Jenkins Gerrit-Trigger not reporting +1 verified after successful job run

Asked 1/3, 2017 at 10:31 Answered 5/5, 2019 at 14:11

I'm currently attempting to issue a "+1 Verified" using the Jenkins Gerrit-Trigger, but some reason the +1 is failing.

The permissions seem to be in order as the plugin is successfully able to issue "-1 Verified" and "Build Started" comments to the relevant Gerrit changeset.

When the job is successful the "+1 Verified" never materialises. Checking the Jenkins logs show that the last entry relevant to the job is showing a 403 response error:

The Jenkins logs also show the same request:

com.sonymobile.tools.gerrit.gerritevents.workers.rest.AbstractRestCommandJob run
SEVERE: Gerrit response: Forbidden

Gerrit also picks up on the request and the 403 response:

"POST /a/changes/tdmdev~develop~Id917dda3449bf9af738ad7f122adaecba70004bd/revisions/7eab7e90c6b7e66f23faaac7cbfd40d8c9c93726/review HTTP/1.1" 403 46 - "Apache-HttpClient/4.5.2 (Java/1.8.0_77)"

I've tested to see if theres any querky goings on with the API and have had success reporting "+1 Verify" using the URL from the Gerrit logs:

curl -v -X POST -d '{"reviewer":"srv_devops_jenkins","labels":{"Verified":"+1"}}' -H "Content-Type: application/json" --user "srv_devops_jenkins:***" --digest http://foobar.com:8080/a/changes/tdmdev~develop~Id917dda3449bf9af738ad7f122adaecba70004bd/revisions/7eab7e90c6b7e66f23faaac7cbfd40d8c9c93726/review

The Gerrit Trigger is configured to support RESTClient requests, I've ensured the following:

RESTClient credentials are correct, clicking the "Test REST Connection" returns a success response.
"Enable Verified" is ticked
Restarted the Gerrit Trigger connection in Jenkins

The only way I've been successful is to disable the "REST API" and have requests made over the SSH connection, the only downside is that we need to issue +1's on custom labels which to the best of my knowledge aren't supported over SSH through the Gerrit-Trigger.

Versions:
Jenkins: 2.48
Gerrit-Trigger: 2.23.0
Gerrit: 2.12

Thanks for any help you can provide.

Harappa answered 1/3, 2017 at 10:31 Comment(3)

Do you have Gerrit Plugin events-log installed? I am having the same problem. REST doesn't work, SSH works. I am the process of installing it. – Spitzer 3/3, 2017 at 18:54

> the only downside is that we need to issue +1's on custom labels which to the best of my knowledge aren't supported over SSH through the Gerrit-Trigger Did you try using --label ? gerrit review <CHANGE>,<PATCHSET> --message 'voting up' --label Verified=1 in the Gerrit Trigger's configuraion? – Spitzer 3/3, 2017 at 19:12

We haven't got the events-log plugin installed, just: reviewnotes, commit-message-length-validator, download-commands & replication. I did consider modifying the SSH commands, however it wouldn't suit using the Jenkins Sonar Plugin, which issues the label request (over REST) after the Sonar step has completed. – Harappa 6/3, 2017 at 12:57

In short this is a Gerrit permission issue for the Jenkins user.

The Gerrit trigger when submitting requests over the RESTAPI was including both "Verify" & "Code Review" votes. Now our Jenkins user only had the Verify permission, so any "Code Review" modification was forbidden (explains the 403 response code).

Now as a solution it wasn't practical to simply give the Jenkins user "Code Review" permissions. Instead theres an option to configure the Gerrit vote settings within the Jenkins Job:

"Gerrit Trigger" > click "Advanced..." > "Gerrit Reporting Values"

Under the "Verify" heading, adding "1" for successful, while ensuring all other fields are blank allows the RESTAPI to only send the verify +1 vote after the build.

Harappa answered 30/5, 2017 at 9:16 Comment(0)

In Jenkins >> Gerrit Trigger >> your server name >> Gerrit Reporting Values >> Advanced >> reset api, please check the ‘Enable Verified’.

Biostatics answered 5/5, 2019 at 14:11 Comment(0)

Recommended topics

Hot tags