Is it possible to delete group in Gerrit Code Review? May be some plugins or this action should be performed 'manually' in SQL-like manner (e.g. gerrit gsql)?
Unfortunately there isn't a way to remove Gerrit groups using the command line tools or the REST API.
I have a script that removes a Gerrit group from the Gerrit database.
It basically does the following:
1) Check if the group exists in Gerrit:
if ssh -p 29418 USER#GERRIT-SERVER gerrit ls-groups -q GROUP > /dev/null
then
# GROUP EXIST
else
# GROUP DOESN'T EXIST
fi
2) Check if the group has access rights assigned in any project:
ssh -p 29418 USER#GERRIT-SERVER gerrit ls-projects --type ALL --has-acl-for GROUP > /tmp/ls-projects
if [[ -s /tmp/ls-projects ]]
then
# GROUP HAS ACCESS RIGHTS ASSIGNED
else
# GROUP DOESN'T HAVE ACCESS RIGHTS ASSIGNED
fi
Note: you need first to remove the group from any project access rights.
3) Search for the group id in the Gerrit database
SELECT group_id FROM account_group_names WHERE name = 'GROUP';
4) Remove the group from the Gerrit database
START TRANSACTION;
DELETE FROM account_group_id WHERE s = 'GROUP-ID';
DELETE FROM account_group_by_id WHERE group_id = 'GROUP-ID';
DELETE FROM account_group_by_id_aud WHERE group_id = 'GROUP-ID';
DELETE FROM account_group_members WHERE group_id = 'GROUP-ID';
DELETE FROM account_group_names WHERE group_id = 'GROUP-ID';
DELETE FROM account_groups WHERE group_id = 'GROUP-ID';
DELETE FROM account_group_members_audit WHERE group_id = 'GROUP-ID';
COMMIT;
UPDATE
This procedure does NOT work anymore for Gerrit v3.0.x and forward.
Related
We have our company users list and with that users list we need to prepare a report that each user have access to which gerrit project.
So how to list the project(s) for particular user from gerrit?
Some direction to achieve this will be helpful. Thanks in advance.
You have two options to give a try:
Use the "gerrit ls-projects" SSH command
Using the "--has-acl-for GROUP" option, you can list projects on which access rights for this group are directly assigned. Note: projects which only inherit access rights for this group are not listed:
ssh -p 29418 USER#GERRIT-SERVER gerrit ls-projects --has-acl-for GROUP
See more details in Gerrit documentation here.
Use the "Check Access" project REST endpoint
Using this endpoint you can verify if a user has access to a repository. Note: this requires the View Access global capability:
curl --user USER:PASS --request GET "https://GERRIT-SERVER/a/projects/PROJECT/check.access?account=ACCOUNT-ID&ref=refs%2Fheads%2Fmaster"
This command checks if the user with the ACCOUNT-ID number has access to the branch "master" of the PROJECT. As you have noted, you need to know the user ACCOUNT-ID. You can find the user ACCOUNT-ID using REST too:
curl --user USER:PASS --request GET "https://GERRIT-SERVER/a/accounts/?q=username:USERNAME" | sed 1d | jq --raw-output .[]._account_id
See more details in Gerrit documentation here.
Hi I installed JIRA on a ubuntu box, but I forgot to write down my user/password (I know :/).
Mails are not working because the mail server isn't configured, and I can't access the admin panel.
The DB is a hsqldb db and I only have command line which seems impossible to run query's against.
How can I recover my user/password ?
You can run the HSQL Database Manager by shutting down JIRA, then running the following command:
java -cp /path/to/WEB-INF/lib/hsqldb-1.8.0.5.jar org.hsqldb.util.DatabaseManager \
-user sa \
-url jdbc:hsqldb:/path/to/jira-home/database
...depending on the actual filename of the HSQL jar. The actual JDBC string should be available in JIRA admin somewhere.
This will then allow you to look in the cwd_user table for the user and reset the password as described here:
https://confluence.atlassian.com/display/JIRA/Retrieving+the+JIRA+Administrator
You'll be able to see the users with this:
select u.user_name, d.directory_name
from cwd_user u inner join cwd_directory d on u.directory_id = d.id
order by directory_name, user_name;
Then reset the password like this:
update cwd_user
set credential='uQieO/1CGMUIXXftw3ynrsaYLShI+GTcPS4LdUGWbIusFvHPfUzD7CZvms6yMMvA8I7FViHVEqr6Mj4pCLKAFQ=='
where user_name='some-user-name';
-- new password is 'sphere'
More details on HSQL Database Manager & Atlassian products:
How to access the HSQL Database Manager during Atlassian Confluence add-on development
Accessing HSQL Database Manager
Some of our Jenkins jobs are such that they deploy e.g. to a client acceptance test environment. It is very important that this type of jobs are not triggered by accident. Is it therefore possible to configure Jenkins to somehow require a password when triggering a specific build?
