[opensuse-buildservice] anonymous access support
Hi, I have setup OBS 2.0.1 on my local machine and tried to enable anonymous access. Here is my config in /srv/www/obs/api/config/options.xml: allow_anonymous: true webui_host: build.obstest.sh.intel.com Unfortunately, it does not work, the log reports : Processing StatusController#workerstatus (for ::ffff:10.239.36.25 at 2010-06-30 11:09:50) [GET] [D|# 8304] AUTH: [D|# 8304] remote_host: [D|# 8304] remote_addr: ::ffff:10.239.36.25 [D|# 8304] no authentication string was sent Seems the request.env['REMOTE_HOST'] is NULL and it failed at the host check at: [...app/controllers/application_controller.rb] if @http_user.nil? and CONFIG['allow_anonymous'] and CONFIG['webui_host'] and [ request.env['REMOTE_HOST'], request.env['REMOTE_ADDR'] ].include?( CONFIG['webui_host'] ) Any comments? Thanks vivian
On Wednesday 30 June 2010 05:15:25 Zhang, Vivian wrote:
Hi, I have setup OBS 2.0.1 on my local machine and tried to enable anonymous access.
Here is my config in /srv/www/obs/api/config/options.xml:
allow_anonymous: true
webui_host: build.obstest.sh.intel.com
Unfortunately, it does not work, the log reports : Processing StatusController#workerstatus (for ::ffff:10.239.36.25 at 2010-06-30 11:09:50) [GET] [D|# 8304] AUTH: [D|# 8304] remote_host: [D|# 8304] remote_addr: ::ffff:10.239.36.25 [D|# 8304] no authentication string was sent
Seems the request.env['REMOTE_HOST'] is NULL and it failed at the host check at: [...app/controllers/application_controller.rb] if @http_user.nil? and CONFIG['allow_anonymous'] and CONFIG['webui_host'] and [ request.env['REMOTE_HOST'], request.env['REMOTE_ADDR'] ].include?( CONFIG['webui_host'] )
Any comments?
Try to specify the ip addr as "webui_host". lighttpd 1.4 seems to require that since it does no dns lookup for that. If that does not help, I would be interessted in the output of "request.env.inspect" near this code line. bye adrian -- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Wednesday 2010-06-30 07:57, Adrian Schröter wrote:
On Wednesday 30 June 2010 05:15:25 Zhang, Vivian wrote:
Hi, I have setup OBS 2.0.1 on my local machine and tried to enable anonymous access.
Here is my config in /srv/www/obs/api/config/options.xml:
allow_anonymous: true webui_host: build.obstest.sh.intel.com
Unfortunately, it does not work, the log reports : Processing StatusController#workerstatus (for ::ffff:10.239.36.25 at 2010-06-30 11:09:50) [GET] [D|# 8304] AUTH: [D|# 8304] remote_host: [D|# 8304] remote_addr: ::ffff:10.239.36.25 [D|# 8304] no authentication string was sent
Seems the request.env['REMOTE_HOST'] is NULL and it failed at the host check at: [...app/controllers/application_controller.rb] if @http_user.nil? and CONFIG['allow_anonymous'] and CONFIG['webui_host'] and [ request.env['REMOTE_HOST'], request.env['REMOTE_ADDR'] ].include?( CONFIG['webui_host'] )
Any comments?
Try to specify the ip addr as "webui_host". lighttpd 1.4 seems to require that since it does no dns lookup for that.
Putting the address into webui_host doesn't change the situation here, either.
If that does not help, I would be interessted in the output of "request.env.inspect" near this code line.
08:20 ares:../obs/api # grep -r request.env.inspect . grep: ./tmp/sockets/fcgi.socket-4: No such device or address grep: ./tmp/sockets/fcgi.socket-7: No such device or address grep: ./tmp/sockets/fcgi.socket-10: No such device or address grep: ./tmp/sockets/fcgi.socket-1: No such device or address grep: ./tmp/sockets/fcgi.socket-0: No such device or address grep: ./tmp/sockets/fcgi.socket-9: No such device or address grep: ./tmp/sockets/fcgi.socket-3: No such device or address grep: ./tmp/sockets/fcgi.socket-8: No such device or address grep: ./tmp/sockets/fcgi.socket-6: No such device or address grep: ./tmp/sockets/fcgi.socket-5: No such device or address grep: ./tmp/sockets/fcgi.socket-2: No such device or address grep: ./tmp/sockets/fcgi.socket-11: No such device or address -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
Specify the ip addr as "webui_host" can solve anonymous access issue.
