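              Integrating Gerrit with an OpenLDAP Server

                                         Author: Yin Zhengjie (尹正杰)

    Copyright notice: this is an original work; reproduction is not permitted and violations will be pursued legally.

    I. Install the LDAP server

      For details, see: https://www.cnblogs.com/yinzhengjie/p/11020700.html

     

    II. Install Gerrit with LDAP authentication (we previously demonstrated the "development_become_any_account" authentication method)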

    [gerrit@node201.yinzhengjie.org.cn ~/soft]$  java -jar gerrit-2.15.14.war init
    Using secure store: com.google.gerrit.server.securestore.DefaultSecureStore
    
    *** Gerrit Code Review 2.15.14
    *** 
    
    
    *** Git Repositories
    *** 
    
    Location of Git repositories   [git]: 
    
    *** SQL Database
    *** 
    
    Database server type           [mysql]: 
    Server hostname                [node201.yinzhengjie.org.cn]: 
    Server port                    [3306]: 
    Database name                  [gerrit]: 
    Database username              [gerrit]: 
    Change gerrit's password       [y/N]? n
    
    *** Index
    *** 
    
    Type                           [lucene/?]: 
    
    The index must be rebuilt before starting Gerrit:
      java -jar gerrit.war reindex -d site_path
    
    *** User Authentication
    *** 
    
    Authentication method          [development_become_any_account/?]: ?
           Supported options are:
             openid
             openid_sso
             http
             http_ldap
             client_ssl_cert_ldap
             ldap
             ldap_bind
             custom_extension
             development_become_any_account
             oauth
    Authentication method          [development_become_any_account/?]: ldap
    Git/HTTP authentication        [http/?]: 
    LDAP server                    [ldap://localhost]: ldap://node202.yinzhengjie.org.cn:389              # Address of the LDAP server
    LDAP username                  : cn=Manager,dc=yinzhengjie,dc=org,dc=cn                        # LDAP username to bind as
    cn=Manager,dc=yinzhengjie,dc=org,dc=cn's password :                                     # Enter the password for logging in to LDAP
                  confirm password : 
    Account BaseDN                 [DC=yinzhengjie,DC=org,DC=cn:389]: ou=People,dc=yinzhengjie,dc=org,dc=cn      # LDAP path of the users we authenticate
    Group BaseDN                   [ou=People,dc=yinzhengjie,dc=org,dc=cn]: ou=Group,dc=yinzhengjie,dc=org,dc=cn   # LDAP path of the groups of the users we authenticate
    Enable signed push support     [y/N]? n
    
    *** Email Delivery
    *** 
    
    SMTP server hostname           [smtp.qq.com]: 
    SMTP server port               [465]: 
    SMTP encryption                [ssl/?]: 
    SMTP username                  [y1053419035@qq.com]: 
    Change y1053419035@qq.com's password [y/N]? n
    
    *** Container Process
    *** 
    
    Run as                         [gerrit]: 
    Java runtime                   [/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el7_6.x86_64/jre]: 
    Upgrade ./bin/gerrit.war       [Y/n]? n
    
    *** SSH Daemon
    *** 
    
    Listen on address              [node201.yinzhengjie.org.cn]: 
    Listen on port                 [29418]: 
    
    *** HTTP Daemon
    *** 
    
    Behind reverse proxy           [y/N]? n
    Use SSL (https://)             [y/N]? n
    Listen on address              [node201.yinzhengjie.org.cn]: 
    Listen on port                 [8080]: 
    Canonical URL                  [http://172.30.1.201:8080]: 
    
    *** Cache
    *** 
    
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff_summary.lock.db [y/N]? y        # Delete the previous cache files
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff_summary.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/change_kind.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/change_kind.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/mergeability.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/mergeability.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/conflicts.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/conflicts.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff_intraline.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff_intraline.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/oauth_tokens.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/oauth_tokens.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/git_tags.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/git_tags.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/web_sessions.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/web_sessions.h2.db [y/N]? y
    
    *** Plugins
    *** 
    
    Installing plugins.
    Install plugin commit-message-length-validator version v2.15.14 [Y/n]? y          # Install the plugin, but do not overwrite the existing copy
    commit-message-length-validator v2.15.14 is already installed, overwrite it [Y/n]? n
    Install plugin download-commands version v2.15.14 [Y/n]? y
    download-commands v2.15.14 is already installed, overwrite it [Y/n]? n
    Install plugin hooks version v2.15.14 [Y/n]? y
    hooks v2.15.14 is already installed, overwrite it [Y/n]? n
    Install plugin replication version v2.15.14 [Y/n]? y
    replication v2.15.14 is already installed, overwrite it [Y/n]? n
    Install plugin reviewnotes version v2.15.14 [Y/n]? y
    reviewnotes v2.15.14 is already installed, overwrite it [Y/n]? n
    Install plugin singleusergroup version v2.15.14 [Y/n]? y
    singleusergroup v2.15.14 is already installed, overwrite it [Y/n]? n
    Initializing plugins.
    
    *** Experimental features
    *** 
    
    Enable any experimental features [y/N]? y
    Default to PolyGerrit UI       [Y/n]? y
    Enable GWT UI                  [Y/n]? y
    
    Tue Jun 18 04:57:05 EDT 2019 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
    Tue Jun 18 04:57:06 EDT 2019 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
    Initialized /yinzhengjie/softwares/gerrit/soft
    [gerrit@node201.yinzhengjie.org.cn ~/soft]$ 
    [gerrit@node201.yinzhengjie.org.cn ~/soft]$ 

    III. Start the Gerrit service

    1>. Start the Gerrit service (don't forget to start the MySQL database first)

    [gerrit@node201.yinzhengjie.org.cn ~/soft]$ ./bin/gerrit.sh start
    Starting Gerrit Code Review: WARNING: Could not adjust Gerrit's process for the kernel's out-of-memory killer.
             This may be caused by ./bin/gerrit.sh not being run as root.
             Consider changing the OOM score adjustment manually for Gerrit's PID=21559 with e.g.:
             echo '-1000' | sudo tee /proc/21559/oom_score_adj
    OK
    [gerrit@node201.yinzhengjie.org.cn ~/soft]$ 

    2>. Check the listening ports

    [gerrit@node201.yinzhengjie.org.cn ~/soft]$ ss -ntl
    State       Recv-Q Send-Q                                                    Local Address:Port                                                                   Peer Address:Port              
    LISTEN      0      50                                                         172.30.1.201:29418                                                                             *:*                  
    LISTEN      0      50                                                         172.30.1.201:8080                                                                              *:*                  
    LISTEN      0      128                                                                   *:22                                                                                *:*                  
    LISTEN      0      100                                                           127.0.0.1:25                                                                                *:*                  
    LISTEN      0      80                                                                   :::3306                                                                             :::*                  
    LISTEN      0      128                                                                  :::22                                                                               :::*                  
    [gerrit@node201.yinzhengjie.org.cn ~/soft]$ 

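    3>. Open Gerrit's web UI (http://node201.yinzhengjie.org.cn:8080/q/status:open)

    4>. Enter the username and password of a user created in LDAP (if the user or password you enter does not exist, the login fails and the server writes an error log entry; use the error messages in the log to resolve the problem)

    [gerrit@node201.yinzhengjie.org.cn ~/soft/logs]$ tail -100f error_log       # After a successful login, the log shows entries like the following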
    ......
    
    [2019-06-18 05:15:28,761] [HTTP-67] INFO  com.googlesource.gerrit.plugins.hooks.HookFactory : hooks.path: /yinzhengjie/softwares/gerrit/soft/hooks
    [2019-06-18 05:15:28,762] [HTTP-67] INFO  com.googlesource.gerrit.plugins.hooks.HookFactory : hooks.refUpdatedHook resolved to /yinzhengjie/softwares/gerrit/soft/hooks/ref-updated
    [2019-06-18 05:15:28,962] [HTTP-67] INFO  com.google.gerrit.server.account.ChangeUserName : Created the new external Id with key: username:jason

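    5>. Login succeeds

     

    IV. Grant permissions to the account

    1>. Click Settings; you will find that jason does not have administrator privileges

    2>. Authenticate using "development_become_any_account", then add the jason user to the administrators

    3>. Click Settings

    4>. Open the Administrators group

    5>. Search for the user and add it to the Administrators group

    6>. The jason user has been added to the administrators successfully

    7>. Change the authentication mode from "development_become_any_account" back to "ldap" by editing the configuration file "/yinzhengjie/softwares/gerrit/soft/etc/gerrit.config"

    8>. Log in again as the Jason user and click Settings

    9>. Click Groups

    10>. Jason now has the Administrators group's permissions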
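
    Steps 2 and 7 switch auth.type in etc/gerrit.config between "development_become_any_account" and "ldap". The script below is an added example, not part of the original post: it reads a gerrit.config and reports three settings from this walkthrough that should not remain on a production server (auth.type left at development_become_any_account, an unencrypted ldap:// server URL without ldap.startTls, and an http:// listenUrl). The function names and the sample config are constructed for illustration; the sample values follow the init answers shown above.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit a Gerrit etc/gerrit.config.

# cfg_get FILE SECTION KEY: print the last value of KEY inside [SECTION].
cfg_get() {
  awk -v sec="$2" -v key="$3" '
    /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                  cur = tolower(s); next }
    cur == tolower(sec) {
      eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (tolower(k) == tolower(key)) val = v
    }
    END { print val }' "$1"
}

# audit_gerrit_config FILE: print findings; return non-zero if there are any.
audit_gerrit_config() {
  local cfg="$1" n=0 auth server starttls listen
  auth=$(cfg_get "$cfg" auth type | tr '[:upper:]' '[:lower:]')
  server=$(cfg_get "$cfg" ldap server)
  starttls=$(cfg_get "$cfg" ldap startTls | tr '[:upper:]' '[:lower:]')
  listen=$(cfg_get "$cfg" httpd listenUrl)
  if [ "$auth" = "development_become_any_account" ]; then
    echo "FAIL auth.type=$auth: any visitor can sign in as any account"; n=$((n + 1))
  fi
  case "$server" in ldap://*)
    if [ "$starttls" != "true" ]; then
      echo "WARN ldap.server=$server: LDAP binds are not encrypted"; n=$((n + 1))
    fi ;;
  esac
  case "$listen" in http://*)
    echo "WARN httpd.listenUrl=$listen: passwords reach Gerrit over plain HTTP"; n=$((n + 1)) ;;
  esac
  echo "$n finding(s)"
  [ "$n" -eq 0 ]
}

# Constructed sample in the section/key layout of gerrit.config (not a real site's file).
sample_config() {  # args: auth.type, ldap.server, httpd.listenUrl
  printf '[auth]\n\ttype = %s\n[ldap]\n\tserver = %s\n[httpd]\n\tlistenUrl = %s\n' "$1" "$2" "$3"
}

tmp=$(mktemp)
sample_config LDAP ldap://node202.yinzhengjie.org.cn:389 http://node201.yinzhengjie.org.cn:8080/ > "$tmp"
audit_gerrit_config "$tmp" || true   # the walkthrough's final state: 2 findings
rm -f "$tmp"
```

    Run it after step 7 against the site's own etc/gerrit.config to confirm the development authentication mode is no longer active.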

  • Original article: https://www.cnblogs.com/yinzhengjie/p/11029559.html