Specify the ip addr as "webui_host" can solve anonymous access issue. You should set webui_host the same as request.env['REMOTE_ADDR'] ] to pass the check, like : webui_host: "::ffff:10.239.36.25" But the fixing imports another issue. :) The osc client will login as the _nobody_ by default which caused permission issues. And my request.env.inspect: request.env.inspect = {"rack.session"=>{:session_id=>"f7b1177cf432f9bf9e8019b41bb36c51"}, "HTTP_HOST"=>"api.obstest.sh.intel.com", "HTTP_ACCEPT"=>"*/*", "SERVER_NAME"=>"api.obstest.sh.intel.com", "REQUEST_PATH"=>"/", "rack.url_scheme"=>"http", "HTTP_USER_AGENT"=>"buildservice-webclient/1.0", "action_controller.request.request_parameters"=>{}, "rack.errors"=>#FCGI::Stream:0xb6758954, "CONTENT_TYPE"=>"text/plain", "SERVER_PROTOCOL"=>"HTTP/1.1", "FCGI_ROLE"=>"RESPONDER", "rack.version"=>[1, 0], "rack.run_once"=>false, "REMOTE_ADDR"=>"::ffff:10.239.36.25", "SERVER_SOFTWARE"=>"lighttpd/1.4.20", "SCRIPT_NAME"=>"/dispatch.fcgi", "SERVER_ADDR"=>"::ffff:10.239.36.25", "HTTP_VERSION"=>"HTTP/1.1", "rack.multithread"=>false, "action_controller.request.path_parameters"=>{"action"=>"workerstatus", "controller"=>"status"}, "rack.multiprocess"=>true, "REQUEST_URI"=>"/status/workerstatus", "REMOTE_PORT"=>"39996", "rack.request.query_hash"=>{}, "SERVER_PORT"=>"80", "rack.session.options"=>{:domain=>nil, :expire_after=>nil, :key=>"_session_id", :id=>"f7b1177cf432f9bf9e8019b41bb36c51", :httponly=>true, :path=>"/"}, "REQUEST_METHOD"=>"GET", "DOCUMENT_ROOT"=>"/srv/www/obs/api/public", "action_controller.request.query_parameters"=>{}, "action_controller.rescue.request"=>#, @parameters={"action"=>"workerstatus", "controller"=>"status"}>, "SCRIPT_FILENAME"=>"/srv/www/obs/api/public/dispatch.fcgi", "rack.request.query_string"=>"", "action_controller.rescue.response"=>#, @parameters={"action"=>"workerstatus", "controller"=>"status"}>, @session={:session_id=>"f7b1177cf432f9bf9e8019b41bb36c51"}, @header={"X-Opensuse-APIVersion"=>"1.9", "Cache-Control"=>"no-cache"}, @writer=#Proc:0xb66f3ce8@/usr/lib/ruby/gems/1.8/gems/actionpack-2.3.5/lib/action_cont..., @redirected_to=nil, @template=#ActionView::Base::ProxyModule:0xb675734c, @controller=#, @parameters={"action"=>"workerstatus", "controller"=>"status"}>, @performed_redirect=false, @request_origin="::ffff:10.239.36.25 at 2010-06-30 14:05:41", @_headers={"X-Opensuse-APIVersion"=>"1.9", "Cache-Control"=>"no-cache"}, @template=#, @_response=#, @before_filter_chain_aborted=false, @_session={:session_id=>"f7b1177cf432f9bf9e8019b41bb36c51"}, @performed_render=false, @action_name="workerstatus", @_params={"action"=>"workerstatus", "controller"=>"status"}, @url=#, @parameters={"action"=>"workerstatus", "controller"=>"status"}>, @parameters={"action"=>"workerstatus", "controller"=>"status"}>, @real_format=nil, @auth_method=:basic>, @_current_render=nil, @view_paths=["/srv/www/obs/api/app/views"], @assigns_added=nil, @_first_render=nil, @assigns={}>, @body=["", []], @block=nil, @status=200, @assigns=[]>, "rack.input"=>#FCGI::Stream:0xb675897c, @unlinked=false, @rewindable_io=nil>, "REDIRECT_STATUS"=>"200", "QUERY_STRING"=>"", "GATEWAY_INTERFACE"=>"CGI/1.1"} Thanks. vivian -----Original Message----- From: Jan Engelhardt [mailto:jengelh@medozas.de] Sent: Wednesday, June 30, 2010 2:27 PM To: Adrian Schröter Cc: opensuse-buildservice@opensuse.org; Zhang, Vivian Subject: Re: [opensuse-buildservice] anonymous access support On Wednesday 2010-06-30 07:57, Adrian Schröter wrote:

