ebeb15460c
Asciidoc may fail to render link attributes for external links supposed to open in a new window correctly. This change adds :linkattrs: to the beginning of such files to force parsing link attributes correctly. Bug: Issue 12068 Change-Id: If18be60de646ff78f672239dd4fa435fd4fd92ab
206 lines
7.6 KiB
Plaintext
206 lines
7.6 KiB
Plaintext
:linkattrs:
|
|
= Gerrit Code Review - Single Sign-On Security
|
|
|
|
Gerrit supports integration with some types of single sign-on
|
|
security solutions, making it possible for end-users to setup
|
|
and manage accounts, without administrator involvement.
|
|
|
|
== OpenID
|
|
|
|
By default a new Gerrit installation relies upon OpenID to perform
|
|
user authentication services. To enable OpenID, the auth.type
|
|
setting should be `OpenID`:
|
|
|
|
----
|
|
git config --file $site_path/etc/gerrit.config auth.type OpenID
|
|
----
|
|
|
|
As this is the default setting there is nothing required from the
|
|
site administrator to make use of the OpenID authentication services.
|
|
|
|
* http://openid.net/[openid.net,,role=external,window=_blank]
|
|
|
|
If Jetty is being used, you may need to increase the header
|
|
buffer size parameter, due to very long header lines.
|
|
Add the following to `$JETTY_HOME/etc/jetty.xml` under
|
|
`org.mortbay.jetty.nio.SelectChannelConnector`:
|
|
|
|
----
|
|
<Set name="headerBufferSize">16384</Set>
|
|
----
|
|
|
|
In order to use permissions beyond those granted to the
|
|
`Anonymous Users` and `Registered Users` groups, an account
|
|
must only have OpenIDs which match at least one pattern from the
|
|
`auth.trustedOpenID` list in `gerrit.config`. Patterns may be
|
|
either a
|
|
link:http://download.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html[standard
|
|
Java regular expression (java.util.regex),,role=external,window=_blank] (must start with `^`
|
|
and end with `$`) or be a simple prefix (any other string).
|
|
|
|
Out of the box Gerrit is configured to trust two patterns, which
|
|
will match any OpenID provider on the Internet:
|
|
|
|
* `http://` -- trust all OpenID providers using the HTTP protocol
|
|
* `https://` -- trust all OpenID providers using the HTTPS protocol
|
|
|
|
To trust only Yahoo!:
|
|
----
|
|
git config --file $site_path/etc/gerrit.config auth.trustedOpenID https://me.yahoo.com
|
|
----
|
|
|
|
=== Database Schema
|
|
|
|
User identities obtained from OpenID providers are stored as
|
|
link:config-accounts.html#external-ids[external IDs].
|
|
|
|
=== Multiple Identities
|
|
|
|
Users may link more than one OpenID identity to the same Gerrit account, making
|
|
it easier for their browser to sign in to Gerrit if they are frequently switching
|
|
between different unique OpenID accounts.
|
|
|
|
[WARNING]
|
|
Users wishing to link an alternative identity should *NOT* log in separately
|
|
with that identity. Doing so will result in a new account being created, and
|
|
subsequent attempts to link that account with the existing account will fail.
|
|
In cases where this happens, the administrator will need to manually merge the
|
|
accounts. See link:https://gerrit.googlesource.com/homepage/+/md-pages/docs/SqlMergeUserAccounts.md[
|
|
Merging Gerrit User Accounts,,role=external,window=_blank] on the Gerrit Wiki for details.
|
|
|
|
Linking another identity is also useful for users whose primary OpenID provider
|
|
shuts down. For example Google
|
|
link:https://developers.google.com/+/api/auth-migration[shut down their OpenID
|
|
service on 20th April 2015,,role=external,window=_blank]. Users who failed to add an alternative identity with
|
|
another OpenID provider before that date will end up with their account only having
|
|
a disabled Google identity. After creating a separate account with an alternative
|
|
provider, they will need to ask the administrator to merge the accounts using the
|
|
previously mentioned method.
|
|
|
|
To link another identity to an existing account:
|
|
|
|
* Login with the existing account
|
|
* Select menu Settings -> Identities
|
|
* Click the 'Link Another Identity' button
|
|
* Select the OpenID provider for the other identity
|
|
* Authenticate with the other identity
|
|
|
|
Login using the other identity can only be performed after the linking is
|
|
successful.
|
|
|
|
== HTTP Basic Authentication
|
|
|
|
When using HTTP authentication, Gerrit assumes that the servlet
|
|
container or the frontend web server has performed all user
|
|
authentication prior to handing the request off to Gerrit.
