devpi / devpi-ldap

Plugin for devpi-server which provides LDAP authentication.

can't push as ldap user #17

Closed eukaryote closed 9 years ago

eukaryote commented 9 years ago

I'm using the latest devpi and devpi-ldap at pypi as of a few days ago, and have devpi-ldap configured correctly, I believe. I'm able to run devpi-ldap and authenticate, and I do see the correct groups in the output that comes from LDAP in the response.

I created a user account for myself after logging in using my ldap credentials, and then created an index as that user, but when I try to push from my personal index to an index that the root user owns, I get the following:

» devpi push mypackage-0.1.0 root/dev
PUSH https://example.com/myuser/dev
401 Unauthorized: user u'myuser' cannot upload to u'root/dev'

I don't see any extra information in the logs with --debug enabled, and the 'root/dev' is one that specifies:

» devpi getjson /root/dev
{
    "result": {
        "acl_upload": [
            "root",
            ":developer"
        ],
        "bases": [
            "root/prod"
        ],
        "projects": [],
        "pypi_whitelist": [
            "*"
        ],
        "type": "stage",
        "uploadtrigger_jenkins": null,
        "volatile": true
    },
    "type": "indexconfig"
}

When I authenticate using the devpi-ldap script, it shows that I'm in the 'developer' group, which as I understand things should allow me to be able to push to the '/root/dev' index, given that acl_upload is 'root' or ':developer'.

Am I overlooking anything, or should this be working for me? Is there any way for me to check what groups devpi thinks I belong to apart from the devpi-ldap script, which does show me being in the 'developer' group, or anything else I can try?

I am starting two instances of devpi-server on different hosts with --ldap-config /abs/path/to/devpi-ldap.yml --restrict-modify root,:developer on both (one is configured as master, one as replica), and everything else appears to be working fine. I can upload directly to the index that doesn't allow me to push to it when logged in as the same user, so it seems that the acl_upload is being obeyed for uploads but not for pushing between indexes.

fschulze commented 9 years ago

Could you try adding your username to acl_upload? I'm pretty sure it's a bug in the push command in devpi-server; it seems like it's checking the username directly instead of the general permissions.
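As an added illustration of the mismatch described above (example code, not devpi-server's own implementation): a permission check that honours `:group` entries in `acl_upload` next to the username-only comparison the push command was effectively doing. The index configuration and group membership are the ones from the report; the function names and the way groups are passed in are assumptions.

```python
import json

# Index configuration as returned by `devpi getjson /root/dev` in the report
# (trimmed to the fields relevant for the check; constructed sample).
INDEXCONFIG = json.loads("""
{
  "result": {
    "acl_upload": ["root", ":developer"],
    "bases": ["root/prod"],
    "type": "stage",
    "volatile": true
  },
  "type": "indexconfig"
}
""")


def acl_allows(acl_upload, username, groups):
    """Intended semantics: a plain entry names a user, an entry with a
    leading ':' names a group the authentication backend (LDAP) reported
    for that user. Either kind of match grants the permission."""
    for entry in acl_upload:
        if entry.startswith(":"):
            if entry[1:] in groups:
                return True
        elif entry == username:
            return True
    return False


def username_only_allows(acl_upload, username, groups):
    """The behaviour the thread describes for `devpi push`: only the bare
    username is compared against the list, so group entries never match."""
    return username in acl_upload


def can_push(indexconfig, username, groups, check=acl_allows):
    """Evaluate acl_upload of the target index with the given check.
    `groups` is the set of group names reported by LDAP (assumed input)."""
    return check(indexconfig["result"]["acl_upload"], username, set(groups))


if __name__ == "__main__":
    for check in (acl_allows, username_only_allows):
        ok = can_push(INDEXCONFIG, "myuser", ["developer"], check)
        print(f"{check.__name__}: myuser in 'developer' -> {'allowed' if ok else '401'}")
```

Running it shows the group-aware check admitting `myuser`, while the username-only check rejects the same user until `"myuser"` is added to `acl_upload`, which is the workaround suggested in the comment.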

fschulze commented 9 years ago

See https://bitbucket.org/hpk42/devpi/pull-request/206/fix-devpi-ldap-issue17-the-push-command/diff

eukaryote commented 9 years ago

I just got in to work and verified that the push does work when the username is included, as you suspected.

Thanks so much for making that pull request, and so quickly too! I'll check out the source from bitbucket and apply the pull request to verify there are no other issues.

eukaryote commented 9 years ago

Confirming that it does work using the ':developer' group perm in acl_upload when pushing.

Thanks again for the fix and for this really great software!

fschulze commented 9 years ago

Fixed in devpi-server 2.1.5.