On Wednesday 30 June 2010 05:15:25 Zhang, Vivian wrote:

...

Hi, I have setup OBS 2.0.1 on my local machine and tried to enable anonymous access.

Here is my config in /srv/www/obs/api/config/options.xml:

allow_anonymous: true webui_host: build.obstest.sh.intel.com

Unfortunately, it does not work, the log reports : Processing StatusController#workerstatus (for ::ffff:10.239.36.25 at 2010-06-30 11:09:50) [GET] [D|# 8304] AUTH: [D|# 8304] remote_host: [D|# 8304] remote_addr: ::ffff:10.239.36.25 [D|# 8304] no authentication string was sent

Seems the request.env['REMOTE_HOST'] is NULL and it failed at the host check at: [...app/controllers/application_controller.rb] if @http_user.nil? and CONFIG['allow_anonymous'] and CONFIG['webui_host'] and [ request.env['REMOTE_HOST'], request.env['REMOTE_ADDR'] ].include?( CONFIG['webui_host'] )

Any comments?

Try to specify the ip addr as "webui_host". lighttpd 1.4 seems to require that since it does no dns lookup for that.

Putting the address into webui_host doesn't change the situation here, either.

If that does not help, I would be interessted in the output of "request.env.inspect" near this code line.

08:20 ares:../obs/api # grep -r request.env.inspect . grep: ./tmp/sockets/fcgi.socket-4: No such device or address grep: ./tmp/sockets/fcgi.socket-7: No such device or address grep: ./tmp/sockets/fcgi.socket-10: No such device or address grep: ./tmp/sockets/fcgi.socket-1: No such device or address grep: ./tmp/sockets/fcgi.socket-0: No such device or address grep: ./tmp/sockets/fcgi.socket-9: No such device or address grep: ./tmp/sockets/fcgi.socket-3: No such device or address grep: ./tmp/sockets/fcgi.socket-8: No such device or address grep: ./tmp/sockets/fcgi.socket-6: No such device or address grep: ./tmp/sockets/fcgi.socket-5: No such device or address grep: ./tmp/sockets/fcgi.socket-2: No such device or address grep: ./tmp/sockets/fcgi.socket-11: No such device or address N�����r��y隊Z)z{.���Wlz��qﮞ˛���m�)z{.��+�Z+i�b�*'jW(�f�vǦj)h���Ǜ�)]���Ǿ��i�������

On Wednesday 2010-06-30 08:55, Jan Engelhardt wrote:

...

Try to specify the ip addr as "webui_host". lighttpd 1.4 seems to require that since it does no dns lookup for that.

Adrian, your commit 2131a4202f68881b8fae72557f9d6f6c2cb0ae76 is not quite functional, because IPv4 isn't the only way of connecting to the target. -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org

On Wednesday 2010-06-30 22:48, Robert Xu wrote:

On Wed, Jun 30, 2010 at 03:03, Jan Engelhardt wrote:

...

On Wednesday 2010-06-30 08:55, Jan Engelhardt wrote:

...

...

Try to specify the ip addr as "webui_host". lighttpd 1.4 seems to require that since it does no dns lookup for that.

Adrian, your commit 2131a4202f68881b8fae72557f9d6f6c2cb0ae76 is not quite functional, because IPv4 isn't the only way of connecting to the target.

I am confused. So, what did you change to make anonymous access work?

webui_host: 2001:470:1f0b:1129::5 Then again, enabling anon access breaks "osc ci". Back to a closed one for now :-/ -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org

On Thursday 01 July 2010 10:59:19 Zhang, Vivian wrote:

Then to clarify it, "enabling anon access breaks osc ci " is a expected behavior or a new issue caused by using ip_addr?