You should set webui_host the same as request.env['REMOTE_ADDR'] ] to pass the check, like :
webui_host: "::ffff:10.239.36.25"
But the fixing imports another issue. :) The osc client will login as the _nobody_ by default which caused permission issues.
And my request.env.inspect:
request.env.inspect = {"rack.session"=>{:session_id=>"f7b1177cf432f9bf9e8019b41bb36c51"}, "HTTP_HOST"=>"api.obstest.sh.intel.com", "HTTP_ACCEPT"=>"*/*", "SERVER_NAME"=>"api.obstest.sh.intel.com", "REQUEST_PATH"=>"/", "rack.url_scheme"=>"http", "HTTP_USER_AGENT"=>"buildservice-webclient/1.0", "action_controller.request.request_parameters"=>{}, "rack.errors"=>#FCGI::Stream:0xb6758954, "CONTENT_TYPE"=>"text/plain", "SERVER_PROTOCOL"=>"HTTP/1.1", "FCGI_ROLE"=>"RESPONDER", "rack.version"=>[1, 0], "rack.run_once"=>false, "REMOTE_ADDR"=>"::ffff:10.239.36.25", "SERVER_SOFTWARE"=>"lighttpd/1.4.20", "SCRIPT_NAME"=>"/dispatch.fcgi", "SERVER_ADDR"=>"::ffff:10.239.36.25", "HTTP_VERSION"=>"HTTP/1.1", "rack.multithread"=>false, "action_controller.request.path_parameters"=>{"action"=>"workerstatus", "controller"=>"status"}, "rack.multiprocess"=>true, "REQUEST_URI"=>"/status/workerstatus", "REMOTE_PORT"=>"39996", "rack.request.query_hash"=>{}, "SERVER_PORT"=>"80", "rack.session.options"=>{:domain=>nil, :expire_after=>nil, :key=>"_session_id", :id=>"f7b1177cf432f9bf9e8019b41bb36c51", :httponly=>true, :path=>"/"}, "REQUEST_METHOD"=>"GET", "DOCUMENT_ROOT"=>"/srv/www/obs/api/public", "action_controller.request.query_parameters"=>{}, "action_controller.rescue.request"=>#
On Wednesday 30 June 2010 05:15:25 Zhang, Vivian wrote:
Hi, I have setup OBS 2.0.1 on my local machine and tried to enable anonymous access.
Here is my config in /srv/www/obs/api/config/options.xml:
allow_anonymous: true webui_host: build.obstest.sh.intel.com
Unfortunately, it does not work, the log reports : Processing StatusController#workerstatus (for ::ffff:10.239.36.25 at 2010-06-30 11:09:50) [GET] [D|# 8304] AUTH: [D|# 8304] remote_host: [D|# 8304] remote_addr: ::ffff:10.239.36.25 [D|# 8304] no authentication string was sent
Seems the request.env['REMOTE_HOST'] is NULL and it failed at the host check at: [...app/controllers/application_controller.rb] if @http_user.nil? and CONFIG['allow_anonymous'] and CONFIG['webui_host'] and [ request.env['REMOTE_HOST'], request.env['REMOTE_ADDR'] ].include?( CONFIG['webui_host'] )
Any comments?
Try to specify the ip addr as "webui_host". lighttpd 1.4 seems to require that since it does no dns lookup for that.
Putting the address into webui_host doesn't change the situation here, either.
If that does not help, I would be interessted in the output of "request.env.inspect" near this code line.
