On Mon, Jun 24, 2019 at 3:53 PM Tyler Cipriani <tcipriani(a)wikimedia.org> wrote:
> Hi all!
>
> tl;dr: Gerrit HTTP token auth has been re-enabled. To use it you'll need to
> generate a token via your preferences page[0].
>
> Gerrit HTTP token auth was disabled in mid-March due to concerns about its
> implementation[1].
>
> Thanks to the work of Paladox and Gerrit upstream in Gerrit 2.15.14[2] we've
> re-enabled HTTP token authentication.
>
> I previously removed all HTTP auth tokens, so in order to use HTTP token auth
> you'll need to generate a fresh token via your preference page[0].
>
> Your Lowly Gerrit Fiddler,
> -- Tyler
>
> [0]. <https://gerrit.wikimedia.org/r/#/settings/http-password>
> [1]. <https://phabricator.wikimedia.org/T218750>
> [2]. <https://www.gerritcodereview.com/2.15.html#21514>

Thank you for the update Tyler and thank you to everyone who worked to
clear the security concerns with the feature.
I do not use it often, but being able to push patches to Gerrit from
an untrusted location (like a project local Puppet master in a Cloud
VPS project) with this workflow is pretty nice:
* Generate a fresh password at
https://gerrit.wikimedia.org/r/#/settings/http-password
* Git push to gerrit over https with username/password auth
* Regenerate a password at
https://gerrit.wikimedia.org/r/#/settings/http-password to invalidate
the password that was exposed to the untrusted instance/network
Bryan
--
Bryan Davis Wikimedia Foundation <bd808(a)wikimedia.org>
[[m:User:BDavis_(WMF)]] Manager, Technical Engagement Boise, ID USA
irc: bd808 v:415.839.6885 x6855
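
The following shell functions are an added example, not part of either message or of Gerrit itself. `push_once` covers the push step of the workflow above with git's credential helpers disabled, so the generated password is prompted for rather than saved, and `find_stored_creds` checks the checkout and home directory on the untrusted host for a leftover copy. The function names are assumptions; the remote URL and refspec are supplied by the caller.

```shell
#!/bin/sh
# Added example: function names and paths are assumptions, not from the thread.
GERRIT_HOST=gerrit.wikimedia.org

# Push once with all credential helpers disabled for this command, so git
# prompts for the username and generated HTTP password and stores neither.
# Usage: push_once <https-remote-url> <refspec>
push_once() {
    git -c credential.helper= push "$1" "$2"
}

# Scan a checkout and a home directory for places where the HTTP password
# could have been persisted. Prints one finding per line; returns 1 if any.
# This is a plain-text scan of the usual files, not a full git config parse.
# Usage: find_stored_creds <repo-dir> [home-dir]
find_stored_creds() {
    repo=$1
    home=${2:-$HOME}
    found=0
    for cfg in "$repo/.git/config" "$home/.gitconfig"; do
        [ -f "$cfg" ] || continue
        # Remote URL of the form https://user:secret@host/...
        if grep -Eq "url[[:space:]]*=[[:space:]]*https?://[^/@:[:space:]]+:[^/@[:space:]]+@" "$cfg"; then
            echo "$cfg: password embedded in a remote URL"
            found=1
        fi
        # The 'store' helper writes credentials to disk in plaintext.
        if grep -Eq "^[[:space:]]*helper[[:space:]]*=[[:space:]]*store" "$cfg"; then
            echo "$cfg: credential.helper=store is configured"
            found=1
        fi
    done
    # Default file used by the 'store' helper.
    if [ -f "$home/.git-credentials" ] && grep -q "@$GERRIT_HOST" "$home/.git-credentials"; then
        echo "$home/.git-credentials: entry for $GERRIT_HOST"
        found=1
    fi
    return "$found"
}
```

A clean result from `find_stored_creds` does not replace the final step of the workflow: the password was still typed on the untrusted host, so it is regenerated afterwards either way.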