<div dir="ltr"><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Chris Spencer</b> <span dir="ltr"><<a href="mailto:chrisspen@gmail.com">chrisspen@gmail.com</a>></span><br>Date: Wed, Feb 15, 2017 at 11:50 AM<br>Subject: Re: [<a href="mailto:users@bb.net">users@bb.net</a>] How do you pass through authentication from Apache?<br>To: Pierre Tardy <<a href="mailto:tardyp@gmail.com">tardyp@gmail.com</a>><br><br><br><div dir="ltr"><div><div>So if I use RemoteUserAdmin, Buildbot shouldn't render the login dropdown form at all?<br><br></div>This is my auth config:<br><br> authz = util.Authz(<br> allowRules=[<br> util.StopBuildEndpointMatcher(<wbr>role="admins"),<br> util.<wbr>ForceBuildEndpointMatcher(<wbr>role="admins"),<br> util.<wbr>RebuildBuildEndpointMatcher(<wbr>role="admins")<br> ],<br> roleMatchers=[<br> util.RolesFromEmails(admins=["<a href="mailto:myuser@mydomain.com" target="_blank"><wbr>myuser@mydomain.com</a>"])<br> ]<br> )<br> c['www'] = dict(<br> port=8010,<br> plugins=dict(waterfall_view={}<wbr>, console_view={}),<br> auth=util.RemoteUserAuth(),<br> authz=authz,<br> )<br><br></div>but when I restart Buildbot, it shows "Anonymous" in the upper right-hand side of the screen, and if I click on it, it shows a login form. How do I stop Buildbot from rendering this?<br></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 15, 2017 at 11:09 AM, Pierre Tardy <span dir="ltr"><<a href="mailto:tardyp@gmail.com" target="_blank">tardyp@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">The goal of <span style="color:rgb(33,33,33)">RemoteUserAuth is to disable completely the login UI of buildbot, and let apache handle the authentication alone.</span><div><span style="color:rgb(33,33,33)"><br></span></div><div><span style="color:rgb(33,33,33)">Buildbot will get a header from Apache telling it which user is actually logged in.</span></div><div><br></div><div>If you configured your apache correctly, you should never achive to get the buildbot UI unless you get a browser-based login prompt.</div><div> <span style="color:rgb(33,33,33)"> Require valid-user is if I understand correctly what is need to implement such thing</span></div><div><span style="color:rgb(33,33,33)"><br></span></div><div><span style="color:rgb(33,33,33)">Also, please note that apache requires a specific configuration to allow websocket to work correctly</span></div><div><font color="#212121"><a href="http://docs.buildbot.net/latest/manual/cfg-www.html#reverse-proxy-configuration" target="_blank">http://docs.buildbot.net/lates<wbr>t/manual/cfg-www.html#reverse-<wbr>proxy-configuration</a></font><br></div><div><font color="#212121"><br></font></div><br class="m_-278056431799619187m_822982456694559957gmail_msg" style="color:rgb(33,33,33)"></div><div class="m_-278056431799619187HOEnZb"><div class="m_-278056431799619187h5"><br><div class="gmail_quote"><div dir="ltr">Le mer. 15 févr. 2017 à 17:02, Chris Spencer <<a href="mailto:chrisspen@gmail.com" target="_blank">chrisspen@gmail.com</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_-278056431799619187m_822982456694559957gmail_msg"><div class="m_-278056431799619187m_822982456694559957gmail_msg"><div class="m_-278056431799619187m_822982456694559957gmail_msg"><div class="m_-278056431799619187m_822982456694559957gmail_msg"><div class="m_-278056431799619187m_822982456694559957gmail_msg">I'm not sure I understand. Anonymous users can definitely still see the site from Apache in 0.9.*. I'm looking at my Buildbot server right now as an anonymous user. It seems to hide a lot of details for anonymous users, but it's still rendering the basic site, listing builders and recent builds. By "show no output" I mean it should only render a login page and nothing else if the user is not authenticated.