate the dynamic bean with a delegating
classloader which uses the command's classloader as the parent and
resolves resources via the dynamicbean's classloader.  Also instantiate
the dynamicbeans using the injector from the command.

Change-Id: If2cff8235a9680eb64c58b77f2d482c5896baf0f
2017-04-21 15:33:15 -06:00
Shawn Pearce
79a899e505 Convert RequireCapability checks to PermissionBackend
Replace CapabilityUtils with support in PermissionBackend to check if
the caller has at least one of the specified permissions parsed from
class annotation.

This enables hiding canPerform(String) from CapabilityControl, which
makes it much harder to bypass the PermissionBackend.

Assume anyone with ADMINISTRATE_SERVER also has any PluginPermission.
This is carried over from CapabilityUtils, which skips any further
checks when the user has canAdministrateServer.

Update the error message in GarbageCollectionIT to now be the generic
"maintain server not permitted".

Change-Id: I9458bd55fa1c9709557ae1ad95a57a1d968c52a3
2017-04-19 11:54:43 +02:00
David Pursehouse
eacabe9154 Merge changes from topic 'permission-backend'
* changes:
  Convert modifyAccount to PermissionBackend
  Convert maintainServer to PermissionBackend
  Convert viewQueue to PermissionBackend
2017-04-19 09:47:04 +00:00
Martin Fick
87df78a648 Merge "Allow plugins to output change query attributes"
2017-04-18 21:48:24 +00:00
Shawn Pearce
b168511335 Convert modifyAccount to PermissionBackend
Update a few test messages to reflect check throwing a generic
AuthException("modify account not permitted") instead of the
prior custom text.

Change-Id: Ie3ddd250289618a43d2708264863f2e850fd54cb
2017-04-18 10:28:00 +02:00
Shawn Pearce
a3efaba361 Convert maintainServer to PermissionBackend
Change-Id: I0b8bbd2df1f72f8e76b19b8baae01713403e628a
2017-04-18 10:28:00 +02:00
Shawn Pearce
53417fc605 Convert viewQueue to PermissionBackend
Change-Id: I993701da4a13275ade280674923a57c32cf145e6
2017-04-18 10:28:00 +02:00
Zac Livingston
cffb2459dc Allow plugins to output change query attributes
Create a ChangeAttributeFactory interface to allow
plugins to register to provide additional attributes to be
output in a change query result.

Example Usage:
    https://gerrit-review.googlesource.com/#/c/102650/

Change-Id: I4a09d9abd8bda09a3ecde7ca203434d6ab8ab7be
2017-04-17 09:43:43 -06:00
Shawn Pearce
7eb31de4e3 Partially convert accessDatabase to PermissionBackend
The accessDatabase check is complicated inside VisibleRefsFilter
so for now it continues to use canAccessDatabase().

Change-Id: Ia4202a7f1658868f4d5698a1cb1db6ccaf5a062e
2017-04-14 14:50:54 +09:00
Shawn Pearce
f49c2a87ab Convert runAs to PermissionBackend
Change-Id: Ia08189d864388b45c7f11b41cc835fda57d7e03d
2017-04-14 14:50:53 +09:00
Hugo Arès
7dab2eb4d3 Remove duplicated code in set-project ssh command
Call rest api PutConfig which is doing the same thing as set-project ssh command.

Change-Id: I66b6bd570b5392bc63a74b892df11e856671942f
2017-04-13 16:40:39 +09:00
David Pursehouse
9cb2deacef Merge branch 'stable-2.14'
* stable-2.14:
  Allow project owner to use set-project ssh command

Change-Id: Ib21223da17ab1e7f92512f47bef6816542887abc
2017-04-12 11:32:02 +09:00
David Pursehouse
82393f6a8f Merge branch 'stable-2.13' into stable-2.14
* stable-2.13:
  Allow project owner to use set-project ssh command

Change-Id: I221769284f34901c07f7eba645eb3367c20ee982
2017-04-12 10:51:51 +09:00
Hugo Arès
36cc6fcc92 Allow project owner to use set-project ssh command
REST API and UI allow project owner to change the project settings so
fix inconsistency by allowing the same in the ssh command.

Change-Id: I123007629db87c1df6162cb1e56fc51bacff9631
2017-04-11 21:15:54 -04:00
Martin Fick
a085ff9fdd Merge "Add a BeanParseListener interface to DynamicOptions."
2017-04-11 19:23:12 +00:00