Hi all!
tl;dr: Gerrit HTTP token auth has been re-enabled. To use it you'll need to generate a token via your preferences page[0].
Gerrit HTTP token auth was disabled in mid-March due to concerns about its implementation[1].
Thanks to the work of Paladox and Gerrit upstream in Gerrit 2.15.14[2] we've re-enabled HTTP token authentication.
I previously removed all HTTP auth tokens, so in order to use HTTP token auth you'll need to generate a fresh token via your preference page[0].
Your Lowly Gerrit Fiddler, -- Tyler
[0]. https://gerrit.wikimedia.org/r/#/settings/http-password
[1]. https://phabricator.wikimedia.org/T218750
[2]. https://www.gerritcodereview.com/2.15.html#21514
Thank you for the update Tyler and thank you to everyone who worked to clear the security concerns with the feature.
I do not use it often, but being able to push patches to Gerrit from an untrusted location (like a project local Puppet master in a Cloud VPS project) with this workflow is pretty nice:
- Generate a fresh password at https://gerrit.wikimedia.org/r/#/settings/http-password
- Git push to gerrit over https with username/password auth
- Regenerate a password at https://gerrit.wikimedia.org/r/#/settings/http-password to invalidate the password that was exposed to the untrusted instance/network
Bryan
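The push step of the workflow above, as an added example that is not part of the thread: the throwaway HTTP password is handed to git from the environment through a one-shot credential helper, so it is never written to `.git/config`, a credential store, or the remote URL on the untrusted host. The variable and function names, the project path and the branch arguments are assumptions; `refs/for/<branch>` is Gerrit's usual review ref.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: GERRIT_USER,
# GERRIT_HTTP_PASSWORD, gerrit_git, gerrit_push, gerrit_show_credential.
# Export both variables before use; the helper runs as a child of git.

# One-shot helper: answers git's "get" request from the environment and
# ignores "store"/"erase", so nothing is persisted after the push.
GERRIT_HELPER='!f() { test "$1" = get || exit 0; echo "username=$GERRIT_USER"; echo "password=$GERRIT_HTTP_PASSWORD"; }; f'

# Run git with any configured credential helpers cleared (the empty value
# resets the list) and only the one-shot helper active. Prompting is disabled
# so a missing variable fails instead of asking on the terminal.
gerrit_git() {
    GIT_TERMINAL_PROMPT=0 git \
        -c credential.helper= \
        -c credential.helper="$GERRIT_HELPER" \
        "$@"
}

# Push HEAD for review.
#   $1 = project path on the Gerrit server (placeholder, supplied by caller)
#   $2 = target branch
gerrit_push() {
    gerrit_git push "https://gerrit.wikimedia.org/r/$1" "HEAD:refs/for/$2"
}

# Offline check: ask git which credential it would present to the Gerrit
# host, without contacting the network.
gerrit_show_credential() {
    printf 'protocol=https\nhost=gerrit.wikimedia.org\n\n' |
        gerrit_git credential fill
}
```

Set the two variables without putting the password on a command line that lands in shell history, `unset` them after the push, and then regenerate the password as in the last step of the workflow.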
Echoing Bryan, thanks for the hard work once again paladox and releng; your work does not go unnoticed. Keep it up!
-- Devin “Zppix” CCENT
Volunteer Wikimedia Developer
Africa Wikimedia Developers Member and Mentor
Volunteer Mozilla Support Team Member (SUMO)
Quora.com Partner Program Member
enwp.org/User:Zppix
**Note: I do not work for Wikimedia Foundation, or any of its chapters. I also do not work for Mozilla, or any of its projects.**
I spoke too soon :(
Frustratingly, Gerrit 2.15.14 exacerbated an existing bug[0] to the extent that I feel like we have no choice but to roll back to 2.15.13.
I have re-disabled HTTP token auth for the time being.
Apologies for the false hope, -- Tyler
[0]. https://phabricator.wikimedia.org/T224448