<br class="m_-278056431799619187m_822982456694559957gmail_msg"><br class="m_-278056431799619187m_822982456694559957gmail_msg"></div>I tried the util.RemoteUserAuth but it doesn't seem to do anything. Buildbot still requires I login via the on-screen user login dropdown, and ignores the basic Http login I give to Apache.<br class="m_-278056431799619187m_822982456694559957gmail_msg"><br class="m_-278056431799619187m_822982456694559957gmail_msg"></div>Oddly, it also seems to ignore util.HTPasswdAuth(). If I enter a username/password that I added to my htpasswd file into Buildbot's login form, Buildbot still won't let me login through its web interface. Is there some trick to getting an htpasswd file to work with Buildbot? There are no errors reported in the twistd.log.<br class="m_-278056431799619187m_822982456694559957gmail_msg"><br class="m_-278056431799619187m_822982456694559957gmail_msg"></div>This is my Apache config:<br class="m_-278056431799619187m_822982456694559957gmail_msg"><br class="m_-278056431799619187m_822982456694559957gmail_msg"> <VirtualHost *:80><br class="m_-278056431799619187m_822982456694559957gmail_msg"><br class="m_-278056431799619187m_822982456694559957gmail_msg"> ProxyPass / <a href="http://127.0.0.1:8010/" class="m_-278056431799619187m_822982456694559957gmail_msg" target="_blank">http://127.0.0.1:8010/</a><br class="m_-278056431799619187m_822982456694559957gmail_msg"> <br class="m_-278056431799619187m_822982456694559957gmail_msg"> <Location /><br class="m_-278056431799619187m_822982456694559957gmail_msg"> AuthType Basic<br class="m_-278056431799619187m_822982456694559957gmail_msg"> AuthName "Buildbot"<br class="m_-278056431799619187m_822982456694559957gmail_msg"> AuthUserFile /usr/local/myproject/src/build<wbr>bot/htpasswd<br class="m_-278056431799619187m_822982456694559957gmail_msg"> Require valid-user<br class="m_-278056431799619187m_822982456694559957gmail_msg"> </Location><br class="m_-278056431799619187m_822982456694559957gmail_msg"><br class="m_-278056431799619187m_822982456694559957gmail_msg"> </VirtualHost><br class="m_-278056431799619187m_822982456694559957gmail_msg"></div><div class="m_-278056431799619187m_822982456694559957gmail_msg"><div class="m_-278056431799619187m_822982456694559957gmail_msg"><br class="m_-278056431799619187m_822982456694559957gmail_msg"></div></div></div><div class="gmail_extra m_-278056431799619187m_822982456694559957gmail_msg"><br class="m_-278056431799619187m_822982456694559957gmail_msg"><div class="gmail_quote m_-278056431799619187m_822982456694559957gmail_msg">On Wed, Feb 15, 2017 at 3:50 AM, Pierre Tardy <span dir="ltr" class="m_-278056431799619187m_822982456694559957gmail_msg"><<a href="mailto:tardyp@gmail.com" class="m_-278056431799619187m_822982456694559957gmail_msg" target="_blank">tardyp@gmail.com</a>></span> wrote:<br class="m_-278056431799619187m_822982456694559957gmail_msg"><blockquote class="gmail_quote m_-278056431799619187m_822982456694559957gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="m_-278056431799619187m_822982456694559957gmail_msg">Hi Chris,<div class="m_-278056431799619187m_822982456694559957gmail_msg">What you are looking for is theRemoteUserAuth plugin</div><div class="m_-278056431799619187m_822982456694559957gmail_msg"><a href="http://buildbot.readthedocs.io/en/latest/manual/cfg-www.html#buildbot.www.auth.RemoteUserAuth" class="m_-278056431799619187m_822982456694559957gmail_msg" target="_blank">http://buildbot.readthedocs.io<wbr>/en/latest/manual/cfg-www.html<wbr>#buildbot.www.auth.RemoteUserA<wbr>uth</a></div><div class="m_-278056431799619187m_822982456694559957gmail_msg"><br class="m_-278056431799619187m_822982456694559957gmail_msg"></div><div class="m_-278056431799619187m_822982456694559957gmail_msg">There is no more support for combination <span style="color:rgb(33,33,33)" class="m_-278056431799619187m_822982456694559957gmail_msg">useHttpHeader + </span><span style="color:rgb(33,33,33)" class="m_-278056431799619187m_822982456694559957gmail_msg">HTPasswdAprAuth, which allowed apache authentication + anonymous access.