Issue 3698

Issue metadata

Status: Released
Owner: ----
Closed: Nov 2015




Upon a Gerrit installation the admin user can be created who doesn't have admin privileges

Reported by antonio....@wandisco.com, Nov 26 2015

Issue description

Affected Version: 2.11.x - 2.12

What steps will reproduce the problem?
1. Install Gerrit using MySQL as the DB, with master-master replication enabled
2. 100% of the time everything will go smoothly
3. But 40% of the time the automatic admin user created so far won't be able to create new projects (won't have admin privileges)

What is the expected output? What do you see instead?
Admin should be able to create a new project. Admin is not able. Cannot see any "Create new project" button.
Gerrit is *not* usable.

Please provide any additional information below.
The master-master replication is available for MySQL only if you use a MariaDB with Galera, or if you use Percona XtraDB cluster, all freely available. (But anyway the bug should be fixed regardless of this)
If you create a cluster of 3 or more nodes, the auto-increment columns in the database can preallocate the initial values, so that on one particular node it's not true that the first value will be 1.
So what can happen is that the Admin user is created with a fixed group id of 1, but the "Administrators" group can be created with an id of -- say -- 3. It doesn't match and the privileges are not applied to Admin.

In the initialisation code for Gerrit there is a little bug in the class com.google.gerrit.pgm.init.InitAdminUser

at line 97:

          AccountGroupMember m =
              new AccountGroupMember(new AccountGroupMember.Key(id,
                  new AccountGroup.Id(1)));  // <---------------------
          db.accountGroupMembers().insert(Collections.singleton(m));


it uses the fixed value of 1 when it should rely on the group in which the Administrator has been created, which happens in SchemaCreator.java:initSystemConfig()  (line 109).

Anyway, after the installation has finished, to fix the problem this is the SQL you need to execute:

update account_group_members set group_id=(select group_id from account_group_names where name='Administrators');

The situation is usually that the id of the admin user can be 3, and in account_group_names the Administrators group can be created with an id which is not 1.
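
Added example (not part of the original report and not Gerrit's own code): a Python/sqlite3 simulation of the id mismatch described above, with a query that detects membership rows pointing at a non-existent group and a repair scoped to one account, shown next to the report's unscoped UPDATE. The schema is a constructed, simplified stand-in; the account_id column, the second group, the function names and all sample ids are assumptions.

```python
import sqlite3

# Constructed, simplified schema. Table names and the name/group_id columns
# come from the report; account_id and all sample rows are assumptions.
SCHEMA = """
CREATE TABLE account_group_names (name TEXT PRIMARY KEY, group_id INTEGER NOT NULL);
CREATE TABLE account_group_members (account_id INTEGER NOT NULL,
    group_id INTEGER NOT NULL, PRIMARY KEY (account_id, group_id));
"""
ADMIN_GROUP = "(SELECT group_id FROM account_group_names WHERE name = 'Administrators')"

def fresh_install(first_group_id, step=3):
    """Simulate init on a cluster node whose auto-increment starts at first_group_id."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO account_group_names VALUES (?, ?)",
                   [("Administrators", first_group_id),
                    ("Non-Interactive Users", first_group_id + step)])
    # Behaviour described in the report: the first admin (account 3 here)
    # is always added to group id 1, whatever id Administrators received.
    db.execute("INSERT INTO account_group_members VALUES (3, 1)")
    return db

def admins(db):
    """Account ids that are members of the real Administrators group."""
    rows = db.execute("SELECT account_id FROM account_group_members "
                      f"WHERE group_id = {ADMIN_GROUP} ORDER BY account_id")
    return [r[0] for r in rows]

def orphaned_memberships(db):
    """Detection: membership rows whose group_id matches no existing group."""
    return db.execute(
        "SELECT m.account_id, m.group_id FROM account_group_members m "
        "LEFT JOIN account_group_names n ON n.group_id = m.group_id "
        "WHERE n.group_id IS NULL ORDER BY m.account_id").fetchall()

def repair_admin(db, account_id):
    """Scoped fix: re-point only this account's orphaned rows at Administrators."""
    cur = db.execute(
        f"UPDATE account_group_members SET group_id = {ADMIN_GROUP} "
        "WHERE account_id = ? AND group_id NOT IN "
        "(SELECT group_id FROM account_group_names)", (account_id,))
    db.commit()
    return cur.rowcount

def blanket_update(db):
    """The report's statement as written: no WHERE clause, every row is rewritten."""
    db.execute(f"UPDATE account_group_members SET group_id = {ADMIN_GROUP}")
    return admins(db)
```

On a database that already holds other memberships, the unscoped UPDATE moves every member into Administrators, so run the detection query first and repair only the rows it returns.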


 
Status: ChangeUnderReview
Thanks for reporting this.  I've uploaded a patch:

https://gerrit-review.googlesource.com/#/c/72768/

but I don't have the necessary environment to fully test it.
Project Member

Comment 2 by ekempin@google.com, Nov 27 2015

Labels: FixedIn-2.11.6
Status: Submitted
Status: Released (was: Submitted)
