Closed Bug 1249149 Opened 9 years ago Closed 9 years ago

Add SSH command to associate LDAP account with MozReview

Categories

(MozReview Graveyard :: General, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gps, Assigned: gps)

Attachments

(1 file)

The proper fix for bug 1239815 is somewhat involved. As a quick hack, let's deploy an SSH command that will associate the authenticated SSH/LDAP account with MozReview. That way, people can run `ssh reviewboard-hg.mozilla.org associate-ldap-account` or some such and magic ensues.

Making P1 because Git users aren't able to use Try/Autoland until we can associate LDAP accounts.
In terms of security and compatibility with existing workflows, the easiest way to associate an LDAP account with MozReview is over SSH. This is because an SSH connection proves ownership of that LDAP account and SSH is already how we associate LDAP accounts today.

This commit introduces a pash SSH command for associating an LDAP account with MozReview. It prompts for a Bugzilla username and API Key then makes an HTTP request to Review Board's LDAP association web API. Everything behaves just like LDAP association is currently done except we're not doing it from a Mercurial context.

We introduce a standalone script for performing the HTTP request because Pash is a Python 2.6 process running out of the system Python installation and therefore doesn't have access to the Review Board Python package. We run the script out of the Python 2.7 virtualenv, which is where pash-invoked `hg` processes run out of.

Comprehensive tests of the new functionality have been added. Documentation has also been added.

We've talked about performing a reverse LDAP search to automatically associate LDAP accounts. However, this may not always work (e.g. not all users may have Bugzilla metadata registered in LDAP). So, a manual solution (which this commit provides) will likely always need to exist. While the manual association in this commit isn't the most turn-key, it does unblock HTTP pushers (including all Git users) from not being able to use several MozReview features. Hopefully that will be enough until the LDAP search functionality is deployed (if ever).

Review commit: https://reviewboard.mozilla.org/r/35381/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/35381/
Attachment #8720621 - Flags: review?(dminor)
Comment on attachment 8720621
MozReview Request: hgserver: pash command to associate LDAP account with MozReview (bug 1249149); r?dminor

kang: I don't anticipate any major concerns with this feature. But I thought I'd run it by you just in case.
Attachment #8720621 - Flags: feedback?(gdestuynder)
Attachment #8720621 - Flags: feedback?(gdestuynder) → feedback+
Comment on attachment 8720621
MozReview Request: hgserver: pash command to associate LDAP account with MozReview (bug 1249149); r?dminor

https://reviewboard.mozilla.org/r/35381/#review32291

Sorry for the delay in reviewing this.

::: hgserver/pash/hg_helper.py:504
(Diff revision 1)
> + print('error reading Mercurial config; please report this error')

Unless there's a good reason not to, we should display the backtrace here so it can be reported in a bug.

::: scripts/mozreview-associate-ldap:18
(Diff revision 1)
> +

nit: two blank lines here please.
Attachment #8720621 - Flags: review?(dminor) → review+
https://hg.mozilla.org/hgcustom/version-control-tools/rev/5e7da07ff6ee24e424fe86cd4180b3c870ef3404 hgserver: pash command to associate LDAP account with MozReview (bug 1249149); r=dminor
https://reviewboard.mozilla.org/r/35381/#review32291

> Unless there's a good reason not to, we should display the backtrace here so it can be reported in a bug.

There is a good reason to: security. I'm paranoid that backtraces print file content, which may include passwords. I'll add an inline comment.
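
An added illustration of the concern in the comment above, not code from the MozReview patch or from this thread's participants: Python's standard `configparser` (used here as a stand-in for the Mercurial config reader, which is an assumption) embeds the offending line in its parse error, so a printed backtrace echoes file content. The sample config, the function names and the generic message are constructed for this example.

```python
import configparser
import traceback

# Constructed sample: a config whose malformed line (no "=") holds a secret.
SAMPLE_CONFIG = """[auth]
username = someone@example.com
password hunter2-constructed
"""

GENERIC_ERROR = 'error reading config; please report this error'


def load_config(text):
    parser = configparser.ConfigParser()
    parser.read_string(text, source='sample.ini')
    return parser


def verbose_report(text):
    """What the user would see if the handler printed the backtrace."""
    try:
        load_config(text)
    except configparser.Error:
        # The final traceback line is the exception message, and
        # ParsingError's message quotes each line it could not parse.
        return traceback.format_exc()
    return ''


def safe_report(text):
    """Generic message plus triage hints that carry no file content."""
    try:
        load_config(text)
    except configparser.Error as e:
        # ParsingError keeps (lineno, line) pairs; report only the line
        # numbers. Other configparser errors have no such list.
        lines = [lineno for lineno, _ in getattr(e, 'errors', [])]
        return '%s (%s, lines %s)' % (GENERIC_ERROR, type(e).__name__, lines)
    return ''


if __name__ == '__main__':
    print(verbose_report(SAMPLE_CONFIG))
    print(safe_report(SAMPLE_CONFIG))
```

The exception class and line numbers are still enough for someone with access to the file to locate the problem from a bug report.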
I'll hold off deploying this until next week since it is late'ish on a Friday and I'm not sure @ is safe to deploy since a number of other things have landed.
Product: Developer Services → MozReview
This is deployed.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED