Google authentication for Gerrit and Jenkins
Jenkins and Gerrit have both plugins for OpenID 2.0, but this API has been deprecated by Google May 19 2014 (https://developers.google.com/accounts/docs/OpenID) making it impossible for new installation to use and existing installations must migrate to OAuth2.0(OpendID connect). When trying to use OpenID 2.0 you will get the error message "Error 400: OpenID auth request contains an unregistered domain".
The Gerrit team is aware of the problem but no solution as of yet: https://code.google.com/p/gerrit/issues/detail?id=2677
Not sure about Jenkins.
Answer
Update 2014/11/05: For those coming here the first place read on below. Thanks hans-zandbelt for the feedback. It is incorporated in the updated version. The setup now uses the suggested improvements and only uses mod_rewrite to redirect the gerrit logout url to the right place. Also note that instead of only using the non-domain part of the email the email is used unmodified. This means that if you happen to have an existing setup you need to change username mappings.
For Jenkins do the following:
- move ${jenkins_home}/users/youruser to ${jenkins_home}/users/youruser@yourdomain
- open ${jenkins_home}/config.xml search "youruser" and replace with youruser@yourdomain
For Gerrit:
either on the machine itself (change GERRIT_HOME to where it is on your machine):
open the sql database with one of the two methods below:
[Recommended] Either through the gerrit command available through ssh:
ssh gerrit.revault.ch gerrit gsqlOR on the machine itself (change GERRIT_HOME to where it is on your machine):
export GERRIT_HOME=/var/gerrit_home pushd ${GERRIT_HOME} java -cp $(find . -name "h2*.jar") org.h2.tools.Shell -url "jdbc:h2:file:${GERRIT_HOME}/db/ReviewDB;IFEXISTS=TRUE"
show external
select * from ACCOUNT_EXTERNAL_IDS;the external ids map your account to different usernames, emails etc.
- the ones prefixed with username: e.g. username:[email protected] are for ssh / git login names
- the ones prefixed with gerrit: e.g. gerrit:[email protected] are used for the web interface
for a given account_id you can just add new mappings for existing users using sql: e.g.
insert into ACCOUNT_EXTERNAL_IDS values(1000032, NULL,NULL, 'username:[email protected]'); insert into ACCOUNT_EXTERNAL_IDS values(1000032, NULL,NULL, 'gerrit:[email protected]');
Solution
You can use an Apache as a reverse proxy handling authentication for you:
Gerrit
Assuming you already have installed Gerrit and it is listening on address 10.10.10.10:8080. You will have to configure gerrit to use basic authentication, the [auth] section in your ${gerrit_installation}/etc/gerrit.config should look like this:
[gerrit]
basePath = git
canonicalWebUrl = http://gerrit.example.com
[database]
type = h2
database = db/ReviewDB
[index]
type = LUCENE
[auth]
type = HTTP
emailFormat = {0}@example.com
httpHeader = X-Forwarded-User
[sendemail]
smtpServer = localhost
[container]
user = gerrit
javaHome = /usr/lib/jvm/java-8-oracle/jre
[sshd]
listenAddress = 10.10.10.10:2222
[httpd]
listenUrl = http://10.10.10.10:8080/
[cache]
directory = cache
The username will be in the header X-Forwarded-User. That's how Apache will forward the username to Gerrit.
On Apache we will use mod_auth_openidc which has support for oauth2. For further information and example docs refer to https://github.com/pingidentity/mod_auth_openidc. On a recent Ubuntu the installation looks like this:
sudo aptitude install libjansson-dev apache2 apache2-dev libcurl4-openssl-dev build-essential autoconf libhiredis-dev
git clone https://github.com/pingidentity/mod_auth_openidc.git
cd mod_auth_openidc
./autogen.sh
./configure
make
sudo make install
sudo a2enmod auth_openidc
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod headers
sudo a2enmod rewrite
You will need to add a site configuration e.g. gerrit.conf similar to the one below (you probably want TLS, too) to /etc/apache2/sites-available and activate it with:
sudo a2ensite gerrit.conf
The file /etc/apache2/sites-available/gerrit.conf looks like this:
<VirtualHost *:80>
ServerName gerrit.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <from api console>
OIDCClientSecret <from api console>
OIDCScope "openid email profile"
OIDCRedirectURI http://gerrit.example.com/oauth2callback
OIDCCryptoPassphrase <generate long random passphrase here, no sure if used>
OIDCSessionInactivityTimeout 600
OIDCCookiePath /
OIDCAuthRequestParams hd=example.com
OIDCRemoteUserClaim email
OIDCAuthNHeader X-Forwarded-User
RewriteEngine On
#LogLevel alert rewrite:trace2
RewriteRule ^/logout$ /oauth2callback?logout=http://gerrit.example.com/ [R]
ProxyPass / http://gerrit.example.com:8080/ nocanon
ProxyPassReverse / http://gerrit.example.com:8080/
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Proxy http://gerrit.example.com:8080/*>
# add rewrites here if necessary
</Proxy>
<Location />
AuthType openid-connect
Require claim hd:example.com
Require valid-user
</Location>
</VirtualHost>
In order to get the parameters OIDCClientID and OIDCClientSecret go to the api console under https://console.developers.google.com/project. The credentials are in the context of a project if you haven't one create a project first. E.g. example-it-authentication
On the project go to APIs & auth:
- Under APIs activate Google+ API.
- Under Credentials, OAuth create new Client ID.
- Fill in OIDCClientID and OIDCClientSecret in your apache config (e.g. gerrit.conf)
- Under Consent screen fill in email and product name (you will get an error if you don't)
service apache2 restart
You should be done!
Jenkins
Assuming you already have installed Jenkins and it is listening on 10.10.10.11:8080.
For Jenkins the configuration is almost identical. You will need to install and activate the Reverse Proxy Auth Plugin http://wiki.jenkins-ci.org/display/JENKINS/Reverse+Proxy+Auth+Plugin. Under Configure Global Security check the "HTTP Header by reverse proxy" radio.
The default values correspond to the configuration below. You will need to create credentials matching the jenkins hostname in the api console https://console.developers.google.com/project. Report them to your config as before (e.g. jenkins.conf). That should be all.
<VirtualHost *:80>
ServerName jenkins.example.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <from api console>
OIDCClientSecret <from api console>
OIDCScope "openid email profile"
OIDCRedirectURI http://jenkins.example.com/oauth2callback
OIDCCryptoPassphrase <generate long random passphrase here, no sure if used>
OIDCSessionInactivityTimeout 600
OIDCCookiePath /
OIDCAuthRequestParams hd=example.com
OIDCRemoteUserClaim email
OIDCAuthNHeader X-Forwarded-User
ProxyPass / http://jenkins.example.com:8080/ nocanon
ProxyPassReverse / http://jenkins.example.com:8080/
ProxyRequests Off
AllowEncodedSlashes NoDecode
<Proxy http://jenkins.example.com:8080/*>
# add rewrites here if necessary
</Proxy>
<Location />
AuthType openid-connect
Require claim hd:example.com
Require valid-user
</Location>
<Location ~ "^/(cli|jnlpJars|subversion|whoAmI|computer/[^/]+/slave-agent.jnlp|tcpSlaveAgentListener)">
Satisfy Any
Allow from all
</Location>
</VirtualHost>
Currently there doesn't seem to be support for groups in mod_auth_openidc. If you need groups you can install an LDAP that stores them (but this probably isn't what you want since you are using Google auth) or wait until it is supported by mod_auth_openidc.