Migrating Gerrit from Google OpenID to Oauth
By Raghu Udiyar
Published in
2 min readApr 10, 2015
Google is phasing out OpenID in favour of Oauth 2.0 with a deadline on 20th April, 2015 — just 10 days from today. A lot of projects depend on google auth, and can’t easily move to another OpenID provider. I recently had to fix this issue with Jenkins and Gerrit.
Jenkins has a great plugin available for this, which was a piece of cake to install and configure. But it wasn’t so easy with Gerrit. Lot of gerrit users have been asking for Oauth support since May last year; we got that finally when David Ostrovsky wrote gerrit-oauth-provider plugin.
I’ve listed the steps I followed below :
- Oauth2 credentials.
Get these from Google Developers Console, note down theclient id
andclient secret
. Ensure the redirect url is set to/oauth
i.e.http://gerrit.yoursite.com/oauth
. - Get the custom gerrit war file. There are a few gerrit changes the plugin needs that haven’t been merged yet. A custom war is available here with the plugin. Download this
gerrit-2.10.2-18-gc6c5e0b.war
file to the new gerrit server. - Backup current gerrit data. Create tarballs of the data directories and dump postgres data (if postgres is being used)
old-gerrit~$ tar czpf gerrit.tar.gz /srv/gerrit/gerrit
old-gerrit~$ tar czpf repositories.tar.gz /srv/gerrit/repositories
old-gerrit~$ pg_dump -xO -Fc reviewdb > reviewdb-$(date +%d-%m-%Y).pdump - Restore data to new gerrit server
gerrit:/srv/gerrit$ tar xzpf repositories.tar.gz
gerrit:/srv/gerrit$ tar xzpf gerrit.tar.gz - Restore pg data
psql : ALTER USER gerrit WITH SUPERUSER;
$ dropdb reviewdb
$ createdb reviewdb -O gerrit
$ pg_restore -O -d reviewdb --role=gerrit reviewdb-20-03-2015.pdump
psql: ALTER USER gerrit WITH NOSUPERUSER; - Run migrations
Gerrit requires cascading migrations to be run for every major version released. For e.g to update from 2.5 to 2.10, we have to run the following$ sudo su - gerrit -s /bin/bash
$ java -jar gerrit-2.8.6.1.war init -d gerrit
$ java -jar gerrit-2.9.4.war init -d gerrit
$ java -jar gerrit-2.9.4.war reindex --recheck-mergeable -d gerrit
For the custom jar migration be sure to configure the Oauth plugin$ java -jar gerrit-2.10.1–4-a83387b.war init -d gerrit
[…]
OAuth Authentication Provider Use Google OAuth provider for Gerrit login ? [Y/n]?
Application client id :
Application client secret :
confirm password :
Link to OpenID accounts? [true]:
Use GitHub OAuth provider for Gerrit login ? [Y/n]? n
$ java -jar gerrit-2.10.1–4-a83387b.war reindex -d gerrit - Switch old gerrit domain name to the new server
For automatic acount linking to work, the domain name must match the old server. Otherwise the OpenID accounts will not be linked with the new Oauth2 account. - Start gerrit server and confirm everything works
gerrit:/srv/gerrit$ ./bin/gerrit.sh start