08:20 ares:../obs/api # grep -r request.env.inspect . grep: ./tmp/sockets/fcgi.socket-4: No such device or address grep: ./tmp/sockets/fcgi.socket-7: No such device or address grep: ./tmp/sockets/fcgi.socket-10: No such device or address grep: ./tmp/sockets/fcgi.socket-1: No such device or address grep: ./tmp/sockets/fcgi.socket-0: No such device or address grep: ./tmp/sockets/fcgi.socket-9: No such device or address grep: ./tmp/sockets/fcgi.socket-3: No such device or address grep: ./tmp/sockets/fcgi.socket-8: No such device or address grep: ./tmp/sockets/fcgi.socket-6: No such device or address grep: ./tmp/sockets/fcgi.socket-5: No such device or address grep: ./tmp/sockets/fcgi.socket-2: No such device or address grep: ./tmp/sockets/fcgi.socket-11: No such device or address N�����r��y隊Z)z{.���Wlz��qﮞ˛���m�)z{.��+�Z+i�b�*'jW(�f�vǦj)h���Ǜ�)]���Ǿ��i�������
On Wednesday 2010-06-30 07:57, Adrian Schröter wrote:
Processing StatusController#workerstatus (for ::ffff:10.239.36.25 at 2010-06-30 11:09:50) [GET] [D|# 8304] AUTH: [D|# 8304] remote_host: [D|# 8304] remote_addr: ::ffff:10.239.36.25 [D|# 8304] no authentication string was sent
Seems the request.env['REMOTE_HOST'] is NULL and it failed at the host check at: [...app/controllers/application_controller.rb] if @http_user.nil? and CONFIG['allow_anonymous'] and CONFIG['webui_host'] and [ request.env['REMOTE_HOST'], request.env['REMOTE_ADDR'] ].include?( CONFIG['webui_host'] )
Try to specify the ip addr as "webui_host". lighttpd 1.4 seems to require that since it does no dns lookup for that.
Using a php script with lighttpd and dumping the environment shows indeed that no REMOTE_HOST is defined. So it seems application_controller.rb also checks REMOTE_ADDR. Well, as I mumbled previously "just which one address _should_ I put there?" ::1, 127.0.0.1, or any of the two public addresses... anyway I tried that (adding a debug REMOTE_ADDR line) and then chose the one. Anonymous access works now, but lighttpd not doing a resolution woha, was nowhere described. -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Wednesday 2010-06-30 08:55, Jan Engelhardt wrote:
Try to specify the ip addr as "webui_host". lighttpd 1.4 seems to require that since it does no dns lookup for that.
Adrian, your commit 2131a4202f68881b8fae72557f9d6f6c2cb0ae76 is not quite functional, because IPv4 isn't the only way of connecting to the target. -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Wed, Jun 30, 2010 at 03:03, Jan Engelhardt
On Wednesday 2010-06-30 08:55, Jan Engelhardt wrote:
Try to specify the ip addr as "webui_host". lighttpd 1.4 seems to require that since it does no dns lookup for that.
Adrian, your commit 2131a4202f68881b8fae72557f9d6f6c2cb0ae76 is not quite functional, because IPv4 isn't the only way of connecting to the target.
I am confused. So, what did you change to make anonymous access work? -- later, Robert Xu -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Wednesday 2010-06-30 22:48, Robert Xu wrote:
On Wed, Jun 30, 2010 at 03:03, Jan Engelhardt
wrote: On Wednesday 2010-06-30 08:55, Jan Engelhardt wrote:
Try to specify the ip addr as "webui_host". lighttpd 1.4 seems to require that since it does no dns lookup for that.
Adrian, your commit 2131a4202f68881b8fae72557f9d6f6c2cb0ae76 is not quite functional, because IPv4 isn't the only way of connecting to the target.
I am confused. So, what did you change to make anonymous access work?
webui_host: 2001:470:1f0b:1129::5 Then again, enabling anon access breaks "osc ci". Back to a closed one for now :-/ -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
Then to clarify it, "enabling anon access breaks osc ci " is a expected behavior or a new issue caused by using ip_addr? Thanks vivian -----Original Message----- From: Jan Engelhardt [mailto:jengelh@medozas.de] Sent: Thursday, July 01, 2010 5:12 AM To: Robert Xu Cc: Adrian Schr?ter; opensuse-buildservice@opensuse.org; Zhang, Vivian Subject: Re: [opensuse-buildservice] anonymous access support On Wednesday 2010-06-30 22:48, Robert Xu wrote:
On Wed, Jun 30, 2010 at 03:03, Jan Engelhardt
wrote: On Wednesday 2010-06-30 08:55, Jan Engelhardt wrote:
Try to specify the ip addr as "webui_host". lighttpd 1.4 seems to require that since it does no dns lookup for that.
Adrian, your commit 2131a4202f68881b8fae72557f9d6f6c2cb0ae76 is not quite functional, because IPv4 isn't the only way of connecting to the target.
I am confused. So, what did you change to make anonymous access work?
webui_host: 2001:470:1f0b:1129::5 Then again, enabling anon access breaks "osc ci". Back to a closed one for now :-/ -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Thursday 01 July 2010 10:59:19 Zhang, Vivian wrote:
Then to clarify it, "enabling anon access breaks osc ci " is a expected behavior or a new issue caused by using ip_addr?
No, our instance api.opensuse.org is running fine with anonymous support. bye adrian
Thanks vivian
-----Original Message----- From: Jan Engelhardt [mailto:jengelh@medozas.de] Sent: Thursday, July 01, 2010 5:12 AM To: Robert Xu Cc: Adrian Schr?ter; opensuse-buildservice@opensuse.org; Zhang, Vivian Subject: Re: [opensuse-buildservice] anonymous access support
On Wednesday 2010-06-30 22:48, Robert Xu wrote:
On Wed, Jun 30, 2010 at 03:03, Jan Engelhardt
wrote: On Wednesday 2010-06-30 08:55, Jan Engelhardt wrote:
Try to specify the ip addr as "webui_host". lighttpd 1.4 seems to require that since it does no dns lookup for that.
Adrian, your commit 2131a4202f68881b8fae72557f9d6f6c2cb0ae76 is not quite functional, because IPv4 isn't the only way of connecting to the target.
I am confused. So, what did you change to make anonymous access work?
webui_host: 2001:470:1f0b:1129::5
Then again, enabling anon access breaks "osc ci". Back to a closed one for now :-/
-- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Thursday 2010-07-01 11:37, Adrian Schröter wrote:
On Thursday 01 July 2010 10:59:19 Zhang, Vivian wrote:
Then to clarify it, "enabling anon access breaks osc ci " is a expected behavior or a new issue caused by using ip_addr?
No, our instance api.opensuse.org is running fine with anonymous support.
11:44 ares:../osc2/osc > osc ci -m . WARNING: validator directory /usr/lib/osc/source_validators configured, but not existing. Skipping ... Sending osc.spec Server returned an error: HTTP Error 403: Forbidden no permission to execute command 'copy' And this 403 goes away if I disable allow_anonymous. -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
Hi: The root cause of "osc ci" permission failure is caused by the double http request for the remote resource access: For the normal process with allow_anonymous disabled: 1. osc client sends the normal request without authentication header, then server will give a 401 response with authentication requirement for real "API login". 2. osc client sends the same request again with authentication header which includes the username and password, e.g.: "Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==" Then when allow_anonymous is enabled with IP_ADDR: 1. osc client sends the normal request without authentication header, it passed the anonymous access check since the api server has the same IP_ADDR as the webui server, it will login with _nobody_. Here is a workaround: Adding one line for http_headers in ~/.oscrc, e.g. [https://api.xxx.com] user=xxx passx=xxxxxxxxxxxxxxxxxxxxxx == + http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw== The encoded string after "Basic" is the base64 encoded "username:passwd", or you can get it from command: #echo -n username:passwd | base64 Anyway, it is a workaround from osc client side. Any good solution on the authentication check in server side? Thanks vivian -----Original Message----- From: Jan Engelhardt [mailto:jengelh@medozas.de] Sent: Thursday, July 01, 2010 5:46 PM To: Adrian Schr?ter Cc: Zhang, Vivian; Robert Xu; opensuse-buildservice@opensuse.org Subject: Re: [opensuse-buildservice] anonymous access support On Thursday 2010-07-01 11:37, Adrian Schröter wrote:
On Thursday 01 July 2010 10:59:19 Zhang, Vivian wrote:
Then to clarify it, "enabling anon access breaks osc ci " is a expected behavior or a new issue caused by using ip_addr?
No, our instance api.opensuse.org is running fine with anonymous support.