No, our instance api.opensuse.org is running fine with anonymous support. bye adrian

Thanks vivian

-----Original Message----- From: Jan Engelhardt [mailto:jengelh@medozas.de] Sent: Thursday, July 01, 2010 5:12 AM To: Robert Xu Cc: Adrian Schr?ter; opensuse-buildservice@opensuse.org; Zhang, Vivian Subject: Re: [opensuse-buildservice] anonymous access support

On Wednesday 2010-06-30 22:48, Robert Xu wrote:

...

On Wed, Jun 30, 2010 at 03:03, Jan Engelhardt wrote:

...

On Wednesday 2010-06-30 08:55, Jan Engelhardt wrote:

...

...

Try to specify the ip addr as "webui_host". lighttpd 1.4 seems to require that since it does no dns lookup for that.

Adrian, your commit 2131a4202f68881b8fae72557f9d6f6c2cb0ae76 is not quite functional, because IPv4 isn't the only way of connecting to the target.

I am confused. So, what did you change to make anonymous access work?

webui_host: 2001:470:1f0b:1129::5

Then again, enabling anon access breaks "osc ci". Back to a closed one for now :-/

-- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org

Hi: The root cause of "osc ci" permission failure is caused by the double http request for the remote resource access: For the normal process with allow_anonymous disabled: 1. osc client sends the normal request without authentication header, then server will give a 401 response with authentication requirement for real "API login". 2. osc client sends the same request again with authentication header which includes the username and password, e.g.: "Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==" Then when allow_anonymous is enabled with IP_ADDR: 1. osc client sends the normal request without authentication header, it passed the anonymous access check since the api server has the same IP_ADDR as the webui server, it will login with _nobody_. Here is a workaround: Adding one line for http_headers in ~/.oscrc, e.g. [https://api.xxx.com] user=xxx passx=xxxxxxxxxxxxxxxxxxxxxx == + http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw== The encoded string after "Basic" is the base64 encoded "username:passwd", or you can get it from command: #echo -n username:passwd | base64 Anyway, it is a workaround from osc client side. Any good solution on the authentication check in server side? Thanks vivian -----Original Message----- From: Jan Engelhardt [mailto:jengelh@medozas.de] Sent: Thursday, July 01, 2010 5:46 PM To: Adrian Schr?ter Cc: Zhang, Vivian; Robert Xu; opensuse-buildservice@opensuse.org Subject: Re: [opensuse-buildservice] anonymous access support On Thursday 2010-07-01 11:37, Adrian Schröter wrote:

On Thursday 01 July 2010 10:59:19 Zhang, Vivian wrote:

...

Then to clarify it, "enabling anon access breaks osc ci " is a expected behavior or a new issue caused by using ip_addr?

No, our instance api.opensuse.org is running fine with anonymous support.

11:44 ares:../osc2/osc > osc ci -m . WARNING: validator directory /usr/lib/osc/source_validators configured, but not existing. Skipping ... Sending osc.spec Server returned an error: HTTP Error 403: Forbidden no permission to execute command 'copy' And this 403 goes away if I disable allow_anonymous. N�����r��y隊Z)z{.���Wlz��qﮞ˛���m�)z{.��+�Z+i�b�*'jW(�f�vǦj)h���Ǜ�)]���Ǿ��i�������

No, the osc client running on the different system. What I mean here is that "api" host and "webui" host are on the same system, they share the same IP_Addr, I think it is a common configuration. Then the point here is how to check that it is the request from WebUI, right? I compared the two requests(attached) and does not found the useful env parameter. Thanks vivian -----Original Message----- From: Adrian Schr?ter [mailto:adrian@suse.de] Sent: Tuesday, July 06, 2010 4:21 PM To: Zhang, Vivian Cc: Jan Engelhardt; Robert Xu; opensuse-buildservice@opensuse.org Subject: Re: [opensuse-buildservice] anonymous access support On Tuesday 06 July 2010 10:12:48 Zhang, Vivian wrote:

