Saturday, June 7, 2014

Configure GIT/GERRIT with OPEN LDAP for Code Review Process

This post is about setting up and configuring Git/Gerrit, authenticated against an LDAP backend, for a code review process.

GIT

Git is an open source distributed version control system, designed around frequent branching and merging.

Gerrit

Gerrit is another open source product that manages Git repositories. It provides authentication and authorization management for Git projects and, most importantly, a code review facility.

LDAP

OpenLDAP is used to authenticate users to Gerrit. This provides a means of centrally managing all developers and reviewers.

Setting Up Gerrit

For the server environment, Ubuntu 12.04 is used, and for the JRE, version 1.7_10 is used.



  1. Create the gerrit user and group.

    # adduser gerrit (This will add both the user and the group)
  2. Install Git

    # apt-get install git-core
  3. Download Gerrit and configure it as the gerrit user.

    # su - gerrit (Switch to the gerrit user)

    $ wget http://gerrit-releases.storage.googleapis.com/gerrit-2.8.5.war (The stable release at the time of writing)


    Create the required MySQL database and grant the privileges. During the installation, provide the correct DB and user/password information.


    mysql> create database reviewdb;
    mysql> grant all privileges on reviewdb.* to 'gerrit'@'localhost' identified by 'gerrit';

    Database -> reviewdb
    User -> gerrit
    Password -> gerrit

    $ java -jar gerrit*.war init -d review_site (Installs Gerrit; it will ask questions on the process, such as which DB to use, the SMTP server, etc.)

     After the installation is over you can find the Gerrit configuration file at "/home/gerrit/review_site/etc/gerrit.config".

    Following is my content (/home/gerrit/review_site/etc/gerrit.config).

     [gerrit]  
         basePath = git  
         canonicalWebUrl = http://gitserver:8080/  
     [database]  
         type = mysql  
         hostname = localhost  
         database = reviewdb  
         username = gerrit  
     [auth]  
         type = ldap  
     [ldap]  
       server = ldap://ldapserverr  
       accountBase = ou=people,dc=domain,dc=com  
       groupBase = ou=groups,dc=domain,dc=com  
       referral = follow  
       accountPattern = (uid=${username})  
       groupPattern = (cn=${groupname})  
       accountFullName = cn  
       accountMemberField = memberOf  
       accountEmailAddress = mail  
     [sendemail]  
         smtpServer = SMTP server  
         smtpUser = gerrit  
     [container]  
         user = gerrit  
         javaHome = /opt/java/jdk  
     [sshd]  
         listenAddress = *:29418  
     [httpd]  
         listenUrl = http://*:8080/  
     [cache]  
         directory = cache  
  4. Once everything is configured correctly you can start Gerrit and access it at http://gitserver:8080/ for further configuration, such as creating projects and groups and setting up ACLs.

    $ cd /home/gerrit/review_site/bin/; ./gerrit.sh start (As the gerrit user)

    The first login to the Gerrit system, just after the installation, gets the Administrator rights.

    Once you have logged in you can create groups for developers and for reviewers. In my setup I have restricted direct code pushes to Git for developers; instead they have to go through the code review process. In Gerrit there is a reference mapping called refs/for/BRANCH_NAME which is used as a staging area for code review: a push to this mapping does not cause the code to be merged into the branch. Once a developer pushes a commit, a reviewer must review it and push the commit to the branch. The diagram below shows the Gerrit code review process.



    (REF - https://review.openstack.org/Documentation/intro-quick.html#_creating_the_review)

    Following is the ACL I have used for the created Git project. From the All-Projects ACL I have removed all privileges globally except the Administrator privileges, in order to create fine-grained access control per project.


    In the above ACL I have restricted Push rights to the reference map refs/for/* only for the developer group, which forces developers to go through code review. Also, reviewer group members must add the required project to their watched projects list to receive emails on review requests, as below.


  5. On the client machine you need to install the following packages and set up a remote for the Gerrit review process.

    $ apt-get install git-core git-review

    After the package installation has completed, log in to the Gerrit server to add the SSH public key for accessing the repository.

    Generate the keys if not already available:

    $ ssh-keygen -C user@example.com

    (This email address should match the email address on the Gerrit account; in this scenario it should be the email address set on the user's LDAP account.) After that, get the key and add it as below: on Gerrit, click the user name (upper right corner), go to the Settings section, and then to the SSH Public Keys section.




    Once the key is added, clone the repository first; you can find the clone URL on the Gerrit server once you have logged in.




    $ git clone ssh://username@gitserver:29418/testProject

    Get the remote repository URLs:

    $ git remote -v
    origin ssh://username@gitserver:29418/testProject (fetch)
    origin ssh://username@gitserver:29418/testProject (push)

    Add the gerrit alias pointing at the remote repository URL returned by the above command. (This alias is used by the git review command to create the review request.)

    $ git remote add gerrit ssh://username@gitserver:29418/testProject

    Now the client environment is ready for the code review process. Following is the list of commands.

    Add a file to the repository.

    $ git add <file>

    Commit the file to the local branch.

    $ git commit -m "Commit message"

    Request a code review before the merge happens.

    $ git review

    Once the client executes this command, the reviewer gets the review request, and after approval the code is merged into the branch.
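The refs/for/BRANCH_NAME staging behaviour described in step 4 and the developer/reviewer flow of step 5, simulated end to end with plain git in a temporary directory. This is an added example, not code from the original post or from Gerrit. Gerrit serves refs/for/* as a virtual namespace driven by its ACL and resolves the pusher's groups from LDAP; here a server-side update hook and a GERRIT_ROLE environment variable (both constructed for the demo, as are the names testProject, developer and reviewer) stand in for the ACL and the group lookup, so the effect of the policy can be observed without a Gerrit server.

```shell
#!/bin/sh
# Added example (not from the original post): emulate the Gerrit push policy
# from the post with plain git. Developers may push only to refs/for/<branch>;
# only reviewers may update refs/heads/<branch>. A simulated "update" hook and
# the GERRIT_ROLE variable replace Gerrit's ACL and LDAP group lookup.
set -eu

# Identity for the throwaway commits (constructed values).
GIT_AUTHOR_NAME=demo; GIT_AUTHOR_EMAIL=demo@example.com
GIT_COMMITTER_NAME=demo; GIT_COMMITTER_EMAIL=demo@example.com
export GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL

# Create the bare "server" repo and install the simulated ACL hook.
make_server() {
  srv="$1"
  git init -q --bare "$srv"
  git -C "$srv" symbolic-ref HEAD refs/heads/master
  cat > "$srv/hooks/update" <<'EOF'
#!/bin/sh
# $1 = ref being updated. GERRIT_ROLE stands in for the LDAP group.
case "$1" in
  refs/heads/*) [ "${GERRIT_ROLE:-developer}" = reviewer ] && exit 0
                echo "ACL: ${GERRIT_ROLE:-developer} may not push to $1; use refs/for/*" >&2
                exit 1 ;;
  refs/for/*)   exit 0 ;;   # review staging namespace: open to everyone
  *)            exit 1 ;;
esac
EOF
  chmod +x "$srv/hooks/update"
}

# push_as <clone> <local-ref> <server-ref> <role>: prints accepted or rejected.
push_as() {
  if GERRIT_ROLE="$4" git -C "$1" push -q origin "$2:$3" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# commit_change <clone> <file> <message>: append a line and commit it.
commit_change() {
  echo "$3" >> "$1/$2"
  git -C "$1" add "$2"
  git -C "$1" commit -q -m "$3"
}

# Runs the whole flow and prints a one-line summary of each outcome.
run_demo() {
  work=$(mktemp -d)
  srv="$work/testProject.git"
  make_server "$srv"

  # Reviewer seeds master (allowed: role reviewer on refs/heads/master).
  git init -q "$work/reviewer"
  git -C "$work/reviewer" symbolic-ref HEAD refs/heads/master
  commit_change "$work/reviewer" README "initial"
  git -C "$work/reviewer" remote add origin "$srv"
  seed=$(push_as "$work/reviewer" master refs/heads/master reviewer)
  base=$(git -C "$srv" rev-parse master)

  # Developer clones and commits a change.
  git clone -q "$srv" "$work/dev"
  commit_change "$work/dev" README "feature"

  # Direct push to the branch is rejected; the same commit is accepted into
  # the refs/for/master staging ref, and master on the server is untouched.
  direct=$(push_as "$work/dev" master refs/heads/master developer)
  staged=$(push_as "$work/dev" master refs/for/master developer)
  if [ "$(git -C "$srv" rev-parse master)" = "$base" ]; then s=unchanged; else s=changed; fi

  # Reviewer fetches the staged change and submits it to the branch
  # (the approve-and-submit step that Gerrit performs from its web UI).
  git -C "$work/reviewer" fetch -q origin refs/for/master:refs/for/master
  submit=$(push_as "$work/reviewer" refs/for/master refs/heads/master reviewer)
  if [ "$(git -C "$srv" rev-parse master)" = "$base" ]; then m=unchanged; else m=advanced; fi

  rm -rf "$work"
  echo "seed=$seed direct=$direct staged=$staged master-after-stage=$s submit=$submit master-after-submit=$m"
}

if [ "${1:-}" = run ]; then run_demo; fi
```

Run it as `sh gerrit_acl_demo.sh run`: the developer's direct push is rejected by the hook, the push to refs/for/master is accepted without moving master, and master only advances once the reviewer pushes the staged commit to refs/heads/master, which is exactly the separation the refs/for/* Push rule in the post's ACL enforces.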





2 comments:

Surjit Bains said...

Hi,

Nice post!!

Do you have the initial openLDAP DIT and ldapadd entries?

thanks

chamara samarakoon said...

Hi Surjit,

Sorry for the delayed response. In my example I used the following DIT details.

After slapd is installed with ldap-utils, an admin user will be created for the rootDN of your database.

$ apt-get install slapd ldap-utils

During the installation process, slapd prompts you to provide the admin password. To create your own base DN, reconfigure slapd with dpkg-reconfigure slapd after the installation is completed.

$ dpkg-reconfigure slapd

1.) Under the DNS domain name section, provide the domain name you wish to configure for the DIT in the following format
domain.com
Once you provide the above DNS name, slapd will create the baseDN -> dc=domain,dc=com
2.) For the other steps go with the defaults.

Once you finish the slapd configuration, you will be able to browse the LDAP DIT as below.
$ ldapsearch -x -LLL -H ldap:/// -b dc=domain,dc=com dn

After the above step is completed you now have a basic DIT with the baseDN set to dc=domain,dc=com. The next step is to add entries for storing users and groups.

1.) LDIF file for adding an entry for creating a group called people.

-------------addgroups1.ldif-------------------------------
dn: ou=people,dc=domain,dc=com
objectClass: organizationalUnit
ou: people
-----------------------------------------------------------

Adding to LDAP
$ ldapadd -x -H ldap://localhost -D cn=admin,dc=domain,dc=com -W -f addgroups1.ldif

2.) Similarly you can add an entry for groups as well.

-------------addgroups2.ldif-------------------------------
dn: ou=groups,dc=domain,dc=com
objectClass: organizationalUnit
ou: groups
-----------------------------------------------------------
Adding to LDAP
$ ldapadd -x -H ldap://localhost -D cn=admin,dc=domain,dc=com -W -f addgroups2.ldif

3.) Finally you can add users (ex: testuser) under the people entry and groups (ex: dev) under the groups entry as below.

------------------------addgroup.ldif--------------------------------
dn: cn=dev,ou=groups,dc=domain,dc=com
objectClass: posixGroup
cn: dev
gidNumber: 5000
----------------------------------------------------------------------

Adding to LDAP
$ ldapadd -x -H ldap://localhost -D cn=admin,dc=domain,dc=com -W -f addgroup.ldif


------------------------adduser.ldif--------------------------------
dn: uid=testuser,ou=people,dc=domain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: testuser
sn: User
givenName: testuser
cn: testuser
displayName: Test User
uidNumber: 10000
gidNumber: 5000
userPassword: tsetuser
gecos: Test User
loginShell: /bin/bash
homeDirectory: /home/testuser

----------------------------------------------------------------------
Adding to LDAP
$ ldapadd -x -H ldap://localhost -D cn=admin,dc=domain,dc=com -W -f adduser.ldif

As explained above we can create as many entries as we want.

Hope this is what you want.

Regards,
Chamara
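A small POSIX sh/awk lint for LDIF of the kind shown in the reply above, meant to be run before the entries are fed to ldapadd. This is an added example, not code from the comment author or from OpenLDAP. It checks that every posixAccount's gidNumber refers to a posixGroup defined in the same LDIF set, that the uid attribute matches the RDN of the DN, that uidNumber values are unique, and that userPassword holds a hashed value (a {SSHA} or similar prefix, as slappasswd produces) rather than cleartext. The sample LDIF embedded in sample_ldif is constructed for the demo: it mirrors the reply's dev group and testuser entry (with a placeholder hash standing in for real slappasswd output) and adds a deliberately broken baduser entry so that each check fires.

```shell
#!/bin/sh
# Added example (not from the comment thread): lint LDIF for users/groups
# before running ldapadd. Reads LDIF on stdin, prints one finding per line.
set -eu

lint_ldif() {
  awk '
    # Record the entry collected so far, then reset per-entry state.
    function flush() {
      if (dn == "") return
      if (oc ~ /posixGroup/) groups[gid] = dn
      if (oc ~ /posixAccount/) {
        n++; adn[n] = dn; agid[n] = gid; auid[n] = uid; anum[n] = uidnum; apw[n] = pw
      }
      dn = ""; oc = ""; gid = ""; uid = ""; uidnum = ""; pw = ""
    }
    /^dn: /           { flush(); dn = substr($0, 5) }
    /^objectClass: /  { oc = oc " " $2 }
    /^gidNumber: /    { gid = $2 }
    /^uidNumber: /    { uidnum = $2 }
    /^uid: /          { uid = $2 }
    /^userPassword: / { pw = substr($0, 15) }
    /^$/              { flush() }
    END {
      flush()
      for (i = 1; i <= n; i++) {
        # gidNumber must name a posixGroup defined in this LDIF set.
        if (!(agid[i] in groups))
          print "orphan-gid: " adn[i] " gidNumber " agid[i] " has no posixGroup"
        # uid attribute must agree with the uid= RDN of the DN.
        split(adn[i], rdn, ","); sub(/^uid=/, "", rdn[1])
        if (auid[i] != rdn[1])
          print "uid-mismatch: " adn[i] " uid attribute is " auid[i]
        # uidNumber must be unique across accounts.
        if (anum[i] in seen)
          print "dup-uidnumber: " adn[i] " shares uidNumber " anum[i] " with " seen[anum[i]]
        seen[anum[i]] = adn[i]
        # userPassword should be a {SCHEME}hash value, not cleartext.
        if (apw[i] != "" && apw[i] !~ /^[{][A-Z0-9]+[}]/)
          print "cleartext-password: " adn[i]
      }
      exit 0
    }'
}

# Constructed sample: the reply's dev group and testuser, plus a broken entry.
sample_ldif() {
  cat <<'EOF'
dn: cn=dev,ou=groups,dc=domain,dc=com
objectClass: posixGroup
cn: dev
gidNumber: 5000

dn: uid=testuser,ou=people,dc=domain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: testuser
cn: testuser
sn: User
uidNumber: 10000
gidNumber: 5000
userPassword: {SSHA}PLACEHOLDER-HASH-FROM-slappasswd
homeDirectory: /home/testuser

dn: uid=baduser,ou=people,dc=domain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: bad
cn: baduser
sn: User
uidNumber: 10000
gidNumber: 6000
userPassword: secret
homeDirectory: /home/baduser
EOF
}

# Usage: sh ldif_lint.sh file.ldif   (or pipe LDIF into lint_ldif)
if [ "${1:-}" != "" ]; then lint_ldif < "$1"; fi
```

Running `sample_ldif | lint_ldif` reports four findings, all against baduser (orphan gidNumber 6000, uid attribute not matching the DN, duplicate uidNumber 10000, cleartext userPassword) and none against testuser; the same checks applied to the reply's own adduser.ldif would flag only its cleartext userPassword.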