Integrating Gerrit with an OpenLDAP Server


                                     Author: 尹正傑

Copyright notice: this is an original work and may not be reproduced. Legal liability will be pursued otherwise.

 

 

 

 

I. Install the LDAP server

  For details, see: https://www.cnblogs.com/yinzhengjie/p/11020700.html

 

 

II. Install Gerrit with LDAP authentication (our earlier demonstration used the "development_become_any_account" authentication method)

[gerrit@node201.yinzhengjie.org.cn ~/soft]$  java -jar gerrit-2.15.14.war init
Using secure store: com.google.gerrit.server.securestore.DefaultSecureStore

*** Gerrit Code Review 2.15.14
*** 


*** Git Repositories
*** 

Location of Git repositories   [git]: 

*** SQL Database
*** 

Database server type           [mysql]: 
Server hostname                [node201.yinzhengjie.org.cn]: 
Server port                    [3306]: 
Database name                  [gerrit]: 
Database username              [gerrit]: 
Change gerrit's password       [y/N]? n

*** Index
*** 

Type                           [lucene/?]: 

The index must be rebuilt before starting Gerrit:
  java -jar gerrit.war reindex -d site_path

*** User Authentication
*** 

Authentication method          [development_become_any_account/?]: ?
       Supported options are:
         openid
         openid_sso
         http
         http_ldap
         client_ssl_cert_ldap
         ldap
         ldap_bind
         custom_extension
         development_become_any_account
         oauth
Authentication method          [development_become_any_account/?]: ldap
Git/HTTP authentication        [http/?]: 
LDAP server                    [ldap://localhost]: ldap://node202.yinzhengjie.org.cn:389              # address of the LDAP server
LDAP username                  : cn=Manager,dc=yinzhengjie,dc=org,dc=cn                        # LDAP user name
cn=Manager,dc=yinzhengjie,dc=org,dc=cn's password :                                     # enter the password used to log in to LDAP
              confirm password : 
Account BaseDN                 [DC=yinzhengjie,DC=org,DC=cn:389]: ou=People,dc=yinzhengjie,dc=org,dc=cn      # LDAP path of the users we authenticate
Group BaseDN                   [ou=People,dc=yinzhengjie,dc=org,dc=cn]: ou=Group,dc=yinzhengjie,dc=org,dc=cn   # LDAP path of the user groups we authenticate
Enable signed push support     [y/N]? n

*** Email Delivery
*** 

SMTP server hostname           [smtp.qq.com]: 
SMTP server port               [465]: 
SMTP encryption                [ssl/?]: 
SMTP username                  [y1053419035@qq.com]: 
Change y1053419035@qq.com's password [y/N]? n

*** Container Process
*** 

Run as                         [gerrit]: 
Java runtime                   [/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el7_6.x86_64/jre]: 
Upgrade ./bin/gerrit.war       [Y/n]? n

*** SSH Daemon
*** 

Listen on address              [node201.yinzhengjie.org.cn]: 
Listen on port                 [29418]: 

*** HTTP Daemon
*** 

Behind reverse proxy           [y/N]? n
Use SSL (https://)             [y/N]? n
Listen on address              [node201.yinzhengjie.org.cn]: 
Listen on port                 [8080]: 
Canonical URL                  [http://172.30.1.201:8080]: 

*** Cache
*** 

Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff_summary.lock.db [y/N]? y        # delete the previous cache files
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff_summary.h2.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/change_kind.lock.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/change_kind.h2.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/mergeability.lock.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/mergeability.h2.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/conflicts.lock.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/conflicts.h2.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff_intraline.lock.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff_intraline.h2.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff.lock.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff.h2.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/oauth_tokens.lock.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/oauth_tokens.h2.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/git_tags.lock.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/git_tags.h2.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/web_sessions.lock.db [y/N]? y
Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/web_sessions.h2.db [y/N]? y

*** Plugins
*** 

Installing plugins.
Install plugin commit-message-length-validator version v2.15.14 [Y/n]? y          # install the plugins but do not overwrite the existing ones
commit-message-length-validator v2.15.14 is already installed, overwrite it [Y/n]? n
Install plugin download-commands version v2.15.14 [Y/n]? y
download-commands v2.15.14 is already installed, overwrite it [Y/n]? n
Install plugin hooks version v2.15.14 [Y/n]? y
hooks v2.15.14 is already installed, overwrite it [Y/n]? n
Install plugin replication version v2.15.14 [Y/n]? y
replication v2.15.14 is already installed, overwrite it [Y/n]? n
Install plugin reviewnotes version v2.15.14 [Y/n]? y
reviewnotes v2.15.14 is already installed, overwrite it [Y/n]? n
Install plugin singleusergroup version v2.15.14 [Y/n]? y
singleusergroup v2.15.14 is already installed, overwrite it [Y/n]? n
Initializing plugins.

*** Experimental features
*** 

Enable any experimental features [y/N]? y
Default to PolyGerrit UI       [Y/n]? y
Enable GWT UI                  [Y/n]? y

Tue Jun 18 04:57:05 EDT 2019 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
Tue Jun 18 04:57:06 EDT 2019 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
Initialized /yinzhengjie/softwares/gerrit/soft
[gerrit@node201.yinzhengjie.org.cn ~/soft]$ 
[gerrit@node201.yinzhengjie.org.cn ~/soft]$ 

 

III. Start the Gerrit service

1>. Start the Gerrit service (don't forget to start the MySQL database first)

[gerrit@node201.yinzhengjie.org.cn ~/soft]$ ./bin/gerrit.sh start
Starting Gerrit Code Review: WARNING: Could not adjust Gerrit's process for the kernel's out-of-memory killer.
         This may be caused by ./bin/gerrit.sh not being run as root.
         Consider changing the OOM score adjustment manually for Gerrit's PID=21559 with e.g.:
         echo '-1000' | sudo tee /proc/21559/oom_score_adj
OK
[gerrit@node201.yinzhengjie.org.cn ~/soft]$ 

2>. Check the listening ports

[gerrit@node201.yinzhengjie.org.cn ~/soft]$ ss -ntl
State       Recv-Q Send-Q                                                    Local Address:Port                                                                   Peer Address:Port              
LISTEN      0      50                                                         172.30.1.201:29418                                                                             *:*                  
LISTEN      0      50                                                         172.30.1.201:8080                                                                              *:*                  
LISTEN      0      128                                                                   *:22                                                                                *:*                  
LISTEN      0      100                                                           127.0.0.1:25                                                                                *:*                  
LISTEN      0      80                                                                   :::3306                                                                             :::*                  
LISTEN      0      128                                                                  :::22                                                                               :::*                  
[gerrit@node201.yinzhengjie.org.cn ~/soft]$ 

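3>. Open the Gerrit web UI (http://node201.yinzhengjie.org.cn:8080/q/status:open)

4>. Enter the user name and password created in LDAP (if the user and password you enter do not exist, the login fails and the server also writes an error log; use the error messages in the log to resolve the problem)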

 

[gerrit@node201.yinzhengjie.org.cn ~/soft/logs]$ tail -100f error_log       # after a successful login, the following entries appear in the log
......

[2019-06-18 05:15:28,761] [HTTP-67] INFO  com.googlesource.gerrit.plugins.hooks.HookFactory : hooks.path: /yinzhengjie/softwares/gerrit/soft/hooks
[2019-06-18 05:15:28,762] [HTTP-67] INFO  com.googlesource.gerrit.plugins.hooks.HookFactory : hooks.refUpdatedHook resolved to /yinzhengjie/softwares/gerrit/soft/hooks/ref-updated
[2019-06-18 05:15:28,962] [HTTP-67] INFO  com.google.gerrit.server.account.ChangeUserName : Created the new external Id with key: username:jason

 

5>. Login succeeded

 

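IV. Authorize the account

1>. Click Settings; you will find that jason does not have administrator privileges

2>. Authenticate using "development_become_any_account", then add the jason user to the administrators

3>. Click Settings

4>. Open the Administrators group

5>. Search for the user and add it to the Administrators group

6>. The jason user has been added to the administrators successfully

7>. Change the authentication mode from "development_become_any_account" back to "ldap" by editing the configuration file "/yinzhengjie/softwares/gerrit/soft/etc/gerrit.config"

8>. Log in again as Jason and click Settings

9>. Click Groups

10>. Jason now has the Administrators group's privileges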
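
Step 7 changes the authentication mode by hand. As an added example (not part of the original post), the script below reads gerrit.config and reports whether the site is still in DEVELOPMENT_BECOME_ANY_ACCOUNT mode, or reaches LDAP and browsers without TLS. The sample file is constructed from the init answers shown in section II; the keys auth.type, ldap.server, ldap.startTls and httpd.listenUrl are Gerrit settings, while the function names are made up for this example.

```shell
#!/bin/sh
# cfg_get FILE SECTION KEY: print the last value of SECTION.KEY (git-config style file).
cfg_get() {
  awk -v sec="$2" -v key="$3" '
    /^[ \t]*\[/ { s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s); insec = (tolower(s) == tolower(sec)); next }
    insec && (n = index($0, "=")) {
      k = substr($0, 1, n - 1); v = substr($0, n + 1)
      gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (tolower(k) == tolower(key)) val = v
    }
    END { print val }' "$1"
}

# write_sample_config FILE AUTH_TYPE: constructed sample, values taken from the init answers.
write_sample_config() {
  cat > "$1" <<EOF
[auth]
  type = $2
[ldap]
  server = ldap://node202.yinzhengjie.org.cn:389
  username = cn=Manager,dc=yinzhengjie,dc=org,dc=cn
  accountBase = ou=People,dc=yinzhengjie,dc=org,dc=cn
  groupBase = ou=Group,dc=yinzhengjie,dc=org,dc=cn
[httpd]
  listenUrl = http://node201.yinzhengjie.org.cn:8080/
EOF
}

# audit_gerrit_auth FILE: print one finding per line; no output means nothing was flagged.
audit_gerrit_auth() {
  auth=$(cfg_get "$1" auth type | tr '[:lower:]' '[:upper:]')
  server=$(cfg_get "$1" ldap server)
  starttls=$(cfg_get "$1" ldap startTls)
  listen=$(cfg_get "$1" httpd listenUrl)
  case $auth in
    DEVELOPMENT_BECOME_ANY_ACCOUNT)
      echo "auth.type: $auth lets any visitor become any account; set it back to LDAP" ;;
    LDAP|LDAP_BIND|HTTP_LDAP|CLIENT_SSL_CERT_LDAP)
      case $server in
        ldaps://*) ;;
        *) [ "$starttls" = true ] || echo "ldap.server: $server without ldap.startTls sends bind passwords unencrypted" ;;
      esac ;;
    *) echo "auth.type: '$auth' is not an LDAP mode" ;;
  esac
  case $listen in http://*) echo "httpd.listenUrl: $listen serves the login form over plain HTTP" ;; esac
  return 0
}

# Demo on the constructed sample, in the state the site is in between steps 2 and 7.
t=$(mktemp); write_sample_config "$t" DEVELOPMENT_BECOME_ANY_ACCOUNT; audit_gerrit_auth "$t"; rm -f "$t"
```

On a real site, pass audit_gerrit_auth the path to etc/gerrit.config under the site directory. The LDAP bind password is stored in etc/secure.config and is not read here.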
