On Tuesday 06 July 2010 10:12:48 Zhang, Vivian wrote:
Hi:
The root cause of "osc ci" permission failure is caused by the double http request for the remote resource access: For the normal process with allow_anonymous disabled: 1. osc client sends the normal request without authentication header, then server will give a 401 response with authentication requirement for real "API login". 2. osc client sends the same request again with authentication header which includes the username and password, e.g.: "Authorization: Basic amZkaW5nOm1vYmxpbjEyMw=="
Then when allow_anonymous is enabled with IP_ADDR: 1. osc client sends the normal request without authentication header, it passed the anonymous access check since the api server has the same IP_ADDR as the webui server, it will login with _nobody_.
So you run osc on the system where your webui is running ? I have not tested that, I have to admit ...
Here is a workaround: Adding one line for http_headers in ~/.oscrc, e.g. [https://api.xxx.com] user=xxx passx=xxxxxxxxxxxxxxxxxxxxxx == + http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==
The encoded string after "Basic" is the base64 encoded "username:passwd", or you can get it from command: #echo -n username:passwd | base64
Anyway, it is a workaround from osc client side. Any good solution on the authentication check in server side?
Maybe checking for the client and only accept the anonymouse mode, if the webui is doing the request. bye adrian
Thanks vivian
-----Original Message----- From: Jan Engelhardt [mailto:jengelh@medozas.de] Sent: Thursday, July 01, 2010 5:46 PM To: Adrian Schr?ter Cc: Zhang, Vivian; Robert Xu; opensuse-buildservice@opensuse.org Subject: Re: [opensuse-buildservice] anonymous access support
On Thursday 2010-07-01 11:37, Adrian Schröter wrote:
On Thursday 01 July 2010 10:59:19 Zhang, Vivian wrote:
Then to clarify it, "enabling anon access breaks osc ci " is a expected behavior or a new issue caused by using ip_addr?
No, our instance api.opensuse.org is running fine with anonymous support.
11:44 ares:../osc2/osc > osc ci -m . WARNING: validator directory /usr/lib/osc/source_validators configured, but not existing. Skipping ... Sending osc.spec Server returned an error: HTTP Error 403: Forbidden no permission to execute command 'copy'
And this 403 goes away if I disable allow_anonymous.
-- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org