On Mon, Jun 24, 2019 at 3:53 PM Tyler Cipriani tcipriani@wikimedia.org wrote:
Hi all!
tl;dr: Gerrit HTTP token auth has been re-enabled. To use it you'll need to generate a token via your preferences page[0].
Gerrit HTTP token auth was disabled in mid-March due to concerns about its implementation[1].
Thanks to the work of Paladox and Gerrit upstream in Gerrit 2.15.14[2] we've re-enabled HTTP token authentication.
I previously removed all HTTP auth tokens, so in order to use HTTP token auth you'll need to generate a fresh token via your preference page[0].
Your Lowly Gerrit Fiddler,
-- Tyler
[0]. https://gerrit.wikimedia.org/r/#/settings/http-password
[1]. https://phabricator.wikimedia.org/T218750
[2]. https://www.gerritcodereview.com/2.15.html#21514
Thank you for the update Tyler and thank you to everyone who worked to clear the security concerns with the feature.
I do not use it often, but being able to push patches to Gerrit from an untrusted location (like a project local Puppet master in a Cloud VPS project) with this workflow is pretty nice:
* Generate a fresh password at https://gerrit.wikimedia.org/r/#/settings/http-password
* Git push to gerrit over https with username/password auth
* Regenerate a password at https://gerrit.wikimedia.org/r/#/settings/http-password to invalidate the password that was exposed to the untrusted instance/network
Bryan
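
The push step of the workflow above, as an added example that is not part of the original thread: it hands the freshly generated password to git through GIT_ASKPASS and disables credential helpers, so the password is not written to the remote URL, .git/config or a credential store on the untrusted instance. The variable names GERRIT_USER and GERRIT_HTTP_PASSWORD, the function names and the `<project>` placeholder are assumptions.

```shell
#!/bin/sh
# Added example: one-off HTTPS push to Gerrit with a throwaway HTTP password.
# GERRIT_USER / GERRIT_HTTP_PASSWORD and both function names are assumptions.
# Both variables must be exported so the helper (a child of git) can read them.
# Read the password without echo instead of typing it on a command line:
#   stty -echo; read -r GERRIT_HTTP_PASSWORD; stty echo; export GERRIT_HTTP_PASSWORD

# Write a GIT_ASKPASS helper that answers git's prompts from the environment.
# git calls it with the prompt text ("Username for ...", "Password for ...")
# as its first argument and reads the answer from stdout.
make_askpass() {
    helper=$(mktemp) || return 1
    cat > "$helper" <<'EOF'
#!/bin/sh
case "$1" in
    Username*) printf '%s\n' "$GERRIT_USER" ;;
    Password*) printf '%s\n' "$GERRIT_HTTP_PASSWORD" ;;
esac
EOF
    chmod 700 "$helper"
    printf '%s\n' "$helper"
}

# push_once <https-remote-url> <refspec>
# e.g. push_once "https://gerrit.wikimedia.org/r/<project>" HEAD:refs/for/master
push_once() {
    askpass=$(make_askpass) || return 1
    # An empty credential.helper resets the helper list, so nothing caches
    # the password; GIT_TERMINAL_PROMPT=0 stops git falling back to a tty prompt.
    GIT_ASKPASS="$askpass" GIT_TERMINAL_PROMPT=0 \
        git -c credential.helper= push "$1" "$2"
    status=$?
    rm -f "$askpass"
    return "$status"
}
```

After the push, `unset GERRIT_HTTP_PASSWORD` and regenerate the password on the settings page as in the last step above.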