bloodhound-user mailing list archives

From Olemis Lang <ole...@gmail.com>
Subject Re: xmlrpc auth question
Date Mon, 10 Mar 2014 22:25:58 GMT
On Mon, Mar 10, 2014 at 4:43 PM, Mark Abbate <abbatemp@gmail.com> wrote:

> Hello All
>
>
Hi!
:)


> I am stuck on xmlrpc auth.
>
> I am using 0.8dev and the latest xmlrpc plugin, with sqlite and the
> builtin server.
>

tracd you mean? If so, this is a known issue. There's a candidate
solution proposed in this ticket for Trac [2]_


> I am using the apache xmlrpc java libs and I am also using chrome-postman
> to cross-check.
>
>
jftr, see this sample code [1]_. I tested against a BH 0.8-dev instance
(powered by apache2 web server, btw) and it works as expected with minor
modifications.


> I *think* that the only way I can create a ticket using xmlrpc or postman
> is by using this URL:
>     http://leela:8000/OSPS/products/mercer/login/xmlrpc
> and by giving anonymous TRAC_ADMIN and XML_RPC permissions.
>

that's a combination of permissions I honestly do not recommend


>
> I cannot get this URL to work:
>     http://leela:8000/OSPS/login/rpc


that URL seems to belong in the global environment, you should not have
tickets there in deployments by default, but in products.


>
> The log output shows:
>     2014-03-10 16:10:07,696 Trac[web_ui] DEBUG: RPC(XML-RPC) call by
> 'anonymous'
> despite creating valid basic auth headers in postman, or in the java
> xmlrpc code.
> The log output ends with:
>      ServiceException: ServiceException details : columns product, id are
> not unique
>
>
What version of BH are you running?


> If I log in from another tab in the browser, and then use postman, I get
> the same error but I do see my login name:
>     2014-03-10 16:14:46,459 Trac[web_ui] DEBUG: RPC(XML-RPC) call by
> 'mabbate'
> (That user does have TRAC_ADMIN and XML_RPC permissions)
>
>
This is documented in [2]_. What happens (with tracd) is that there is no
way to challenge the RPC client when requesting /products/P/login/.* . The
only possible URLs supported by the tracd auth mechanism are /login/*, which
lead you to the global env.


> So, how can I use xmlrpc with a non-anonymous user to avoid giving
> anonymous those permissions?
>
>
... with tracd there's no hope as long as something is done about [2]_.
AFAICR I proposed a patch for BH but it is not committed in /trunk.
Sorry


> I have looked around, read this:
> https://groups.google.com/forum/#!msg/trac-users/lPnrfSOSmoo/6jmUIYqdttkJ
> but that's over my head at this point. The fundamental issue seems
> similar, the http server is defaulting to anonymous.
> I saw the note about use of AccountManagerPlugIn. I am using
> "TracAccountManager 0.4.3 User account management plugin for Trac"
> so I did add as suggested.
>     [account-manager]
>     environ_auth_overwrite = false
>
>
jftr ... it's a lower level issue with tracd. Like I just said, it will
not force the RPC client to send a challenge

[...]

.. [1] http://trac-hacks.org/attachment/ticket/11108/TracRpcApache.java

.. [2] http://trac.edgewall.org/ticket/11287

-- 
Regards,

Olemis - @olemislc

Apache(tm) Bloodhound contributor
http://issues.apache.org/bloodhound
http://blood-hound.net

Blog ES: http://simelo-es.blogspot.com/
Blog EN: http://simelo-en.blogspot.com/

Featured article:
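
An added example, not part of the original message and not tracd's own code: a simplified WSGI model of the behaviour described in the reply, where a request is authenticated only when the path segment right after the environment name is `login`. `LoginOnlyAuth`, `inner_app`, `probe` and the credentials are hypothetical names and values; the two paths are the ones from the thread.

```python
import base64
import hmac

USERS = {"mabbate": "s3cret"}  # constructed credentials for the demo

def inner_app(environ, start_response):
    """Stand-in for Trac: returns the user the request is attributed to."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("REMOTE_USER", "anonymous").encode()]

class LoginOnlyAuth:
    """Simplified model: authenticate only if the segment after /<env>/ is 'login'."""
    def __init__(self, app, users):
        self.app, self.users = app, users

    def __call__(self, environ, start_response):
        parts = environ.get("PATH_INFO", "").split("/")
        if len(parts) > 2 and parts[2] == "login":
            user = self._check(environ.get("HTTP_AUTHORIZATION", ""))
            if user is None:
                start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="demo"')])
                return [b""]
            environ["REMOTE_USER"] = user
        # Any other path: the Authorization header is never inspected.
        return self.app(environ, start_response)

    def _check(self, header):
        scheme, _, blob = header.partition(" ")
        try:
            name, _, pw = base64.b64decode(blob).decode().partition(":")
        except ValueError:  # bad base64 or non-UTF-8 bytes
            return None
        expected = self.users.get(name)
        ok = scheme.lower() == "basic" and expected is not None and \
            hmac.compare_digest(expected.encode(), pw.encode())
        return name if ok else None

def probe(path, user=None, password=None):
    """Send one request through the middleware; return (status, attributed user)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "POST"}
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        environ["HTTP_AUTHORIZATION"] = "Basic " + token
    seen = {}
    body = LoginOnlyAuth(inner_app, USERS)(environ, lambda s, h: seen.update(status=s))
    return seen["status"], b"".join(body).decode()
```

In this model a valid header sent to `/OSPS/products/mercer/login/xmlrpc` still comes back as `anonymous`, matching the `call by 'anonymous'` log line quoted in the thread, while `/OSPS/login/rpc` is challenged and authenticated.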
