charliermarsh
commented
5 months ago Can you include the logs with the verbose flag on the latest version?
Open morotti opened 5 months ago
charliermarsh
commented
5 months ago Can you include the logs with the verbose flag on the latest version?
morotti
commented
5 months ago full logs on latest version
charliermarsh
commented
5 months ago Sorry, can you run again with RUST_LOG=trace and --verbose? I forgot the auth logging is at the tracing level.
charliermarsh
commented
5 months ago I think we didn't used to "try the request before adding auth", but we had to change it to do that for some reason? And that it matches pip? I can't remember the details. Zanie would know when they're back from vacation.
charliermarsh
commented
5 months ago There are a lot of details in #3130.
charliermarsh
commented
5 months ago Perhaps we should not apply that logic to netrc. IDK.
charliermarsh
commented
5 months ago \cc @zanieb for when you get back.
morotti
commented
5 months ago Submitting the debug logs with trace. Sorry for delay.
Note I am just sending the top of the logs, should be enough for this bug. The full log is very long and not sure the content is safe to share online.
on buggy version 0.1.42
on previous version that worked 0.1.33
You can see uv is making unauthenticated requests in the more recent versions. It shouldn't make unauthenticated requests when authentication is configured.
morotti
commented
5 months ago For more info, there are a few ways to pass authentication I can think of:
example netrc file
machine pypi.example.com
login login
password password--index-url https://login:password@pypi.example.com. That's granularity at the index level. It's possible to have different credentials for different indexes on the same domain. I think credentials should always be passed to all requests to that index.
zanieb
commented
5 months ago Sorry you're having problems with this! Apparently it's very very hard to satisfy all of the desired authentication schemes. I'll look into this we'll need to be very careful not to break the things we fixed in #3130.
fersarr
commented
2 months ago Hi! totally understand this "Apparently it's very very hard to satisfy all of the desired authentication schemes". So just wanted to ask if you were able to find a way for this, but totally understand it might not be simple. Is there any extra information we could provide to help?
zanieb
commented
2 months ago I think this is mostly a matter of doing something like #4583 so we can use credentials more aggressively.
Hello,
Authentication stopped working in uv 0.1.36, it's no longer able to install packages that requires authentication.
For context, we use a netrc to set credentials to access artifactory. Artifactory, nexus, and probably all the hosted equivalent in azure/aws/google do permissions depending on the user.
The index can have very fine grained permissions. The doom of my existence is packages that changed in permissions, getting reassigned to some organizations or becoming publicly visible to the whole company or not.
By the way if you have logic to do a first query to "test" the index and only do a second query with credentials on 401/403, this doesn't actually work because the first query will succeed but return (incomplete) content with only packages that are accessible without credentials. All queries must be authenticated.
DEBUG LOGS:
this one is a package that was previously publicly accessible in the repo and became restricted at some point.
the version 2020 is the last that was published and is accessible without authentication. uv can only see and install that one, which implies it did not pass credentials when making HTTP queries to the index.
I suspected a caching issue but setting
--no-cachedoesn't help. I think authentication is not passed at all.Thoughts?