Mailinglist Archive: opensuse-buildservice (332 mails)

< Previous Next >
Re: [opensuse-buildservice] anonymous access support
  • From: Thomas Schmidt <tom@xxxxxxxxxxxx>
  • Date: Tue, 06 Jul 2010 10:37:41 +0200
  • Message-id: <4C32EB55.6010700@xxxxxxxxxxxx>
On 06.07.2010 10:12, Zhang, Vivian wrote:
Hi:

The root cause of "osc ci" permission failure is caused by the double http
request for the remote resource access:
For the normal process with allow_anonymous disabled:
1. osc client sends the normal request without authentication header,
then server will give a 401 response with authentication requirement for real
"API login".
2. osc client sends the same request again with authentication header
which includes the username and password, e.g.:
"Authorization: Basic amZkaW5nOm1vYmxpbjEyMw=="

Then when allow_anonymous is enabled with IP_ADDR:
1. osc client sends the normal request without authentication header, it
passed the anonymous access check since the api server has the same IP_ADDR
as the webui server, it will login with _nobody_.

Here is a workaround:
Adding one line for http_headers in ~/.oscrc, e.g.
[https://api.xxx.com]
user=xxx
passx=xxxxxxxxxxxxxxxxxxxxxx ==
+ http_headers: Authorization: Basic amZkaW5nOm1vYmxpbjEyMw==

The encoded string after "Basic" is the base64 encoded "username:passwd",
or you can get it from command:
#echo -n username:passwd | base64

Anyway, it is a workaround from osc client side. Any good solution on
the authentication check in server side?

Maybe it would be a good idea if the osc client always sends the authentication
header by default?

Greetings

--
Thomas Schmidt (tom [at] opensuse.org)
openSUSE Boosters Team
"Don't Panic", Douglas Adams (1952 - 11.05.2001)
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx

< Previous Next >
Follow Ups