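Integrating Gerrit with an OpenLDAP Server
Author: Yin Zhengjie (尹正傑)
Copyright notice: original work, reproduction is not permitted; violators will be held legally liable.
I. Install the LDAP server
For details, see: https://www.cnblogs.com/yinzhengjie/p/11020700.html
II. Install Gerrit with LDAP authentication (our earlier demonstration used the "development_become_any_account" authentication method)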
    [gerrit@node201.yinzhengjie.org.cn ~/soft]$ java -jar gerrit-2.15.14.war init
    Using secure store: com.google.gerrit.server.securestore.DefaultSecureStore

    *** Gerrit Code Review 2.15.14
    ***

    *** Git Repositories
    ***
    Location of Git repositories [git]:

    *** SQL Database
    ***
    Database server type [mysql]:
    Server hostname [node201.yinzhengjie.org.cn]:
    Server port [3306]:
    Database name [gerrit]:
    Database username [gerrit]:
    Change gerrit's password [y/N]? n

    *** Index
    ***
    Type [lucene/?]:
    The index must be rebuilt before starting Gerrit:
      java -jar gerrit.war reindex -d site_path

    *** User Authentication
    ***
    Authentication method [development_become_any_account/?]: ?
    Supported options are:
      openid
      openid_sso
      http
      http_ldap
      client_ssl_cert_ldap
      ldap
      ldap_bind
      custom_extension
      development_become_any_account
      oauth
    Authentication method [development_become_any_account/?]: ldap
    Git/HTTP authentication [http/?]:
    LDAP server [ldap://localhost]: ldap://node202.yinzhengjie.org.cn:389    # address of the LDAP server
    LDAP username : cn=Manager,dc=yinzhengjie,dc=org,dc=cn    # LDAP user name (bind DN)
    cn=Manager,dc=yinzhengjie,dc=org,dc=cn's password :    # enter the password used to log in to LDAP
    confirm password :
    Account BaseDN [DC=yinzhengjie,DC=org,DC=cn:389]: ou=People,dc=yinzhengjie,dc=org,dc=cn    # LDAP path of the users we authenticate
    Group BaseDN [ou=People,dc=yinzhengjie,dc=org,dc=cn]: ou=Group,dc=yinzhengjie,dc=org,dc=cn    # LDAP path of the groups for the users we authenticate
    Enable signed push support [y/N]? n

    *** Email Delivery
    ***
    SMTP server hostname [smtp.qq.com]:
    SMTP server port [465]:
    SMTP encryption [ssl/?]:
    SMTP username [y1053419035@qq.com]:
    Change y1053419035@qq.com's password [y/N]? n

    *** Container Process
    ***
    Run as [gerrit]:
    Java runtime [/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.212.b04-0.el7_6.x86_64/jre]:
    Upgrade ./bin/gerrit.war [Y/n]? n

    *** SSH Daemon
    ***
    Listen on address [node201.yinzhengjie.org.cn]:
    Listen on port [29418]:

    *** HTTP Daemon
    ***
    Behind reverse proxy [y/N]? n
    Use SSL (https://) [y/N]? n
    Listen on address [node201.yinzhengjie.org.cn]:
    Listen on port [8080]:
    Canonical URL [http://172.30.1.201:8080]:

    *** Cache
    ***
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff_summary.lock.db [y/N]? y    # delete the old cache files
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff_summary.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/change_kind.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/change_kind.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/mergeability.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/mergeability.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/conflicts.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/conflicts.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff_intraline.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff_intraline.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/diff.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/oauth_tokens.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/oauth_tokens.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/git_tags.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/git_tags.h2.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/web_sessions.lock.db [y/N]? y
    Delete cache file /yinzhengjie/softwares/gerrit/soft/cache/web_sessions.h2.db [y/N]? y

    *** Plugins
    ***
    Installing plugins.
    Install plugin commit-message-length-validator version v2.15.14 [Y/n]? y    # install the plugin but do not overwrite the existing copy
    commit-message-length-validator v2.15.14 is already installed, overwrite it [Y/n]? n
    Install plugin download-commands version v2.15.14 [Y/n]? y
    download-commands v2.15.14 is already installed, overwrite it [Y/n]? n
    Install plugin hooks version v2.15.14 [Y/n]? y
    hooks v2.15.14 is already installed, overwrite it [Y/n]? n
    Install plugin replication version v2.15.14 [Y/n]? y
    replication v2.15.14 is already installed, overwrite it [Y/n]? n
    Install plugin reviewnotes version v2.15.14 [Y/n]? y
    reviewnotes v2.15.14 is already installed, overwrite it [Y/n]? n
    Install plugin singleusergroup version v2.15.14 [Y/n]? y
    singleusergroup v2.15.14 is already installed, overwrite it [Y/n]? n
    Initializing plugins.

    *** Experimental features
    ***
    Enable any experimental features [y/N]? y
    Default to PolyGerrit UI [Y/n]? y
    Enable GWT UI [Y/n]? y

    Tue Jun 18 04:57:05 EDT 2019 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
    Tue Jun 18 04:57:06 EDT 2019 WARN: Establishing SSL connection without server's identity verification is not recommended. According to MySQL 5.5.45+, 5.6.26+ and 5.7.6+ requirements SSL connection must be established by default if explicit option isn't set. For compliance with existing applications not using SSL the verifyServerCertificate property is set to 'false'. You need either to explicitly disable SSL by setting useSSL=false, or set useSSL=true and provide truststore for server certificate verification.
    Initialized /yinzhengjie/softwares/gerrit/soft
    [gerrit@node201.yinzhengjie.org.cn ~/soft]$
    [gerrit@node201.yinzhengjie.org.cn ~/soft]$
III. Start the Gerrit service
1>. Start the Gerrit service (do not forget to start the MySQL database first)
    [gerrit@node201.yinzhengjie.org.cn ~/soft]$ ./bin/gerrit.sh start
    Starting Gerrit Code Review: WARNING: Could not adjust Gerrit's process for the kernel's out-of-memory killer.
             This may be caused by ./bin/gerrit.sh not being run as root.
             Consider changing the OOM score adjustment manually for Gerrit's PID=21559 with e.g.:
             echo '-1000' | sudo tee /proc/21559/oom_score_adj
    OK
    [gerrit@node201.yinzhengjie.org.cn ~/soft]$
2>. Check the listening ports
    [gerrit@node201.yinzhengjie.org.cn ~/soft]$ ss -ntl
    State      Recv-Q Send-Q    Local Address:Port    Peer Address:Port
    LISTEN     0      50         172.30.1.201:29418              *:*
    LISTEN     0      50         172.30.1.201:8080               *:*
    LISTEN     0      128                   *:22                 *:*
    LISTEN     0      100           127.0.0.1:25                 *:*
    LISTEN     0      80                   :::3306              :::*
    LISTEN     0      128                  :::22                :::*
    [gerrit@node201.yinzhengjie.org.cn ~/soft]$
3>. Open the Gerrit web UI (http://node201.yinzhengjie.org.cn:8080/q/status:open)
4>. Enter the user name and password of a user created in LDAP (if the user or password you enter does not exist, the login fails and the server writes an error to its log; use the error message in the log to resolve the problem)
    [gerrit@node201.yinzhengjie.org.cn ~/soft/logs]$ tail -100f error_log    # after a successful login, log entries like the following appear
    ......
    [2019-06-18 05:15:28,761] [HTTP-67] INFO com.googlesource.gerrit.plugins.hooks.HookFactory : hooks.path: /yinzhengjie/softwares/gerrit/soft/hooks
    [2019-06-18 05:15:28,762] [HTTP-67] INFO com.googlesource.gerrit.plugins.hooks.HookFactory : hooks.refUpdatedHook resolved to /yinzhengjie/softwares/gerrit/soft/hooks/ref-updated
    [2019-06-18 05:15:28,962] [HTTP-67] INFO com.google.gerrit.server.account.ChangeUserName : Created the new external Id with key: username:jason
5>. Login succeeds
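IV. Grant permissions to the account
1>. Click Settings; you will see that jason has no administrator permissions
2>. Authenticate using "development_become_any_account", then add the jason user to the administrators
3>. Click Settings
4>. Open the Administrators group
5>. Search for the user and add it to the Administrators group
6>. The jason user has been added to the administrators successfully
7>. Change the authentication mode from "development_become_any_account" back to "ldap" by editing the configuration file "/yinzhengjie/softwares/gerrit/soft/etc/gerrit.config"
8>. Log in again as the jason user and click Settings
9>. Click Groups
10>. Jason now appears as a member of the Administrators group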
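A check to run after step 7 of section IV, added here as an example and not part of the original post: a POSIX shell audit of the [auth] and [ldap] sections of gerrit.config that reports an auth type left on development_become_any_account and an ldap:// server used without StartTLS. The sample file is constructed from the init answers in section II; the function names are hypothetical, while auth.type, ldap.server, ldap.startTls and ldap.password are Gerrit configuration keys.

```shell
#!/bin/sh
# Added example, not from the original post: audit [auth] and [ldap] in gerrit.config.
# cfg_get FILE SECTION KEY: print the last value of SECTION.KEY (git-config syntax).
cfg_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur)
                      cur = tolower(cur); next }
        cur == tolower(sec) && /=/ && !/^[ \t]*[#;]/ {
            k = $0; sub(/=.*$/, "", k); gsub(/[ \t]/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = v
        }
        END { print val }' "$1"
}

# audit_gerrit_auth FILE: print one finding per line (no output means no findings).
audit_gerrit_auth() {
    auth_type=$(cfg_get "$1" auth type | tr 'a-z' 'A-Z')
    server=$(cfg_get "$1" ldap server)
    starttls=$(cfg_get "$1" ldap startTls | tr 'A-Z' 'a-z')
    if [ "$auth_type" = "DEVELOPMENT_BECOME_ANY_ACCOUNT" ]; then
        echo "FAIL auth.type=$auth_type: any visitor can sign in as any account"
    fi
    case "$server" in
        ldap://*)
            if [ "$starttls" != "true" ]; then
                echo "WARN ldap.server=$server: LDAP binds cross the network unencrypted"
            fi ;;
    esac
    if [ -n "$(cfg_get "$1" ldap password)" ]; then
        echo "WARN ldap.password is set in gerrit.config; keep it in etc/secure.config"
    fi
    return 0
}

# Constructed sample: the values are the init answers shown on this page.
write_sample() {  # write_sample FILE AUTH_TYPE
    cat > "$1" <<EOF
[auth]
    type = $2
[ldap]
    server = ldap://node202.yinzhengjie.org.cn:389
    username = cn=Manager,dc=yinzhengjie,dc=org,dc=cn
    accountBase = ou=People,dc=yinzhengjie,dc=org,dc=cn
    groupBase = ou=Group,dc=yinzhengjie,dc=org,dc=cn
EOF
}

tmp=$(mktemp) && write_sample "$tmp" DEVELOPMENT_BECOME_ANY_ACCOUNT && audit_gerrit_auth "$tmp"; rm -f "$tmp"
```

To audit the real site, call audit_gerrit_auth with the path of its etc/gerrit.config.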