Hi:

The root cause of "osc ci" permission failure is caused by the double http request for the remote resource access: For the normal process with allow_anonymous disabled: 1. osc client sends the normal request without authentication header, then server will give a 401 response with authentication requirement for real "API login". 2. osc client sends the same request again with authentication header which includes the username and password, e.g.: "Authorization: Basic amZkaW5nOm1vYmxpbjEyMw=="

Then when allow_anonymous is enabled with IP_ADDR: 1. osc client sends the normal request without authentication header, it passed the anonymous access check since the api server has the same IP_ADDR as the webui server, it will login with _nobody_.

So you run osc on the system where your webui is running ? I have not tested that, I have to admit ...

Here is a workaround: Adding one line for http_headers in ~/.oscrc, e.g. [https://api.xxx.com] user=xxx passx=xxxxxxxxxxxxxxxxxxxxxx == + http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==

The encoded string after "Basic" is the base64 encoded "username:passwd", or you can get it from command: #echo -n username:passwd | base64

Anyway, it is a workaround from osc client side. Any good solution on the authentication check in server side?

Maybe checking for the client and only accept the anonymouse mode, if the webui is doing the request. bye adrian

Thanks vivian

-----Original Message----- From: Jan Engelhardt [mailto:jengelh@medozas.de] Sent: Thursday, July 01, 2010 5:46 PM To: Adrian Schr?ter Cc: Zhang, Vivian; Robert Xu; opensuse-buildservice@opensuse.org Subject: Re: [opensuse-buildservice] anonymous access support

On Thursday 2010-07-01 11:37, Adrian Schröter wrote:

...

On Thursday 01 July 2010 10:59:19 Zhang, Vivian wrote:

...

Then to clarify it, "enabling anon access breaks osc ci " is a expected behavior or a new issue caused by using ip_addr?

No, our instance api.opensuse.org is running fine with anonymous support.

11:44 ares:../osc2/osc > osc ci -m . WARNING: validator directory /usr/lib/osc/source_validators configured, but not existing. Skipping ... Sending osc.spec Server returned an error: HTTP Error 403: Forbidden no permission to execute command 'copy'

And this 403 goes away if I disable allow_anonymous.

-- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de

On 06.07.2010 10:12, Zhang, Vivian wrote:

Hi:

The root cause of "osc ci" permission failure is caused by the double http request for the remote resource access: For the normal process with allow_anonymous disabled: 1. osc client sends the normal request without authentication header, then server will give a 401 response with authentication requirement for real "API login". 2. osc client sends the same request again with authentication header which includes the username and password, e.g.: "Authorization: Basic amZkaW5nOm1vYmxpbjEyMw=="

Then when allow_anonymous is enabled with IP_ADDR: 1. osc client sends the normal request without authentication header, it passed the anonymous access check since the api server has the same IP_ADDR as the webui server, it will login with _nobody_.

Here is a workaround: Adding one line for http_headers in ~/.oscrc, e.g. [https://api.xxx.com] user=xxx passx=xxxxxxxxxxxxxxxxxxxxxx == + http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==

The encoded string after "Basic" is the base64 encoded "username:passwd", or you can get it from command: #echo -n username:passwd | base64

Anyway, it is a workaround from osc client side. Any good solution on the authentication check in server side?

Maybe it would be a good idea if the osc client always sends the authentication header by default? Greetings -- Thomas Schmidt (tom [at] opensuse.org) openSUSE Boosters Team "Don't Panic", Douglas Adams (1952 - 11.05.2001) -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org

On Tue, Jul 6, 2010 at 11:12 AM, Zhang, Vivian wrote:

   Here is a workaround:    Adding one line for http_headers in ~/.oscrc, e.g.        [https://api.xxx.com]        user=xxx        passx=xxxxxxxxxxxxxxxxxxxxxx ==        + http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==

   The encoded string after "Basic" is the base64 encoded "username:passwd", or you can get it from command:        #echo -n username:passwd | base64

don't ask me the technical details, but this workaround fixed an issue I have when I upload to MeeGo OBS behind a proxy. Thanks for the tips. -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org