</span></div><div class="m_-278056431799619187m_822982456694559957gmail_msg"><span style="color:rgb(33,33,33)" class="m_-278056431799619187m_822982456694559957gmail_msg">I am not sure exactly if this is what you mean by "</span><span style="color:rgb(33,33,33)" class="m_-278056431799619187m_822982456694559957gmail_msg">show no output to an anonymous user"</span></div><div class="m_-278056431799619187m_822982456694559957gmail_msg"><br class="m_-278056431799619187m_822982456694559957gmail_msg"></div><div class="m_-278056431799619187m_822982456694559957gmail_msg">Pierre</div></div><br class="m_-278056431799619187m_822982456694559957gmail_msg"><div class="gmail_quote m_-278056431799619187m_822982456694559957gmail_msg"><div class="m_-278056431799619187m_822982456694559957gmail_msg"><div class="m_-278056431799619187m_822982456694559957m_-3118950937979415985h5 m_-278056431799619187m_822982456694559957gmail_msg"><div dir="ltr" class="m_-278056431799619187m_822982456694559957gmail_msg">Le mer. 15 févr. 2017 à 07:21, Chris Spencer <<a href="mailto:chrisspen@gmail.com" class="m_-278056431799619187m_822982456694559957gmail_msg" target="_blank">chrisspen@gmail.com</a>> a écrit :<br class="m_-278056431799619187m_822982456694559957gmail_msg"></div></div></div><blockquote class="gmail_quote m_-278056431799619187m_822982456694559957gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="m_-278056431799619187m_822982456694559957gmail_msg"><div class="m_-278056431799619187m_822982456694559957m_-3118950937979415985h5 m_-278056431799619187m_822982456694559957gmail_msg"><div dir="ltr" class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg"><div class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg"><div class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg">In 0.8.*, I was using http authentication in Apache to collect the username/password and pass that through to Buildbot. I was doing that with:<br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg"><br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg"> authz_cfg=authz.Authz(<br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg"> auth=auth.HTPasswdAprAuth('.ht<wbr>passwd')),<br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg"> useHttpHeader=True,<br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg"> ...<br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg"> )<br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg"><br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg"></div>However, in 0.9.*, there doesn't appear to be a HTPasswdAprAuth class or a useHttpHeader option. Is there still a way to setup this type of authentication?<br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg"><br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg"></div>My goal is to show no output to an anonymous user.<br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg"><br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg"></div></div></div>
______________________________<wbr>_________________<br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg">
users mailing list<br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg">
<a href="mailto:users@buildbot.net" class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg" target="_blank">users@buildbot.net</a><br class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg">
<a href="https://lists.buildbot.net/mailman/listinfo/users" rel="noreferrer" class="m_-278056431799619187m_822982456694559957m_-3118950937979415985m_6569449388219033462gmail_msg m_-278056431799619187m_822982456694559957gmail_msg" target="_blank">https://lists.buildbot.net/mai<wbr>lman/listinfo/users</a></blockquote></div>
</blockquote></div><br class="m_-278056431799619187m_822982456694559957gmail_msg"></div>
</blockquote></div>
</div></div></blockquote></div><br></div>
</div></div></div><br></div>