Jenkins Gerrit-Trigger not reporting +1 verified after successful job run

Question

I'm currently attempting to issue a "+1 Verified" using the Jenkins Gerrit-Trigger, but some reason the +1 is failing.

The permissions seem to be in order as the plugin is successfully able to issue "-1 Verified" and "Build Started" comments to the relevant Gerrit changeset.

When the job is successful the "+1 Verified" never materialises. Checking the Jenkins logs show that the last entry relevant to the job is showing a 403 response error:

The Jenkins logs also show the same request:

com.sonymobile.tools.gerrit.gerritevents.workers.rest.AbstractRestCommandJob run
SEVERE: Gerrit response: Forbidden

Gerrit also picks up on the request and the 403 response:

"POST /a/changes/tdmdev~develop~Id917dda3449bf9af738ad7f122adaecba70004bd/revisions/7eab7e90c6b7e66f23faaac7cbfd40d8c9c93726/review HTTP/1.1" 403 46 - "Apache-HttpClient/4.5.2 (Java/1.8.0_77)"

I've tested to see if theres any querky goings on with the API and have had success reporting "+1 Verify" using the URL from the Gerrit logs:

curl -v -X POST -d '{"reviewer":"srv_devops_jenkins","labels":{"Verified":"+1"}}' -H "Content-Type: application/json" --user "srv_devops_jenkins:***" --digest http://foobar.com:8080/a/changes/tdmdev~develop~Id917dda3449bf9af738ad7f122adaecba70004bd/revisions/7eab7e90c6b7e66f23faaac7cbfd40d8c9c93726/review

The Gerrit Trigger is configured to support RESTClient requests, I've ensured the following:

• RESTClient credentials are correct, clicking the "Test REST Connection" returns a success response.
• "Enable Verified" is ticked
• Restarted the Gerrit Trigger connection in Jenkins

The only way I've been successful is to disable the "REST API" and have requests made over the SSH connection, the only downside is that we need to issue +1's on custom labels which to the best of my knowledge aren't supported over SSH through the Gerrit-Trigger.

Versions:
Jenkins: 2.48
Gerrit-Trigger: 2.23.0
Gerrit: 2.12

Thanks for any help you can provide.

Answer 1

In short this is a Gerrit permission issue for the Jenkins user.

The Gerrit trigger when submitting requests over the RESTAPI was including both "Verify" & "Code Review" votes. Now our Jenkins user only had the Verify permission, so any "Code Review" modification was forbidden (explains the 403 response code).

Now as a solution it wasn't practical to simply give the Jenkins user "Code Review" permissions. Instead theres an option to configure the Gerrit vote settings within the Jenkins Job:

"Gerrit Trigger" > click "Advanced..." > "Gerrit Reporting Values"

Under the "Verify" heading, adding "1" for successful, while ensuring all other fields are blank allows the RESTAPI to only send the verify +1 vote after the build.