Set up Project based security, then you can restrict build access on a per-job basis.
From the help on the Jenkins configuration page:
[Project based security] is an extension to "Matrix-based security"
that allows additional ACL matrix to be defined for each project
separately (which is done on the job configuration screen.)
This allows you to say things like "Joe can access project A, B, and C
but he can't see D." See the help of "Matrix-based security" for the
concept of matrix-based security in general.
ACLs are additive, so the access rights granted below will be
effective for all the projects.*
ok.
my 5cents about this question.
Our Jenkins uses Redmine's mysql db as auth input.
in Jenkins you'll need next plugins:
Parameterized Build
Build User Vars Plugin
and after activating Password parameter, you'll be asked for it before build.
So, i figured out 2 options.
It is applicable, if your slaves has direct connection with mysql (or any DB engine).
then pre-build check:
SALT=$(mysql --defaults-extra-file="~/redmcheck.my" -B -se "select salt from redmine.users where login='${BUILD_USER}';")
HASH=$(mysql --defaults-extra-file="~/redmcheck.my" -B -se "select hashed_password from redmine.users where login='${BUILD_USER}';")
CHECK=$(sha1 -qs $SALT$(sha1 -qs $Password))
if [ $HASH != $CHECK ]
then
exit 1;
fi
It will broke build, if your entered password doesn't equal.
Second solution, is to use Rest API in Redmine.
And it allows to recheck user on remote slaves.
CODE=$(curl -X GET -u ${BUILD_USER}:${Password} --write-out "%{http_code}" -o /dev/null -s https://redmine/users/current.json);
if [ $CODE != "200" ]
then
exit 1;
fi
If it gets 200 code, so it goes build.
I am trying to amend the ACL on a file using icacls. I want this file to be owned by Administrator and be accessible to Administrator only. I found out how to make administrator the owner of the files, and I know how to remove a group from the security list but I don't know how to remove all groups but the administrator group if I don't know the name of the other groups.
I am looking for a way to tell Windows that I only want to let Administrator access the file and remove any other user/group if there is any.
I tried using the wildcard character but it doesn't work.
Here's my script:
$domain = [Environment]::UserDomainName
$user = [Environment]::UserName
icacls $myinvocation.mycommand.path /setowner "$domain\$user" /T
icacls $myinvocation.mycommand.path /grant "$domain\$user"
icacls $myinvocation.mycommand.path
In theory, you can use :r after grant (see Docs). However, in practice I couldn't make this work. I think :r means "Replace permisions only for the specified user".
I've tested the following solution in Powershell and it works fine though.
# Reset the folder to just it's inherited permissions
icaclsname c:\temp\test /reset
# Then, disable inheritance and remove all inherited permissions
icacls c:\temp\test /inheritance:r
# Note the :r after grant. It's not now needed, but I've left it in anyway.
# Permissions replace previously granted explicit permissions.
# Also note the :F, where : is escaped with `. This grants FULL CONTROL.
# You can replace F with whatever level of control is required for you.
icacls c:\temp\test /grant:r $domain\$user`:F
Is there command in Perforce to get information which clients has mapping for particular folder from depot ?
Example:
I have depot location //depot/myfolder/somefile.java
I want to know information which clients map this location to which path:
//client1/c:/folder1/somefile.java
//client2/d:/folder2/somefile.java
...
I can get this information from "p4 client" but it is for current client and not for particular folder/file.
Regards, Victor
You could do it with a small script using the p4 clients command to list clients:
p4 help clients
clients -- Display list of clients
workspaces -- synonym for 'clients'
p4 clients [-u user] [-e nameFilter -m max]
Lists all client workspaces currently defined in the server.
The -u user flag lists client workspaces that are owned by the
specified user.
The -e nameFilter flag lists workspaces with a name that matches
the nameFilter pattern, for example: -e 'svr-dev-rel*'
The -m max flag limits output to the specified number of workspaces.
and then iterate over each client using
p4 client -o <client name>
to list the client spec, and finally search for the path(s) you are interested in.