Mailinglist Archive: opensuse-buildservice (332 mails)

[Thomas Schmidt <tom@xxxxxxxxxxxx>]

On 06.07.2010 10:12, Zhang, Vivian wrote:
> Hi:
>  
>   The root cause of "osc ci" permission failure is caused by the double http 
> request for the remote resource access:
>     For the normal process with allow_anonymous disabled:
>     1. osc client sends the normal request without authentication header, 
> then server will give a 401 response with authentication requirement for real 
> "API login".
>     2. osc client sends the same request again with authentication header 
> which includes the username and password, e.g.:
>         "Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==" 
>
>     Then when allow_anonymous is enabled with IP_ADDR:
>     1. osc client sends the normal request without authentication header, it 
> passed the anonymous access check since the api server has the same IP_ADDR 
> as the webui server, it will login with _nobody_. 
>
>     Here is a workaround:
>     Adding one line for http_headers in ~/.oscrc, e.g.
>         [https://api.xxx.com]
>         user=xxx
>         passx=xxxxxxxxxxxxxxxxxxxxxx ==
>         + http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==
>
>     The encoded string after "Basic" is the base64 encoded "username:passwd", 
> or you can get it from command:
>         #echo -n username:passwd | base64
>
>      Anyway, it is a workaround from osc client side. Any good solution on 
> the authentication check in server side?

Maybe it would be a good idea if the osc client always sends the authentication 
header by default?

Greetings

-- 
Thomas Schmidt (tom [at] opensuse.org)
openSUSE Boosters Team
"Don't Panic", Douglas Adams (1952 - 11.05.2001)
-- 
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx