Hi: The root cause of "osc ci" permission failure is caused by the double http request for the remote resource access: For the normal process with allow_anonymous disabled: 1. osc client sends the normal request without authentication header, then server will give a 401 response with authentication requirement for real "API login". 2. osc client sends the same request again with authentication header which includes the username and password, e.g.: "Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==" Then when allow_anonymous is enabled with IP_ADDR: 1. osc client sends the normal request without authentication header, it passed the anonymous access check since the api server has the same IP_ADDR as the webui server, it will login with _nobody_. Here is a workaround: Adding one line for http_headers in ~/.oscrc, e.g. [https://api.xxx.com] user=xxx passx=xxxxxxxxxxxxxxxxxxxxxx == + http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw== The encoded string after "Basic" is the base64 encoded "username:passwd", or you can get it from command: #echo -n username:passwd | base64 Anyway, it is a workaround from osc client side. Any good solution on the authentication check in server side? Thanks vivian -----Original Message----- From: Jan Engelhardt [mailto:jengelh@medozas.de] Sent: Thursday, July 01, 2010 5:46 PM To: Adrian Schr?ter Cc: Zhang, Vivian; Robert Xu; opensuse-buildservice@opensuse.org Subject: Re: [opensuse-buildservice] anonymous access support On Thursday 2010-07-01 11:37, Adrian Schröter wrote:
On Thursday 01 July 2010 10:59:19 Zhang, Vivian wrote:
Then to clarify it, "enabling anon access breaks osc ci " is a expected behavior or a new issue caused by using ip_addr?
No, our instance api.opensuse.org is running fine with anonymous support.
11:44 ares:../osc2/osc > osc ci -m . WARNING: validator directory /usr/lib/osc/source_validators configured, but not existing. Skipping ... Sending osc.spec Server returned an error: HTTP Error 403: Forbidden no permission to execute command 'copy' And this 403 goes away if I disable allow_anonymous. N�����r��y隊Z)z{.���Wlz��qﮞ˛���m�)z{.��+�Z+i�b�*'jW(�f�vǦj)h���Ǜ�)]���Ǿ��i�������