YouTrack developer permissions working for one user but not for another - youtrack

YouTrack has a built in role called "Developer" which is assigned to two users. That role allows users to edit issues and change state.
However one of the users is not able to perform these operations although the permissions granted are exactly the same.
We tried the following options:
matching all groups, roles, permissions for both users
clearing browser cache
logging out and logging in
logging in to another machine
restarting YouTrack
But none worked.
Is there a known issue with permissions?
This is YouTrack 7 standalone.
EDIT : Saw a similar issue reported here https://youtrack-support.jetbrains.com/hc/en-us/community/posts/203931930-Developer-Role-Permissions

Looks like your permission management is out of sync. Please go to the Hub Integration page and click on the 'Sync' button. This operation will sync internal YouTrack accounts and permissions with Hub accounts and permissions (where you are actually setting them up).

Related

Create Gerrit project - with permission, unable to access it

Question regards Gerrit 2.14
Goal
I want to have projects visible only to Registered Users, and also I would wish that the 'owner' of a project can set its visibility, share, hide etc. without admin rights, or involving an admin to set those rights for him/her per project. For example I want to have projects A, B, C, D, E with B, C owned by p1, and C shared between p1, p2. So user p1 would see B, C, and user p2 would see C.
What I've checked
I believe that there are 3 ways of achieving something described above:
user has admin rights - can set parent of project other than All-projects: I don't want that
admin can set per project ACL for user/group: I don't want that
user becomes Project Owner of projects s/he created
By default "Create Project" is not granted for Registered users and "READ for refs/*"
I have tried
Setting permissions in All-Projects.git that all project inherit
Create Group
Registered Users
Create Project
Registered Users
Reference: refs/*
Allow Administrators
Allow Project Owners
Deny Anonymous Users
/* IF I add ALLOW Registered Users here -> see bottom of question */
and all remaining permissions unchanged, I expected to be able, as registered user:
Be sure that anonymous (not registered/logged on) users cannot view projects
Create project using both GUI and SSH
Be assigned as Project Owner to that project - have full control over this single project
Result
Unfortunately, registered user can create project (if user does not select previously prepared parent All-public-projects - which grants multiple other permissions - default All-projects is assigned as parent) BUT user, who is supposed to be Project Owner cannot access this project.
Ideas what is wrong
I'm aware that Registered Users are members of Anonymous Users group as well, but documentation states
Inherited access rights can be overwritten unless they are defined as BLOCK rule. BLOCK rules are used to limit the possibilities of the project owners on the inheriting projects.
Changing the parent of a project is only allowed for Gerrit administrators. This means you need to contact the administrator of your Gerrit server if you want to reparent your project.
and also
[READ] This category has a special behavior, where the per-project ACL is evaluated before the global all projects ACL. If the per-project ACL has granted Read with 'DENY', and does not otherwise grant Read with 'ALLOW', then a Read in the all projects ACL is ignored. This behavior is useful to hide a handful of projects on an otherwise public server.
For an open source, public Gerrit installation it is common to grant Read to Anonymous Users in the All-Projects ACL, enabling casual browsing of any project’s changes, as well as fetching any project’s repository over SSH or HTTP. New projects can be temporarily hidden from public view by granting Read with 'DENY' to Anonymous Users and granting Read to the project owner’s group within the per-project ACL.
Now since I do not want to set permissions per project basis, am I correct to think that reason for this to fail is
For the All-Projects root project any Owner access right on 'refs/*' is ignored since this permission would allow users to edit the global capabilities, which is the same as being able to administrate the Gerrit server (e.g. the user could assign the Administrate Server capability to the own account).
Questions
If my reasoning is correct, how do I achieve my goal?
Also, granting READ refs/* to Registered User makes project to be accessible, but also all others too. How would I then be able to hide some projects from other Registered users? Or if that is not possible - how do I configure permissions in order to prevent other registered users to commit, and possibly even clone other projects?
Additional question.
How do I quickly see who is set as project's Project Owner?
I'm glad to see I'm not the only one with such a requirement. For me everything would work just fine if the user who creates a project via Gerrit's Web UI would automatically be the project owner (only if the user is not an Admin User). However, as you know, the current Web UI neither passes this information to the Gerrit backend nor allows assigning project owners when creating a new project. I see the following options:
Open a feature request for the Gerrit dev team hoping they will consider the idea
Use the create-project REST API and pass the project owner(s) for creating projects, i.e. using an own app
Use the create project CLI and pass the project owner(s) for creating projects
Implement an own Gerrit Plugin - see 2. Plugin Development which would make the current user creating a new project a project owner
For me only option 1 or 4 is viable because the others mean way too much overhead. I'm thinking about writing such a plugin, and I would make it open source... About 2 months ago I was hoping there was already something available I could use, but I couldn't find anything.
To your second question: I typically use the Web UI for this by going to the project's Access tab and then checking who has the permission "Owner" for the branch refs/*.
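
Added example, not part of the original answer and not Gerrit's own code: a sketch of option 2 (the create-project REST endpoint with an `owners` list) plus a scripted version of the "who is Owner on refs/*" check, reading a project's access response. The host `gerrit.example.com`, the project `team/projC`, the group names `p1-owners`/`p2-owners` and the group UUIDs are hypothetical; Gerrit grants Owner to groups, so a group per owner is assumed to exist.

```python
import json
import urllib.parse
import urllib.request

XSSI_PREFIX = ")]}'"  # Gerrit prepends this guard line to every JSON response


def create_project_request(base_url, project, owner_groups, parent="All-Projects"):
    """Build (not send) PUT /a/projects/{name} carrying a ProjectInput body."""
    body = {
        "parent": parent,
        "owners": owner_groups,  # group names: Owner is granted to groups, not accounts
        "create_empty_commit": True,
    }
    url = "%s/a/projects/%s" % (base_url.rstrip("/"),
                                urllib.parse.quote(project, safe=""))
    return urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="PUT",
        headers={"Content-Type": "application/json; charset=UTF-8"})


def parse_gerrit_json(text):
    """Strip the XSSI guard line and decode the JSON that follows it."""
    if text.startswith(XSSI_PREFIX):
        text = text[len(XSSI_PREFIX):]
    return json.loads(text)


def owner_groups_on(access_info, ref="refs/*"):
    """Group UUIDs holding an ALLOW rule for 'owner' on ref (ProjectAccessInfo)."""
    rules = (access_info.get("local", {}).get(ref, {})
             .get("permissions", {}).get("owner", {}).get("rules", {}))
    return sorted(g for g, rule in rules.items() if rule.get("action") == "ALLOW")


# Constructed sample of a GET /a/projects/team%2FprojC/access response body.
SAMPLE_ACCESS = """)]}'
{"inherits_from": {"id": "All-Projects", "name": "All-Projects"},
 "local": {"refs/*": {"permissions": {
   "owner": {"rules": {"uuid-p1-owners": {"action": "ALLOW"},
                       "uuid-p2-owners": {"action": "ALLOW"}}},
   "read":  {"rules": {"uuid-p1-owners": {"action": "ALLOW"},
                       "global:Anonymous-Users": {"action": "DENY"}}}}}}}
"""

if __name__ == "__main__":
    req = create_project_request("https://gerrit.example.com", "team/projC",
                                 ["p1-owners", "p2-owners"])
    print(req.get_method(), req.full_url, req.data.decode())
    print(owner_groups_on(parse_gerrit_json(SAMPLE_ACCESS)))
```

The request object is only built here; sending it requires credentials for an account that holds the Create Project capability.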

Synchronize the user from ldap server to jira soon

I was using an OpenLDAP server to control the users in Jira and Confluence. But after I insert a user into LDAP and add the user to the jira-users group, I still need to synchronize the user in Jira. Can I set something to let it synchronize automatically after I insert the user into the LDAP server?
Here are the main steps :
Log in as a user with the JIRA System Administrators permission
Check your configuration : Settings > User Management > User Directories
You can manually synchronize the LDAP cache by clicking 'Synchronize' on the 'User Directories' screen.
If it works, you just need to set the Synchronization Interval on the directory configuration screen.
Otherwise there is probably something wrong with the current config. In this case, I would:
Check the server settings, see if it's reachable when connecting from a terminal.
Similarly, try to perform a search from a terminal using the schema settings.
Disable Incremental Synchronization if enabled.
Ensure the directory order is correct. Changes to users and groups will be made only in the first directory where the application has permission to make changes.
Ref: Connecting to an LDAP directory

Group Policy Object Creation Failed - This security ID may not be assigned as the owner of this object

We have a Windows SBS 2008 domain controller (the only one in our domain) and I'm trying to create a new Group Policy Object to handle printers. Every time I attempt to create a new GPO, either in the Group Policy folder directly or the linked in one of the organizational folders I receive the following message - "This security ID may not be assigned as the owner of this object." I've been looking around but I haven't found anything that works. Most results for this search indicate that people are having trouble with Folder Redirection policies. We have Folder Redirection enabled, but every workstation in the domain is running Windows 7 Professional, and no one is having trouble with the redirection policy. I've double-checked the sysvol directory and both SYSTEM and Administrators have the appropriate rights. I've added the sysadmin account to the Group Policy Creator Owners group (which again, has rights to sysvol) but still nothing. I've been at this all day and I'm coming up completely empty. There's nothing in the Event View logs, and I even created another administrative level user or simply copy/pasting an existing GPO. Same message every time. This only started happening this week. Does anyone have any idea? I'm starting to get desperate.
Looks like I managed to solve it. Probably not ideal, but I'll share in case anyone else has a similar issue. Looks like the permissions were not correct as I had assumed. I went through again and granted Full Control to the Group Policy Creator Owners group on the following three folders: C:\Windows\sysvol\sysvol, C:\Windows\sysvol\sysvol\ourDomain.local, and C:\Windows\sysvol\sysvol\ourDomain.local\Policies. The last one, I set the rights to extend to subfiles and folders. After a quick logout to reset the permissions, I was able to create a new policy object.
I just encountered this issue. Google finds solutions (such as here) suggesting you verify you or your security group (domain admins, builtin\administrators) have Group Policy permissions in the Default Domain Controllers Policy at Computer Config > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Restore files and directories.
In my case, I also had to confirm the same permissions in my Default Domain Policy. I'm not sure how they changed, but after adding the group and forcing a Group Policy refresh (gpupdate /force), the problem was resolved.

Can Hudson be configured to prevent certain users from accessing certain projects?

I have various projects being built and tested periodically on a Hudson server, but I don't want every employee in the company to see published artifacts for every project.
Project-based matrix security seemed at first the key, but after many tests I find that granting overall read permissions is mandatory if you want users to be able to read anything in the hudson server.
So, in the end read permissions are binary: either you grant global read permission or you block everything, am I right?
Haven't tested it with the newest release, but I use the matrix setup. I gave Anonymous the overall read. This way they can see the login screen when they type http://servername:port/ but it does not give them access to the jobs. In the jobs themselves I configured the users that should actually see the job. Works like a charm.
UPDATE:
Meanwhile I found out that you can use authenticated instead of Anonymous. This enabled access to Hudson/Jenkins through the links in the Build failed messages. Now everyone gets the logon dialog and after signing in, they are right away at the job run of interest.
After trying to do something similar to you with Hudson's authorization settings, I came to the same conclusion you did.

Application/User Settings with Roaming Profiles

Hi Guys any help would be much appreciated.
We have an application that’s installed at several locations but we are having an issue at one particular site. In short the application settings (My.) are not being saved after a reboot. The application is built in VB.Net v3.5 Framework and we are not experiencing any issues elsewhere.
This particular site is using roaming profiles and the network administrator assures us that the correct permissions are applied to the user account(s) and all application data is being saved to the server. I’ve asked the network admin to check for the existence of the user settings file user.config in the Application Data directory and he says it doesn’t exist.
In our application we store the connection string to the database in the application settings under the user scope. If no connection string is present or if one is present and a connection to the database cannot be made then a form is shown asking the user for the database credentials. Each morning when the users boot the machine and open the application for the first time they are asked for these credentials but if they close the application and restart it they are not asked for them. This indicates to us that the settings are being saved but once the PC is rebooted and the application is opened for the first time they are asked for the database credentials. This seems like the settings are not persisting after a reboot.
Any thoughts/feedback would be much appreciated.
I'm wondering if it's Code Access Security preventing the file from being written?
If the sysadmin at the trouble site has implemented group policy folder redirection, the user's local/roaming profile could be getting stored on a network fileshare. Code Access Security is fairly picky about letting code read/write to/from network resources.
I'm sorry that I don't have more details than this, and I didn't find any sure-fire hits on Google, but searching for "code access security", "fulltrust" and any network/fileshare keywords you can think of may get you farther.