Fix PUT/POST/DELETE REST-API with cookie authentication

Change-Id: I2a56197ee0 has broken existing Python (or other)
scripting when performing automation with Gerrit REST-API.
That is due to the generation of the GerritAccount cookie in
the HTTP response, which Python automatically manages
to reuse in subsequent calls.

Gerrit REST-API has a stricter requirement for incoming calls
that are not GET or HEAD requests: they need the X-Gerrit-Auth
HTTP header matching the associated attribute in the user's session.
When the X-Gerrit-Auth header isn't there OR does not correspond
to the user's session, the REST-API execution fails with
403 FORBIDDEN even though the user has an active session associated
with the cookie.

Python has no way to manage that logic out of the box and therefore
it is the responsibility of the Gerrit backend to request explicit
authentication when the incoming call isn't from a Git/HTTP client.

For the Git/HTTP requests instead, the requirement for X-Gerrit-Auth
isn't there and therefore, the current cookie-based authentication can
continue to be used as usual and won't cause any trouble.

Bug: Issue 14553
Change-Id: I62a7a59b07333eeb1a36d4a6b8b67edd5da76440
3 files changed
tree: 9a5be3aa14fa46f6172f6727966be0e1ca635f25
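
The failure the commit message describes, as an added example that is not Gerrit's code or part of this change: a simplified Python model of the request checks before and after the fix. The session store, token and password values, request paths and the rule used to recognise a Git/HTTP request are all assumptions made for illustration.

```python
# Simplified model of the checks the commit message describes; not Gerrit's code.
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple

SESSIONS = {"cookie-abc": {"user": "bot", "xsrf": "token-123"}}  # constructed
PASSWORDS = {"bot": "s3cret"}                                     # constructed
GIT_SUFFIXES = ("/info/refs", "/git-upload-pack", "/git-receive-pack")

@dataclass
class Request:
    method: str
    path: str
    cookie: Optional[str] = None                  # GerritAccount cookie value
    basic_auth: Optional[Tuple[str, str]] = None  # explicit credentials
    headers: dict = field(default_factory=dict)

def is_git_request(req):
    # Assumption: smart-HTTP endpoints are how a Git/HTTP client is recognised.
    return req.path.endswith(GIT_SUFFIXES)

def basic_auth_ok(req):
    if req.basic_auth is None:
        return False
    user, password = req.basic_auth
    return hmac.compare_digest(PASSWORDS.get(user, ""), password)

def handle(req, fixed):
    """Return the HTTP status for req, before (fixed=False) or after the fix."""
    session = SESSIONS.get(req.cookie)
    git = is_git_request(req)
    # Assumption: after the fix only Git/HTTP requests reuse the cookie session.
    if session is not None and (git or not fixed):
        needs_token = req.method not in ("GET", "HEAD") and not git
        token = req.headers.get("X-Gerrit-Auth", "")
        if needs_token and not hmac.compare_digest(token, session["xsrf"]):
            return 403  # active session, but header missing or mismatched
        return 200
    return 200 if basic_auth_ok(req) else 401  # explicit authentication

def scripted_client(fixed):
    """Script that always sends credentials and replays the cookie it was given."""
    creds = ("bot", "s3cret")
    first = handle(Request("GET", "/a/changes/", basic_auth=creds), fixed)
    # The HTTP library stored GerritAccount from the first response and resends it.
    second = handle(Request("PUT", "/a/changes/1/topic", cookie="cookie-abc",
                            basic_auth=creds), fixed)
    return first, second
```

In this model `scripted_client(fixed=False)` reproduces the 403 on the second call, while a Git/HTTP request carrying only the cookie is still accepted after the fix.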

Gerrit Code Review

Gerrit is a code review and project management tool for Git based projects.


Gerrit makes reviews easier by showing changes in a side-by-side display, and allowing inline comments to be added by any reviewer.

Gerrit simplifies Git based project maintainership by permitting any authorized user to submit changes to the master Git repository, rather than requiring all approved changes to be merged in by hand by the project maintainer.


For information about how to install and use Gerrit, refer to the documentation.


Our canonical Git repository is located on There is a mirror of the repository on Github.

Reporting bugs

Please report bugs on the issue tracker.


Gerrit is the work of hundreds of contributors. We appreciate your help!

Please read the contribution guidelines.

Note that we do not accept Pull Requests via the Github mirror.

Getting in contact

The Developer Mailing list is repo-discuss on Google Groups.


Gerrit is provided under the Apache License 2.0.


Install Bazel and run the following:

    git clone --recurse-submodules
    cd gerrit && bazel build release

Install binary packages (Deb/Rpm)

The instructions on how to configure the GerritForge/BinTray repositories are here

On Debian/Ubuntu run:

    apt-get update && apt-get install gerrit=<version>-<release>

NOTE: release is a counter that starts with 1 and indicates the number of packages that have been released with the same version of the software.

On CentOS/RedHat run:

    yum clean all && yum install gerrit-<version>[-<release>]

On Fedora run:

    dnf clean all && dnf install gerrit-<version>[-<release>]

Use pre-built Gerrit images on Docker

Docker images of Gerrit are available on DockerHub

To run a CentOS 7 based Gerrit image:

    docker run -p 8080:8080 gerritforge/gerrit-centos7[:version]

To run an Ubuntu 15.04 based Gerrit image:

    docker run -p 8080:8080 gerritforge/gerrit-ubuntu15.04[:version]

NOTE: release is optional. The last released package of the version is installed if the release number is omitted.