11:44 ares:../osc2/osc > osc ci -m . WARNING: validator directory /usr/lib/osc/source_validators configured, but not existing. Skipping ... Sending osc.spec Server returned an error: HTTP Error 403: Forbidden no permission to execute command 'copy' And this 403 goes away if I disable allow_anonymous. N�����r��y隊Z)z{.���Wlz��qﮞ˛���m�)z{.��+�Z+i�b�*'jW(�f�vǦj)h���Ǜ�)]���Ǿ��i�������
On Tuesday 06 July 2010 10:12:48 Zhang, Vivian wrote:
Hi:
The root cause of "osc ci" permission failure is caused by the double http request for the remote resource access: For the normal process with allow_anonymous disabled: 1. osc client sends the normal request without authentication header, then server will give a 401 response with authentication requirement for real "API login". 2. osc client sends the same request again with authentication header which includes the username and password, e.g.: "Authorization: Basic amZkaW5nOm1vYmxpbjEyMw=="
Then when allow_anonymous is enabled with IP_ADDR: 1. osc client sends the normal request without authentication header, it passed the anonymous access check since the api server has the same IP_ADDR as the webui server, it will login with _nobody_.
So you run osc on the system where your webui is running ? I have not tested that, I have to admit ...
Here is a workaround: Adding one line for http_headers in ~/.oscrc, e.g. [https://api.xxx.com] user=xxx passx=xxxxxxxxxxxxxxxxxxxxxx == + http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==
The encoded string after "Basic" is the base64 encoded "username:passwd", or you can get it from command: #echo -n username:passwd | base64
Anyway, it is a workaround from osc client side. Any good solution on the authentication check in server side?
Maybe checking for the client and only accept the anonymouse mode, if the webui is doing the request. bye adrian
Thanks vivian
-----Original Message----- From: Jan Engelhardt [mailto:jengelh@medozas.de] Sent: Thursday, July 01, 2010 5:46 PM To: Adrian Schr?ter Cc: Zhang, Vivian; Robert Xu; opensuse-buildservice@opensuse.org Subject: Re: [opensuse-buildservice] anonymous access support
On Thursday 2010-07-01 11:37, Adrian Schröter wrote:
On Thursday 01 July 2010 10:59:19 Zhang, Vivian wrote:
Then to clarify it, "enabling anon access breaks osc ci " is a expected behavior or a new issue caused by using ip_addr?
No, our instance api.opensuse.org is running fine with anonymous support.
11:44 ares:../osc2/osc > osc ci -m . WARNING: validator directory /usr/lib/osc/source_validators configured, but not existing. Skipping ... Sending osc.spec Server returned an error: HTTP Error 403: Forbidden no permission to execute command 'copy'
And this 403 goes away if I disable allow_anonymous.
-- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
No, the osc client running on the different system. What I mean here is that "api" host and "webui" host are on the same system, they share the same IP_Addr, I think it is a common configuration. Then the point here is how to check that it is the request from WebUI, right? I compared the two requests(attached) and does not found the useful env parameter. Thanks vivian -----Original Message----- From: Adrian Schr?ter [mailto:adrian@suse.de] Sent: Tuesday, July 06, 2010 4:21 PM To: Zhang, Vivian Cc: Jan Engelhardt; Robert Xu; opensuse-buildservice@opensuse.org Subject: Re: [opensuse-buildservice] anonymous access support On Tuesday 06 July 2010 10:12:48 Zhang, Vivian wrote:
Hi:
The root cause of "osc ci" permission failure is caused by the double http request for the remote resource access: For the normal process with allow_anonymous disabled: 1. osc client sends the normal request without authentication header, then server will give a 401 response with authentication requirement for real "API login". 2. osc client sends the same request again with authentication header which includes the username and password, e.g.: "Authorization: Basic amZkaW5nOm1vYmxpbjEyMw=="
Then when allow_anonymous is enabled with IP_ADDR: 1. osc client sends the normal request without authentication header, it passed the anonymous access check since the api server has the same IP_ADDR as the webui server, it will login with _nobody_.
So you run osc on the system where your webui is running ? I have not tested that, I have to admit ...
Here is a workaround: Adding one line for http_headers in ~/.oscrc, e.g. [https://api.xxx.com] user=xxx passx=xxxxxxxxxxxxxxxxxxxxxx == + http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==
The encoded string after "Basic" is the base64 encoded "username:passwd", or you can get it from command: #echo -n username:passwd | base64
Anyway, it is a workaround from osc client side. Any good solution on the authentication check in server side?
