/ Administration

Gerrit/OpenID woes

I'm maintaining the gerrit instance on coreboot.org, and we encounter weird issues every now and then.

Many of them are related to its OpenID implementation. We use OpenID to avoid having to maintain another database full of login credentials, and shifting the nastier parts of account management (like storing passwords) elsewhere is a good thing for a server operation like ours without full-time staff maintaining it 24/7.

Today's issue was with a user whose OpenID provider shut down. One member of our community provides OpenID accounts for users that can't run a provider themselves (and aren't on Google, Yahoo! and the like), but it requires them hosting a web page somewhere which becomes their OpenID identifier.

One issue was that openid4java is rather strict on parsing the page - <body> came before </head> which is strictly wrong, but it only led to an unhelpful error message.

After fixing that, the other issue was getting back the old account (which contains the email address, which is blocked for new accounts). This was done with some minor gerrit database hackery:

$ ssh -p 29418 review.coreboot.org gerrit gsql
gerrit> insert into account_external_ids (account_id, external_id) (select account_id, 'http://example.net/new_openid' as external_id from account_external_ids where external_id='http://example.net/old_openid');
UPDATE 1; 1 ms
gerrit> \q
Patrick Georgi

Patrick Georgi

Von der Stadt aufs Land. Freund des retro computings und des inneren Exils. Die Gedanken sind frei. Dieses Recht findet seine Schranken in den Vorschriften der allgemeinen Gesetze.

Read More