Mailinglist Archive: opensuse-buildservice (332 mails)

Re: [opensuse-buildservice] anonymous access support
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Tue, 6 Jul 2010 10:21:03 +0200
  • Message-id: <201007061021.04138.adrian@xxxxxxx>
On Tuesday 06 July 2010 10:12:48 Zhang, Vivian wrote:
Hi:

The root cause of "osc ci" permission failure is caused by the double http
request for the remote resource access:
For the normal process with allow_anonymous disabled:
1. osc client sends the normal request without authentication header,
then server will give a 401 response with authentication requirement for real
"API login".
2. osc client sends the same request again with authentication header
which includes the username and password, e.g.:
"Authorization: Basic amZkaW5nOm1vYmxpbjEyMw=="

Then when allow_anonymous is enabled with IP_ADDR:
1. osc client sends the normal request without authentication header, it
passed the anonymous access check since the api server has the same IP_ADDR
as the webui server, it will login with _nobody_.

So you run osc on the system where your webui is running ?
I have not tested that, I have to admit ...

Here is a workaround:
Adding one line for http_headers in ~/.oscrc, e.g.
[https://api.xxx.com]
user=xxx
passx=xxxxxxxxxxxxxxxxxxxxxx ==
+ http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==

The encoded string after "Basic" is the base64 encoded "username:passwd",
or you can get it from command:
#echo -n username:passwd | base64

Anyway, it is a workaround from osc client side. Any good solution on
the authentication check in server side?

Maybe checking for the client and only accepting the anonymous mode if the webui
is doing the request.

bye
adrian

Thanks
vivian

-----Original Message-----
From: Jan Engelhardt [mailto:jengelh@xxxxxxxxxx]
Sent: Thursday, July 01, 2010 5:46 PM
To: Adrian Schröter
Cc: Zhang, Vivian; Robert Xu; opensuse-buildservice@xxxxxxxxxxxx
Subject: Re: [opensuse-buildservice] anonymous access support

On Thursday 2010-07-01 11:37, Adrian Schröter wrote:
On Thursday 01 July 2010 10:59:19 Zhang, Vivian wrote:
Then to clarify it, "enabling anon access breaks osc ci" is an expected
behavior or a new issue caused by using ip_addr?

No, our instance api.opensuse.org is running fine with anonymous support.

11:44 ares:../osc2/osc > osc ci -m .
WARNING: validator directory /usr/lib/osc/source_validators configured,
but not existing. Skipping ...
Sending osc.spec
Server returned an error: HTTP Error 403: Forbidden
no permission to execute command 'copy'


And this 403 goes away if I disable allow_anonymous.


--

Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@xxxxxxx
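
A small model of the exchange discussed in this thread, added here as an illustration and not taken from the Open Build Service or osc code: it shows why a challenge-driven client ends up as _nobody_ when anonymous access is granted by source IP, and how the preemptive header and a client-based check change the outcome. The account, addresses, the `from_webui` marker and the rule that `_nobody_` may only read are assumptions.

```python
import base64

WEBUI_IP = "192.0.2.10"        # constructed address (TEST-NET-1)
USERS = {"alice": "s3cret"}    # constructed account

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def server(req, anon_rule):
    """Return (status, user); anon_rule decides when a request that carries
    no credentials may be mapped to _nobody_ instead of being challenged."""
    auth = req["headers"].get("Authorization")
    if auth and auth.startswith("Basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        if USERS.get(user) != pw:
            return 401, None
    elif anon_rule(req):
        user = "_nobody_"
    else:
        return 401, None       # challenge: the client retries with credentials
    if user == "_nobody_" and req["method"] != "GET":
        return 403, user       # assumption: anonymous access is read-only
    return 200, user

def by_ip(req):
    # Behaviour described in the thread: same IP as the webui is enough.
    return req["ip"] == WEBUI_IP

def by_client(req):
    # Direction suggested in the reply: only the webui itself is anonymous.
    # from_webui is a hypothetical marker; how the server establishes it
    # (for example a credential held only by the webui) is not modelled.
    return req["ip"] == WEBUI_IP and req.get("from_webui", False)

def osc_request(method, ip, anon_rule, preemptive=False):
    """Challenge-driven client: no credentials first, retry once on 401."""
    creds = {"Authorization": basic("alice", "s3cret")}
    headers = creds if preemptive else {}
    status, user = server({"method": method, "ip": ip, "headers": headers}, anon_rule)
    if status == 401 and not preemptive:
        status, user = server({"method": method, "ip": ip, "headers": creds}, anon_rule)
    return status, user
```
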
