<div dir="ltr">Hi Narunas,<div><br></div><div>The security schemes implemented in buildbot was mainly done to prevent users to do some restricted actions on the bot.</div><div><br></div><div>I was not aware of the view restriction functionality in buildbot eight. Indeed it looks like to very well implemented if the json api is not accounting for this restriction.</div><div><br></div><div>You can in theory configure read restrictions in buildbot nine, however this is not supported by the UI, and might give you strange results.</div><div><br></div><div>Pierre</div></div><br><div class="gmail_quote"><div dir="ltr">Le ven. 19 août 2016 à 11:57, Narunas Krasauskas <<a href="mailto:narun4sk@gmail.com">narun4sk@gmail.com</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi bb-users,<div><br></div><div>At present I'm exploring Buildbot version 0.8.14, which I have installed via pip.</div><div><br></div><div>After reading: <a href="http://docs.buildbot.net/current/manual/cfg-statustargets.html?highlight=authz#webstatus-configuration-parameters" target="_blank">http://docs.buildbot.net/current/manual/cfg-statustargets.html?highlight=authz#webstatus-configuration-parameters</a></div><div><br></div><div>I ended with the following config:</div><div><br></div><div><div>auth_usr = auth.BasicAuth([('usr', 'pwd')])</div><div><br></div><div>authz_cfg=authz.Authz(</div><div> auth=auth_usr,<br></div><div> view = 'auth',</div><div> forceBuild = 'auth',</div><div> forceAllBuilds = False,</div><div> pingBuilder = False,</div><div> gracefulShutdown = False,</div><div> pauseSlave = 'auth',</div><div> stopBuild = 'auth',</div><div> stopAllBuilds = False,</div><div> cancelPendingBuild = 'auth',</div><div> cancelAllPendingBuilds = False,</div><div> stopChange = 'auth',</div><div> cleanShutdown = True,</div><div> showUsersPage = False,</div><div>)</div></div><div><br></div><div><div>c['status'].append(</div><div> html.WebStatus(</div><div> http_port='tcp:8010:interface=46.101.x.x',</div><div> authz=authz_cfg,</div><div> change_hook_auth=['file:changehook.passwd'],</div><div> change_hook_dialects={'gitlab': True},</div><div> )<br></div><div>)</div></div><div><br></div><div><br></div><div>Such config at a first glance work in a way you would expect it to and restrict user access to urls such as <a href="http://46.101.x.x:8010/builders" target="_blank">http://46.101.x.x:8010/builders</a>.</div><div><br></div><div>However if I specify URL in full: <a href="http://46.101.x.x:8010/builders/my-builder/builds/0/steps/git/logs/stdio" target="_blank">http://46.101.x.x:8010/builders/my-builder/builds/0/steps/git/logs/stdio</a></div><div><br></div><div>I get full access to the details, regardless the fact that I'm logged off. Just to prove myself that I'm not insane and that I'm not experiencing some kind of browser cache issue I've tried to open that url in the different browser and it worked.</div><div><br></div><div>Same applies to the /json. I don't have to be logged in to browse through developer emails, server IP addresses and ports, revision IDs and other vital information.</div><div><br></div><div><br></div><div>Currently the only way I can think of to enhance security is to put Buildbot behind reverse proxy...</div><div><br></div><div>Has security never been the main goal of the Buildbot, or have I just found a nasty bug?</div><div><br></div><div><br></div><div>Thanks</div><div><br></div><div>Narunas</div><div><br></div></div>
_______________________________________________<br>
users mailing list<br>
<a href="mailto:users@buildbot.net" target="_blank">users@buildbot.net</a><br>
<a href="https://lists.buildbot.net/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.buildbot.net/mailman/listinfo/users</a></blockquote></div>