[users at bb.net] Fwd: How do you pass through authentication from Apache?

Chris Spencer chrisspen at gmail.com
Wed Feb 15 16:53:12 UTC 2017


---------- Forwarded message ----------
From: Chris Spencer <chrisspen at gmail.com>
Date: Wed, Feb 15, 2017 at 11:50 AM
Subject: Re: [users at bb.net] How do you pass through authentication from
Apache?
To: Pierre Tardy <tardyp at gmail.com>


So if I use RemoteUserAdmin, Buildbot shouldn't render the login dropdown
form at all?

This is my auth config:

    authz = util.Authz(
      allowRules=[
        util.StopBuildEndpointMatcher(role="admins"),
        util.ForceBuildEndpointMatcher(role="admins"),
        util.RebuildBuildEndpointMatcher(role="admins")
      ],
      roleMatchers=[
        util.RolesFromEmails(admins=["myuser at mydomain.com"])
      ]
    )
    c['www'] = dict(
        port=8010,
        plugins=dict(waterfall_view={}, console_view={}),
        auth=util.RemoteUserAuth(),
        authz=authz,
    )

but when I restart Buildbot, it shows "Anonymous" in the upper right-hand
side of the screen, and if I click on it, it shows a login form. How do I
stop Buildbot from rendering this?

On Wed, Feb 15, 2017 at 11:09 AM, Pierre Tardy <tardyp at gmail.com> wrote:

> The goal of RemoteUserAuth is to disable completely the login UI of
> buildbot, and let apache handle the authentication alone.
>
> Buildbot will get a header from Apache telling it which user is actually
> logged in.
>
> If you configured your apache correctly, you should never achive to get
> the buildbot UI unless you get a browser-based login prompt.
>              Require valid-user  is if I understand correctly what is
> need to implement such thing
>
> Also, please note that apache requires a specific configuration to allow
> websocket to work correctly
> http://docs.buildbot.net/latest/manual/cfg-www.html#reverse-
> proxy-configuration
>
>
>
> Le mer. 15 févr. 2017 à 17:02, Chris Spencer <chrisspen at gmail.com> a
> écrit :
>
>> I'm not sure I understand. Anonymous users can definitely still see the
>> site from Apache in 0.9.*. I'm looking at my Buildbot server right now as
>> an anonymous user. It seems to hide a lot of details for anonymous users,
>> but it's still rendering the basic site, listing builders and recent
>> builds. By "show no output" I mean it should only render a login page and
>> nothing else if the user is not authenticated.
>>
>> I tried the util.RemoteUserAuth but it doesn't seem to do anything.
>> Buildbot still requires I login via the on-screen user login dropdown, and
>> ignores the basic Http login I give to Apache.
>>
>> Oddly, it also seems to ignore util.HTPasswdAuth(). If I enter a
>> username/password that I added to my htpasswd file into Buildbot's login
>> form, Buildbot still won't let me login through its web interface. Is there
>> some trick to getting an htpasswd file to work with Buildbot? There are no
>> errors reported in the twistd.log.
>>
>> This is my Apache config:
>>
>>     <VirtualHost *:80>
>>
>>         ProxyPass / http://127.0.0.1:8010/
>>
>>         <Location />
>>             AuthType Basic
>>             AuthName "Buildbot"
>>             AuthUserFile /usr/local/myproject/src/buildbot/htpasswd
>>             Require valid-user
>>         </Location>
>>
>>     </VirtualHost>
>>
>>
>> On Wed, Feb 15, 2017 at 3:50 AM, Pierre Tardy <tardyp at gmail.com> wrote:
>>
>> Hi Chris,
>> What you are looking for is theRemoteUserAuth plugin
>> http://buildbot.readthedocs.io/en/latest/manual/cfg-www.html
>> #buildbot.www.auth.RemoteUserAuth
>>
>> There is no more support for combination useHttpHeader + HTPasswdAprAuth,
>> which allowed apache authentication + anonymous access.
>> I am not sure exactly if this is what you mean by "show no output to an
>> anonymous user"
>>
>> Pierre
>>
>> Le mer. 15 févr. 2017 à 07:21, Chris Spencer <chrisspen at gmail.com> a
>> écrit :
>>
>> In 0.8.*, I was using http authentication in Apache to collect the
>> username/password and pass that through to Buildbot. I was doing that with:
>>
>>     authz_cfg=authz.Authz(
>>         auth=auth.HTPasswdAprAuth('.htpasswd')),
>>         useHttpHeader=True,
>>         ...
>>     )
>>
>> However, in 0.9.*, there doesn't appear to be a HTPasswdAprAuth class or
>> a useHttpHeader option. Is there still a way to setup this type of
>> authentication?
>>
>> My goal is to show no output to an anonymous user.
>>
>> _______________________________________________
>> users mailing list
>> users at buildbot.net
>> https://lists.buildbot.net/mailman/listinfo/users
>>
>>
>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.buildbot.net/pipermail/users/attachments/20170215/1980b4bc/attachment.html>


More information about the users mailing list