gerrit should use the OpenID team extension
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Core Infrastructure |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
From mtaylor:
If you look at git://github.
src/main/
the OpenIdExtension class and
src/main/
The Team Extension itself is in com.cloudbees.
see in pom.xml as openid4java-
In gerrit (git://
reference to that extension into the pom.xml and then if you look at
gerrit-
You should see the same authenticate and addExtension calls... so it
should be reasonably straightforward to write an extension class similar
to TeamsExtension and register it there. Biggest trick is going to be
figuring out how to register that team membership with the user object
once you know it.
Changed in openstack-ci: | |
status: | New → Incomplete |
status: | Incomplete → Won't Fix |
This wouldn't enable us to avoid the launchpad user sync, because we still need to add and remove people from gerrit groups without their logging in via openid since a good deal of important gerrit action happens over ssh rather than http.
While it could mean that an initial login would be better able to set up an account, we should be careful about suggesting that adding this obviates the need for external group syncing.
It's worth also considering whether there are any "first time" actions we perform when syncing a group that we'd lose if we implemented this (like setting watches).
I think we should consider all those points, then evaluate whether we should do this.