Mailinglist Archive: opensuse-buildservice (332 mails)

< Previous Next >
RE: [opensuse-buildservice] anonymous access support
  • From: "Zhang, Vivian" <vivian.zhang@xxxxxxxxx>
  • Date: Tue, 6 Jul 2010 16:12:48 +0800
  • Message-id: <625BA99ED14B2D499DC4E29D8138F1503426903314@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Hi:

The root cause of "osc ci" permission failure is caused by the double http
request for the remote resource access:
For the normal process with allow_anonymous disabled:
1. osc client sends the normal request without authentication header, then
server will give a 401 response with authentication requirement for real "API
login".
2. osc client sends the same request again with authentication header which
includes the username and password, e.g.:
"Authorization: Basic amZkaW5nOm1vYmxpbjEyMw=="

Then when allow_anonymous is enabled with IP_ADDR:
1. osc client sends the normal request without authentication header, it
passed the anonymous access check since the api server has the same IP_ADDR as
the webui server, it will login with _nobody_.

Here is a workaround:
Adding one line for http_headers in ~/.oscrc, e.g.
[https://api.xxx.com]
user=xxx
passx=xxxxxxxxxxxxxxxxxxxxxx ==
+ http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==

The encoded string after "Basic" is the base64 encoded "username:passwd",
or you can get it from command:
#echo -n username:passwd | base64

Anyway, it is a workaround from osc client side. Any good solution on the
authentication check in server side?

Thanks
vivian

-----Original Message-----
From: Jan Engelhardt [mailto:jengelh@xxxxxxxxxx]
Sent: Thursday, July 01, 2010 5:46 PM
To: Adrian Schr?ter
Cc: Zhang, Vivian; Robert Xu; opensuse-buildservice@xxxxxxxxxxxx
Subject: Re: [opensuse-buildservice] anonymous access support

On Thursday 2010-07-01 11:37, Adrian Schröter wrote:
On Thursday 01 July 2010 10:59:19 Zhang, Vivian wrote:
Then to clarify it, "enabling anon access breaks osc ci " is a expected
behavior or a new issue caused by using ip_addr?

No, our instance api.opensuse.org is running fine with anonymous support.

11:44 ares:../osc2/osc > osc ci -m .
WARNING: validator directory /usr/lib/osc/source_validators configured,
but not existing. Skipping ...
Sending osc.spec
Server returned an error: HTTP Error 403: Forbidden
no permission to execute command 'copy'


And this 403 goes away if I disable allow_anonymous.
N�����r��y隊Z)z{.����Wlz��qﮞ˛���m�)z{.��+�Z+i�b�*'jW(�f�vǦj)h����Ǜ�)]����Ǿ��i�������
< Previous Next >