Migrating Gerrit from Google OpenID to Oauth

By Raghu Udiyar

Google is phasing out OpenID in favour of Oauth 2.0 with a deadline on 20th April, 2015 — just 10 days from today. A lot of projects depend on google auth, and can’t easily move to another OpenID provider. I recently had to fix this issue with Jenkins and Gerrit.

Jenkins has a great plugin available for this, which was a piece of cake to install and configure. But it wasn’t so easy with Gerrit. Lot of gerrit users have been asking for Oauth support since May last year; we got that finally when David Ostrovsky wrote gerrit-oauth-provider plugin.

I’ve listed the steps I followed below :

  1. Oauth2 credentials. 
    Get these from Google Developers Console, note down the client id and client secret. Ensure the redirect url is set to /oauth i.e. http://gerrit.yoursite.com/oauth.
  2. Get the custom gerrit war file. There are a few gerrit changes the plugin needs that haven’t been merged yet. A custom war is available here with the plugin. Download this gerrit-2.10.2-18-gc6c5e0b.war file to the new gerrit server.
  3. Backup current gerrit data. Create tarballs of the data directories and dump postgres data (if postgres is being used)
    old-gerrit~$ tar czpf gerrit.tar.gz /srv/gerrit/gerrit
     old-gerrit~$ tar czpf repositories.tar.gz /srv/gerrit/repositories
     old-gerrit~$ pg_dump -xO -Fc reviewdb > reviewdb-$(date +%d-%m-%Y).pdump
  4. Restore data to new gerrit server
    gerrit:/srv/gerrit$ tar xzpf repositories.tar.gz
     gerrit:/srv/gerrit$ tar xzpf gerrit.tar.gz
  5. Restore pg data
    psql : ALTER USER gerrit WITH SUPERUSER;
    $ dropdb reviewdb
    $ createdb reviewdb -O gerrit
    $ pg_restore -O -d reviewdb --role=gerrit reviewdb-20-03-2015.pdump
  6. Run migrations
    Gerrit requires cascading migrations to be run for every major version released. For e.g to update from 2.5 to 2.10, we have to run the following
    $ sudo su - gerrit -s /bin/bash
    $ java -jar gerrit- init -d gerrit
    $ java -jar gerrit-2.9.4.war init -d gerrit
    $ java -jar gerrit-2.9.4.war reindex --recheck-mergeable -d gerrit

    For the custom jar migration be sure to configure the Oauth plugin
    $ java -jar gerrit-2.10.1–4-a83387b.war init -d gerrit
     OAuth Authentication Provider Use Google OAuth provider for Gerrit login ? [Y/n]?
     Application client id : 
     Application client secret : 
     confirm password :
     Link to OpenID accounts? [true]:
     Use GitHub OAuth provider for Gerrit login ? [Y/n]? n
    $ java -jar gerrit-2.10.1–4-a83387b.war reindex -d gerrit
  7. Switch old gerrit domain name to the new server
    For automatic acount linking to work, the domain name must match the old server. Otherwise the OpenID accounts will not be linked with the new Oauth2 account.
  8. Start gerrit server and confirm everything works
    gerrit:/srv/gerrit$ ./bin/gerrit.sh start