Maybe checking for the client and only accept the anonymouse mode, if the webui is doing the request. bye adrian
Thanks vivian
-----Original Message----- From: Jan Engelhardt [mailto:jengelh@medozas.de] Sent: Thursday, July 01, 2010 5:46 PM To: Adrian Schr?ter Cc: Zhang, Vivian; Robert Xu; opensuse-buildservice@opensuse.org Subject: Re: [opensuse-buildservice] anonymous access support
On Thursday 2010-07-01 11:37, Adrian Schröter wrote:
On Thursday 01 July 2010 10:59:19 Zhang, Vivian wrote:
Then to clarify it, "enabling anon access breaks osc ci " is a expected behavior or a new issue caused by using ip_addr?
No, our instance api.opensuse.org is running fine with anonymous support.
11:44 ares:../osc2/osc > osc ci -m . WARNING: validator directory /usr/lib/osc/source_validators configured, but not existing. Skipping ... Sending osc.spec Server returned an error: HTTP Error 403: Forbidden no permission to execute command 'copy'
And this 403 goes away if I disable allow_anonymous.
-- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de
Hi, On Tuesday 06 July 2010 10:52:34 Zhang, Vivian wrote:
No, the osc client running on the different system. What I mean here is that "api" host and "webui" host are on the same system, they share the same IP_Addr, I think it is a common configuration. Then the point here is how to check that it is the request from WebUI, right? I compared the two requests(attached) and does not found the useful env parameter.
I am sorry, but I fail to reproduce this problem at all here. I did test with the OBS Appliance 2.0.3 candidate (will be released today) and osc 0.127. bye adrian -- Adrian Schroeter SUSE Linux Products GmbH email: adrian@suse.de -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On 06.07.2010 10:12, Zhang, Vivian wrote:
Hi:
The root cause of "osc ci" permission failure is caused by the double http request for the remote resource access: For the normal process with allow_anonymous disabled: 1. osc client sends the normal request without authentication header, then server will give a 401 response with authentication requirement for real "API login". 2. osc client sends the same request again with authentication header which includes the username and password, e.g.: "Authorization: Basic amZkaW5nOm1vYmxpbjEyMw=="
Then when allow_anonymous is enabled with IP_ADDR: 1. osc client sends the normal request without authentication header, it passed the anonymous access check since the api server has the same IP_ADDR as the webui server, it will login with _nobody_.
Here is a workaround: Adding one line for http_headers in ~/.oscrc, e.g. [https://api.xxx.com] user=xxx passx=xxxxxxxxxxxxxxxxxxxxxx == + http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==
The encoded string after "Basic" is the base64 encoded "username:passwd", or you can get it from command: #echo -n username:passwd | base64
Anyway, it is a workaround from osc client side. Any good solution on the authentication check in server side?
Maybe it would be a good idea if the osc client always sends the authentication header by default? Greetings -- Thomas Schmidt (tom [at] opensuse.org) openSUSE Boosters Team "Don't Panic", Douglas Adams (1952 - 11.05.2001) -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Tuesday 2010-07-06 10:37, Thomas Schmidt wrote:
The root cause of "osc ci" permission failure is caused by the double http request for the remote resource access: For the normal process with allow_anonymous disabled: 1. osc client sends the normal request without authentication header, then server will give a 401 response with authentication requirement for real "API login". 2. osc client sends the same request again with authentication header which includes the username and password, e.g.: "Authorization: Basic amZkaW5nOm1vYmxpbjEyMw=="
Then when allow_anonymous is enabled with IP_ADDR: 1. osc client sends the normal request without authentication header, it passed the anonymous access check since the api server has the same IP_ADDR as the webui server, it will login with _nobody_.
Maybe it would be a good idea if the osc client always sends the authentication header by default?
I think so too, yes. That is what "most" other SCMs do. -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Tue, Jul 6, 2010 at 11:12 AM, Zhang, Vivian
Here is a workaround: Adding one line for http_headers in ~/.oscrc, e.g. [https://api.xxx.com] user=xxx passx=xxxxxxxxxxxxxxxxxxxxxx == + http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==
The encoded string after "Basic" is the base64 encoded "username:passwd", or you can get it from command: #echo -n username:passwd | base64
don't ask me the technical details, but this workaround fixed an issue I have when I upload to MeeGo OBS behind a proxy. Thanks for the tips. -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
participants (6)
-
Adrian Schröter
-
Fathi Boudra
-
Jan Engelhardt
-
Robert Xu
-
Thomas Schmidt
-
Zhang, Vivian