|
|
|
|
As a result of this assumption, Gerrit can assume that any and
|
|
all requests have already been authenticated. The "Sign In" and
|
|
"Sign Out" links are therefore not displayed in the web UI.
|
|
|
|
To enable this form of authentication:
|
|
|
|
----
|
|
git config --file $site_path/etc/gerrit.config auth.type HTTP
|
|
git config --file $site_path/etc/gerrit.config --unset auth.httpHeader
|
|
git config --file $site_path/etc/gerrit.config auth.emailFormat '{0}@example.com'
|
|
----
|
|
|
|
The auth.type must always be HTTP, indicating the user identity
|
|
will be obtained from the HTTP authorization data.
|
|
|
|
The auth.httpHeader must always be unset. If set to any value
|
|
(including `Authorization`) then Gerrit won't correctly honor the
|
|
standard `Authorization` HTTP header.
|
|
|
|
The auth.emailFormat field ('optional') sets the preferred email
|
|
address during first login. Gerrit will replace `{0}` with the
|
|
username, as obtained from the Authorization header. A format such
|
|
as shown in the example would be typical, to add the domain name
|
|
of the organization.
|
|
|
|
If Apache HTTPd is being used as the primary web server and the
|
|
Apache server will be handling user authentication, a configuration
|
|
such as the following is recommended to ensure Apache performs the
|
|
authentication at the proper time:
|
|
|
|
----
|
|
<Location "/login/">
|
|
AuthType Basic
|
|
AuthName "Gerrit Code Review"
|
|
Require valid-user
|
|
...
|
|
</Location>
|
|
----
|
|
|
|
=== Database Schema
|
|
|
|
User identities are stored as
|
|
link:config-accounts.html#external-ids[external IDs] with "gerrit" as
|
|
scheme. The user string obtained from the authorization header is
|
|
stored as ID of the external ID.
|
|
|
|
|
|
== Computer Associates Siteminder
|
|
|
|
Siteminder is a commercial single sign on solution marketed by
|
|
Computer Associates. It is very common in larger enterprise
|
|
environments.
|
|
|
|
When using Siteminder, Gerrit assumes it has been installed in a
|
|
servlet container which is running behind an Apache web server,
|
|
and that the Siteminder authentication module has been configured
|
|
within Apache to protect the entire Gerrit application. In this
|
|
configuration all users must authenticate with Siteminder before
|
|
they can access any resource on Gerrit.
|
|
|
|
As a result of this assumption, Gerrit can assume that any and
|
|
all requests have already been authenticated. The "Sign In" and
|
|
"Sign Out" links are therefore not displayed in the web UI.
|
|
|
|
To enable this form of authentication:
|
|
|
|
----
|
|
git config --file $site_path/etc/gerrit.config auth.type HTTP
|
|
git config --file $site_path/etc/gerrit.config auth.httpHeader SM_USER
|
|
git config --file $site_path/etc/gerrit.config auth.emailFormat '{0}@example.com'
|
|
----
|
|
|
|
The auth.type must always be HTTP, indicating the user identity
|
|
will be obtained from the HTTP authorization data.
|
|
|
|
The auth.httpHeader indicates in which HTTP header field the Siteminder
|
|
product has stored the username. Usually this is "SM_USER", but
|
|
may differ in your environment. Please refer to your organization's
|
|
single sign-on or security group to ensure the setting is correct.
|
|
|
|
The auth.emailFormat field ('optional') sets the user's preferred
|
|
email address when they first login. Gerrit will replace `{0}`
|
|
with the username, as supplied by Siteminder. A format such as
|
|
shown in the example would be typical, to add the domain name of
|
|
the organization.
|
|
|
|
If Jetty is being used, you may need to increase the header
|
|
buffer size parameter, due to very long header lines.
|
|
Add the following to `$JETTY_HOME/etc/jetty.xml` under
|
|
`org.mortbay.jetty.nio.SelectChannelConnector`:
|
|
|
|
----
|
|
<Set name="headerBufferSize">16384</Set>
|
|
----
|
|
|
|
|
|
=== Database Schema
|
|
|
|
User identities are stored as
|
|
link:config-accounts.html#external-ids[external IDs] with "gerrit" as
|
|
scheme. The user string obtained from Siteminder (e.g. the value in the
|
|
"SM_USER" HTTP header) is stored as ID in the external ID.
|
|
|
|
GERRIT
|
|
------
|
|
Part of link:index.html[Gerrit Code Review]
|
|
|
|
SEARCHBOX
|
|
---------
|