Saturday, June 7, 2014

Configure GIT/GERRIT with OPEN LDAP for Code Review Process

This post is about setting up and configuring GIT/Gerrit  which is authenticated by LDAP backend for code review process.

GIT

Git is a distributed version control system which is open source. And this is based on many branches and merges.

Gerrit

Gerrit is a another open source product which can manage Git repositories. This provides authentication,  authorization management for Git projects and most importantly code review facility.

LDAP

For the purpose of authenticating users for the Gerrit, OpenLdap is used. This provides means for  centrally managing all developers and reviwers.

Setting Up Gerrit.

As for the  server environment , Ubuntu 12.04 is used and for the JRE , version  1.7_10 is used.



  1. Create gerrit user and group. 

    # adduser git (This will add both user/group)
  2. Install Git

    # apt-get install git-core
  3. Get the Gerrit and configure as gerrit user.

    # su - gerrit (Switch to the user gerrit)

    $ wget http://gerrit-releases.storage.googleapis.com/gerrit-2.8.5.war (Stable by this time)


    Create required Mysql database and grant the privileges. At the installation provide the correct DB and User/Password information.


    mysql>create database reviewdb;
    mysql> grant all privileges on reviewdb.* to 'gerrit'@'localhost' identified by 'gerrit';

    Database -> reviewdb
    User -> gerrit
    Password -> gerrit

    $java -jar gerrit*.war init -d review_site (Install Gerrit , and it will ask questions o the process such as DB to use , SMTP server ...etc)

     After the installation is over you can find Gerrit configuration file at "/home/gerrit/review_site/etc/gerrit.config"

    Following is My content. (/home/gerrit/review_site/etc/gerrit.config).

     [gerrit]  
     basePath = git  
     canonicalWebUrl = http://gitserver:8080/  
 [database]  
     type = mysql  
     hostname = localhost  
     database = reviewdb  
     username = gerrit  
 [auth]  
     type = ldap  
 [ldap]  
   server = ldap://ldapserverr  
   accountBase = ou=people,dc=domain,dc=com  
   groupBase = ou=groups,dc=domain,dc=com  
   referral = follow  
   accountPattern = (uid=${username})  
   groupPattern = (cn=${groupname})  
   accountFullName = cn  
   accountMemberField = memberOf  
   accountEmailAddress = mail  
 [sendemail]  
     smtpServer = SMTP server  
     smtpUser = gerrit  
 [container]  
     user = gerrit  
     javaHome = /opt/java/jdk  
 [sshd]  
     listenAddress = *:29418  
 [httpd]  
     listenUrl = http://*:8080/  
 [cache]  
     directory = cache 
  4. Once the configurations are correctly configured you can start the Gerrit  and access (http://gitserver:8080/) to it for further  configurations such ah creating projects,groups and to setup ACLs.

    $cd /home/gerrit/review_site/bin/;./gerrit.sh  start (As gerrit user)

    First Login, just after the installation  to the Gerrit system, will get the Admin rights.

    Once you logged in you can create groups for developers and for reviewers, In my set up I have restricted direct  code push to the GIT for developers , instead they have to go through code review process. In Gerrt there is a reference mapping called ref/for/BRANCH NAME , which is used as staging area for code review and push to this mapping will not causes to code to get merge with the branch. Once developer push the commit , reviewer must review and push the commit to the branch. Below diagram shows the Gerrit code review process.



    (REF - https://review.openstack.org/Documentation/intro-quick.html#_creating_the_review)

    Following is the ACL I have used  for the created  Git project and from the All-Projects ACL I have removed all privileges except Administrator privileges  globally  to  create fine grained access control per project.


    On above ACL I have restricted Push rights only on  reference map refs/for/* for developer group which forces developers to perform the code review. Also review group members must add the required project to the watched project list to receive emails on review request as below.


  5. On client machine you need to install following packages and setup remote branch for gerrit review process.

    $apt-get install git-core git-review

    After package installation completed , login to the Gerrit server to add SSH public key for accessing the repository.

    Generate the keys if not available

    $ssh-keygen -C  user@example.com

    (This email address should match with the email address on Gerrit account., in this scenario this email address should be set to the users's LDAP account). After that get the key and add it as below. On Gerrit below the user name (right side upper corner) click and go to the Settings section, there go to the SSH Public Key section.




    Once key is added  clone of the repository first , you can find the clone URL from the Gerrit server once you logged in.




    $git clone ssh://username@gitserver:29418/testProject

    Get the remote repository URLs.

    $git remote -v
    origin ssh://username@gitserver:29418/testProject (fetch)
    origin ssh://username@gitserver:29418/testProject (push)

    Add the gerrit alias to the remote repository which return from the above command. (This alias is used by the git review command to create review request)

    $git  remote  add gerrit ssh://username@gitserver:29418/testProject

    Now client environment is ready for code review process. Following is the list of command.

    Add file a file to the repository.

    $git add

    Commit the file to the local branch.

    $git commit -m "Commit message"

    Request a code review before the merge happen.

    $git review

    Once client execute this command , reviewer get the review request and after the approval , code will get merged with the branch.





Posted by at 3 comments:
Subscribe to: Posts (Atom)