On Wednesday, 21 January 2015 23:57:07 CEST, Ben Cooksley wrote:
Using either
http://www.guywarner.com/2014/06/part-2-integrating-phabricator-and.html
or http://www.dctrwatson.com/2013/01/jenkins-and-phabricator/ or a
variation thereof.
That is quite some custom code that one has to maintain, though.
Commit emails could either be sent by our existing hooks, or we could
migrate to Herald and customise its template to fit what we need if
necessary.
People would filter them / subscribe to them through Herald.
How would they subscribe via Herald if it was done via the existing hooks?
Doesn't seem too high, although I don't see how that would be made web
accessible - which might be the hard and costly part maintenance wise.
(You have to deal with security issues too as you are in a separate
web application, so you need to authenticate the developer first).
Well, Apache's mod_authnz_ldap and a "Require group developers" stanza
makes this really easy. Just look up $user from an appropriate env var
provided by the web server. Where is the problem?
Our existing solution is triggered on change events in LDAP and causes
all SSH keys to be re-read and a new ~/.ssh/authorized_keys file to be
written out. You can't rely on OpenLDAP stating the addition/removals
properly when using the syncrepl interface, at least in my experience.
In this way we avoid dependence on the Identity web application.
A quick & dirty approach:
`ssh bot@gerrit set-account $user --remove-ssh-keys ALL`
`ssh bot@gerrit set-account $user --add-ssh-key - < authorized_keys`
A better and race-free code would have to invoke `comm` in addition to
that, and only add/remove keys which have to be removed or added. That's
left as an exercise for the reader, it's easy enough. Or, to avoid relying
on a local state altogether, just issue a REST call for SSH key retrieval
and base a decision on that. It's gonna be like 10 lines of custom code.
Cheers,
Jan
--
Trojitá, a fast Qt IMAP e-mail client -- http://trojita.flaska.net/
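
The `comm`-based sync described in the message above, as an added example that is not code from the original mail or from the KDE or Gerrit projects. It assumes two key files (the keys last known to be on the account and the keys wanted from LDAP), plain `type blob comment` lines without an options prefix, Gerrit's `--delete-ssh-key` option, and a hypothetical `GERRIT_CMD` variable; the key values in any test run are constructed.

```shell
#!/bin/sh
# Added example: compute and apply only the SSH key changes an account needs,
# instead of removing ALL keys and re-adding them (which leaves a window with
# no valid keys and churns keys that did not change).

# Keep only "<type> <base64-blob>" so a changed comment is not treated as a
# new key; skip blank and comment lines; sort uniquely as comm(1) requires.
# Assumption: lines carry no authorized_keys options prefix.
normalize_keys() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $1 " " $2 }' "$1" | LC_ALL=C sort -u
}

# plan_key_changes CURRENT DESIRED
# Prints "add <key>" for keys only in DESIRED, then "delete <key>" for keys
# only in CURRENT. Additions come first so a failed run never leaves the
# account with fewer working keys than it should have.
plan_key_changes() {
    cur=$(mktemp) || return 1
    want=$(mktemp) || { rm -f "$cur"; return 1; }
    normalize_keys "$1" > "$cur"
    normalize_keys "$2" > "$want"
    LC_ALL=C comm -13 "$cur" "$want" | sed 's/^/add /'
    LC_ALL=C comm -23 "$cur" "$want" | sed 's/^/delete /'
    rm -f "$cur" "$want"
}

# apply_key_changes USER CURRENT DESIRED
# Sends each key on stdin ("-") so key material is never interpolated into a
# remote command line. GERRIT_CMD is a hypothetical override; its default is
# the invocation form used in the mail and may need adjusting for your server.
apply_key_changes() {
    plan_key_changes "$2" "$3" | while read -r action key; do
        case "$action" in
            add)
                printf '%s\n' "$key" |
                    ${GERRIT_CMD:-ssh bot@gerrit} set-account "$1" --add-ssh-key - ;;
            delete)
                printf '%s\n' "$key" |
                    ${GERRIT_CMD:-ssh bot@gerrit} set-account "$1" --delete-ssh-key - ;;
        esac
    done
}
```

Running `plan_key_changes` on its own gives a dry-run diff that can be logged or reviewed before `apply_key_changes` touches the account.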