The list of authentication backends supported by Gerrit does not include GitHub and it cannot be used out of the box, as it does not support OpenID authentication. However, a GitHub plugin for Gerrit has been recently released in order to fill the gaps and allow a seamless integration.
GitHub implements OAuth 2.0 for allowing external applications, such as Gerrit, to integrate using a three-step browser-based authentication. Using this scheme, a user can leverage their existing GitHub account without the need to provision and manage a separate one in Gerrit. Additionally, the Gerrit instance will be able to self-provision the SSH public keys needed for pushing changes for review.
In order for us to use GitHub OAuth authentication with Gerrit, we need to do the following:
Build the Gerrit GitHub plugin
Install the GitHub OAuth filter into the Gerrit libraries (/lib under the Gerrit site directory)
Reconfigure Gerrit to use the HTTP authentication type
The Gerrit GitHub plugin can be found under the Gerrit plugins/github repository on https://gerrit-review.googlesource.com/#/admin/projects/plugins/github. It is open source under the Apache 2.0 license and can be cloned and built using the Java 6 JDK and Maven.
Refer to the following example:
$ git clone https://gerrit.googlesource.com/plugins/github
$ cd github
$ mvn install
[…]
[INFO] BUILD SUCCESS
[INFO] -----------------------------------------------------------------
[INFO] Total time: 9.591s
[INFO] Finished at: Wed Jun 19 18:38:44 BST 2013
[INFO] Final Memory: 12M/145M
[INFO] -----------------------------------------------------------------
The Maven build should generate the following artifacts:
github-oauth/target/github-oauth*.jar, the GitHub OAuth library for authenticating Gerrit users
github-plugin/target/github-plugin*.jar, the Gerrit plugin for integrating with GitHub repositories and pull requests
The GitHub OAuth JAR file needs to be copied to the Gerrit /lib directory; this is required to allow Gerrit to use it for filtering all HTTP requests and enforcing the GitHub three-step authentication process:
$ cp github-oauth/target/github-oauth-*.jar /opt/gerrit/lib/
The GitHub plugin includes the additional support for the overall configuration, the advanced GitHub repositories replication, and the integration of pull requests into the Code Review process.
We now need to install the plugin before running the Gerrit init again so that we can benefit from the simplified automatic configuration steps:
$ cp github-plugin/target/github-plugin-*.jar /opt/gerrit/plugins/github.jar
Before going through the Gerrit init, we need to tell GitHub to trust Gerrit as a partner application. This is done through the generation of a ClientId/ClientSecret pair associated with the exact Gerrit URLs that will be used for initiating the three-step OAuth authentication.
We can register a new application in GitHub through the URL https://github.com/settings/applications/new, where the following three fields are requested:
Application name: It is the logical name of the application authorized to access GitHub, for example, Gerrit.
Main URL: The Gerrit canonical web URL used for redirecting to GitHub OAuth authentication, for example, https://myhost.mydomain:8443.
Callback URL: The URL that GitHub should redirect to when the OAuth authentication is successfully completed, for example, https://myhost.mydomain:8443/oauth.
GitHub will automatically generate a unique ClientId/ClientSecret pair, which has to be provided to Gerrit to identify it as a trusted authentication partner.
Note
ClientId/ClientSecret are not GitHub credentials and cannot be used by an interactive user to access any GitHub data or information. They are only used for authorizing the integration between a Gerrit instance and GitHub.
We now need to stop Gerrit and go through the init steps again in order to reconfigure the Gerrit authentication. We need to enable HTTP authentication by choosing an HTTP header to be used to verify the user's credentials, and to go through the GitHub settings wizard to configure the OAuth authentication.
$ /opt/gerrit/bin/gerrit.sh stop
Stopping Gerrit Code Review: OK
$ cd /opt/gerrit
$ java -jar gerrit.war init
[...]
*** User Authentication ***
Authentication method []: HTTP RETURN
Get username from custom HTTP header [Y/n]? Y RETURN
Username HTTP header []: GITHUB_USER RETURN
SSO logout URL : /oauth/reset RETURN
*** GitHub Integration ***
GitHub URL [https://github.com]: RETURN
Use GitHub for Gerrit login ? [Y/n]? Y RETURN
ClientId []: 384cbe2e8d98192f9799 RETURN
ClientSecret []: f82c3f9b3802666f2adcc4 RETURN
Initialized /opt/gerrit
$ /opt/gerrit/bin/gerrit.sh start
Starting Gerrit Code Review: OK
Gerrit is now fully configured to register and authenticate users through GitHub OAuth. When opening the browser to access any Gerrit web page, we are automatically redirected to GitHub for login. If we have already visited and authenticated with GitHub previously, the browser cookie will be automatically recognized and used for the authentication, instead of presenting the GitHub login page. Alternatively, if we do not yet have a GitHub account, we can create a new GitHub profile by clicking on the SignUp button.
Once the authentication process is successfully completed, GitHub requests the user's authorization to grant access to their public profile information. The following screenshot shows GitHub OAuth authorization for Gerrit:
The authorization status is then stored under the user's GitHub applications preferences on https://github.com/settings/applications.
Finally, GitHub redirects back to Gerrit, propagating the user's profile securely using a one-time code, which is used to retrieve the full data profile including username, full name, e-mail, and associated SSH public keys.
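The three-step exchange described above, written out as an added example (it is not the Gerrit GitHub plugin's code): the redirect to GitHub, the check on the callback that carries the one-time code, and the server-side exchange in which the ClientSecret is used. It assumes GitHub's documented web-flow endpoints /login/oauth/authorize and /login/oauth/access_token; the function names, the session dictionary and the credential placeholders are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

GITHUB_URL = "https://github.com"                    # "GitHub URL" from the init wizard
CALLBACK_URL = "https://myhost.mydomain:8443/oauth"  # Callback URL registered on GitHub
CLIENT_ID = "EXAMPLE_CLIENT_ID"          # placeholder, not a real ClientId
CLIENT_SECRET = "EXAMPLE_CLIENT_SECRET"  # placeholder, never sent via the browser


def start_login(session):
    """Step 1: send the browser to GitHub with a fresh, session-bound state."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({"client_id": CLIENT_ID, "redirect_uri": CALLBACK_URL,
                       "state": session["oauth_state"]})
    return f"{GITHUB_URL}/login/oauth/authorize?{query}"


def handle_callback(session, request_url):
    """Step 2: accept GitHub's redirect only if it matches this session."""
    got, want = urlsplit(request_url), urlsplit(CALLBACK_URL)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback arrived on an unregistered URL")
    params = parse_qs(got.query)
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    state = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(state.encode(), expected.encode()):
        raise ValueError("state mismatch: callback is not tied to this session")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no one-time code")
    return code


def token_request(code):
    """Step 3: build the server-to-server exchange of the code (not sent here)."""
    form = urlencode({"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                      "code": code, "redirect_uri": CALLBACK_URL})
    return f"{GITHUB_URL}/login/oauth/access_token", form


if __name__ == "__main__":
    session = {}  # constructed stand-in for a server-side browser session
    print(start_login(session))
    # Constructed callback, as GitHub would issue it after the user authorizes
    callback = f"{CALLBACK_URL}?code=constructed-code&state={session['oauth_state']}"
    print(token_request(handle_callback(session, callback)))
```

Only the ClientId travels through the browser in step 1; the ClientSecret appears solely in the step 3 request, which is why it belongs in server-side configuration that regular users cannot read.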