Gerrit Admin Configuration

Login Authentication

OpenID: a decentralized online identity authentication system

[auth]
	type = OpenID	# Or OpenID_SSO
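	openIdSsoUrl = # single sign-on URL supplied by the OpenID provider
	allowedOpenID = https://	# list of OpenIDs allowed to log in, as regular expressions
	trustedOpenID = https://login.launchpad.net/+openid # distinguishes anonymous from registered users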
	openIdDomain = example.com	# List of allowed OpenID email address domains
	maxOpenIdSessionAge = 7200s # session lifetime

OpenID Connect concepts explained:

HTTP Basic Authentication

[auth]
	type = HTTP
	httpHeader = # HTTP header to trust the username from
				 # or unset to select HTTP basic authentication
	httpDisplaynameHeader = 
	httpEmailHeader = 
	httpExternalIdHeader = 
	loginUrl = 
	loginText = "Sign In" # Only used if loginUrl is set.
	registerPageUrl = 
	logoutUrl = 
	emailFormat = {0}@example.com

In this mode, Gerrit assumes that the web server has already completed authentication before handing the request over to Gerrit.

LDAP or LDAP_BIND

OAUTH

[auth]
	type = OAUTH
	gitBasicAuthPolicy = HTTP
[plugin "gerrit-oauth-provider-phabricator-oauth"]
	client-id = PHID-OASC-duqhnip4x7p5mza7guxf
	root-url = https://phab.xyz

auth.gitOAuthProvider requires plugin support: Gerrit OAuth2 authentication provider

DEVELOPMENT_BECOME_ANY_ACCOUNT

Only for use in a development environment.

auth.gitBasicAuthPolicy

Authentication methods explained: https://gerrit-review.googlesource.com/Documentation/config-sso.html

Account Management

https://gerrit-review.googlesource.com/Documentation/config-accounts.html#external-ids

Themes and Styling

Create or modify custom theme files in the GERRIT_SITE directory; they take effect on the login page:

  • etc/GerritSiteHeader.html
  • etc/GerritSiteFooter.html
  • etc/GerritSite.css
  • static/ (location of static resources)

For example, site analytics code can be added to GerritSiteFooter.html:

<div>
  <!-- standard analytics code -->
  <script type="text/javascript">
      var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
      document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
  </script>
  <script type="text/javascript">
    var pageTracker = _gat._getTracker("UA-nnnnnnn-n");
    pageTracker._trackPageview();
  </script>
  <!-- /standard analytics code -->

  <script type="text/javascript">
    window.onload = function() {
      var p = window.location.pathname;
      Gerrit.on('history', function (s) {
        pageTracker._trackPageview(p + '/' + s)
      });
    };
  </script>
</div>

The *.html files must be valid XHTML, with one root element, typically a single <div> tag.

Deeper UI customization:

WebUI plugin example:

(() => {
  'use strict';

  Gerrit.install(plugin => {
    const rule = `
      html {
        --header-background-color: #347dbe;
        --header-text-color: #fff;
        --header-title-content: "🌿 述知 Code Review";
        --header-title-font-size: 1.4em;
        --header-icon: url("https://phab-xyz-1255747930.cos.ap-beijing.myqcloud.com/expound.png");
        --header-icon-size: 0em;
      }
    `;
    plugin.styleApi().insertCSSRule(rule);
  });
})();

Install the JS plugin:

ssh -p 29418 lone@code.expound.cc gerrit plugin add -n header-webui-plugin.js - < header-webui-plugin.js

Integration with other tools

REST API

https://gerrit-documentation.storage.googleapis.com/Documentation/3.9.1/intro-project-owner.html#tool-integration

Automated bot comment integration

gerrit.config

Location of the configuration file: $GERRIT_SITE/etc/gerrit.config. Some of the options are explained below:

[gerrit]
	basePath = git		        # base path where all git repositories are stored (relative path)
	defaultBranch = 	        # default branch at project creation; the default is refs/heads/main
	canonicalWebUrl = 	        # custom domain name
	cdnPath = 		        # Path prefix for Gerrit's static resources if using a CDN.
[accounts]
	visibility = ALL		# visibility control between accounts: ALL | SAME_GROUP | VISIBLE_GROUP | NONE
	defaultDisplayName = FULL_NAME	# FULL_NAME | USERNAME | FIRST_NAME
[auth]
	type = HTTP 			# account login method; for example, OAUTH, SSO, or LDAP support can be added
[oauth]
	allowRegisterNewEmail = true          # additional email addresses can be registered 
	allowEditFullName =             # the full name can be edited in the contact information.
[cache]
	directory = cache		# Gerrit cache directory (relative path), persisted as H2 database files
	h2CacheSize = 250m              # in-memory cache for each opened H2 cache database
[capability]
	administrateServer = group Fail Safe Admins # administrator group configuration
	makeFirstUserAdmin = true 	# whether to make the first user an administrator; defaults to true
[change]
	allowBlame = true		# whether to show the blame button when viewing a diff
	disablePrivateChanges	        # controls whether private Changes can be created
	enableAssignee = false	        # whether the Assign feature is enabled in the UI
[httpd]                                 # reverse-proxied by an Nginx or Apache web server
	listenUrl = proxy-http://127.0.0.1:8081
[container]
	heapLimit = 512m 		# Maximum heap size of the Java process running Gerrit
	javaHome = 			# Path of the JRE/JDK installation to run Gerrit with.
	javaOptions = 			# Additional options to pass along to the Java runtime.
[sendemail]				# SMTP mail sending configuration
	smtpServer = 
	smtpServerPort = 465
	smtpEncryption = SSL
	smtpUser =

More configuration options: https://gerrit-review.googlesource.com/Documentation/config-gerrit.html
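
An added example, not part of the original page or of Gerrit itself: a small Python audit of gerrit.config for the two trust assumptions described above, namely that type = HTTP relies on the web server having authenticated the request before it reaches Gerrit, and that DEVELOPMENT_BECOME_ANY_ACCOUNT is only for development. The sample config, the header name X-Forwarded-User and the finding labels are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: HTTP auth trusts a header set by the web server, but
# Gerrit listens on every interface, so clients can connect around the proxy.
SAMPLE_CONFIG = """
[auth]
	type = HTTP
	httpHeader = X-Forwarded-User   # constructed header name
[httpd]
	listenUrl = proxy-http://*:8081
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_config(text):
    """Minimal git-config style parser -> {section: {key: value}}, names lower-cased."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (quoted '#' not handled)
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].split()[0].lower()  # subsection name ignored
            cfg.setdefault(section, {})
        elif "=" in line and section:
            key, value = line.split("=", 1)
            cfg[section][key.strip().lower()] = value.strip()
    return cfg

def audit(text):
    """Return labels (hypothetical names) for settings that need review."""
    cfg = parse_config(text)
    auth, httpd = cfg.get("auth", {}), cfg.get("httpd", {})
    auth_type = auth.get("type", "").upper()
    findings = []
    if auth_type == "DEVELOPMENT_BECOME_ANY_ACCOUNT":
        findings.append("dev-only-auth-enabled")
    if auth_type == "HTTP":
        # Gerrit assumes the web server authenticated the request, so the
        # listener should be a proxy-* URL reachable only from that server.
        url = urlsplit(httpd.get("listenurl", ""))
        if not url.scheme.startswith("proxy-"):
            findings.append("http-auth-without-proxy-listener")
        if url.hostname not in LOOPBACK:
            findings.append("http-auth-listener-not-loopback")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("review:", finding)
```

A non-loopback listener is a review item rather than an error: when the reverse proxy runs on another host, network filtering has to ensure that only the proxy can reach the Gerrit port.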

To reload the configuration file or restart the service, run the following command:

$GERRIT_SITE/bin/gerrit.sh restart