"Authentication failed" error on push behind apache proxy

Stefan

Jun 19, 2013, 4:10:09 AM
to rhod...@googlegroups.com
Hi,

I have a weird problem. I've got rhodecode set up behind an https apache proxy:

<Location /rhodecode >
  ProxyPass http://127.0.0.1:5000/rhodecode timeout=14400
  SetEnvIf X-Url-Scheme https HTTPS=1

    SSLRequireSSL
    Order deny,allow
    AuthBasicProvider file ldap
    AuthType Basic
    AuthName "..."
    AuthBasicAuthoritative  off
    AuthUserFile ...
    AuthGroupFile ...
    AuthzLDAPAuthoritative off
    AuthLDAPURL ...
    require valid-user

  RequestHeader unset X-Forwarded-User

  RewriteEngine On
  RewriteCond %{LA-U:REMOTE_USER} (.+)
  RewriteRule .* - [E=RU:%1]
  RequestHeader set X-Forwarded-User %{RU}e
</Location>

Access to the webinterface works, pulling works. But when I push I get the following:

hg push
pushing to ...
searching for changes
1 changesets found
abort: authorization failed

It works when I push directly to rhodecode (127.0.0.1:5000)
Error logs of apache or rhodecode show nothing special.

Do you have any idea what is going on here?

Thanks
Stefan

Stefan

Jun 19, 2013, 7:20:05 AM
to rhod...@googlegroups.com
I forgot to mention that it used to work with 1.6rc. The currently used version is 1.7.1; unfortunately, I don't know at which point it actually broke.

Stefan

Jun 25, 2013, 9:32:09 AM
to rhod...@googlegroups.com
So after further investigation it turns out, for some reason values in the server's repository hgrc file are preventing a successful push.
I have 

allow_push = <name>

in there, which seems to be the reason for the "authentication failed!" error, even though I authenticate with <name>. If I remove that line or change it to 

allow_push = *

pushing works, which is weird, as I thought authentication is managed directly in rhodecode and what is also weird is that it works without apache in the middle.

Any ideas? Is the hgrc of the repository on the server still used by rhodecode?

Thanks
Stefan

Marcin Kuzminski

Jun 25, 2013, 9:35:41 AM
to rhod...@googlegroups.com
Hi,

Yes, rhodecode can read hgrc files and actually passes that into mercurial. We might document that better so as not to confuse people. The auth etc. is done via rhodecode indeed, but it was mercurial itself throwing auth failures after rhodecode authenticated it correctly.


Cheers

Marcin Kuzminski



Stefan

Jun 25, 2013, 9:47:04 AM
to rhod...@googlegroups.com
So is everything put into the hgrc file working for that repository? Hooks, etc?

Thanks
Stefan

Marcin Kuzminski

Jun 25, 2013, 6:55:56 PM
to rhod...@googlegroups.com
Yes, all except extensions should be working.

Marcin Kuzminski

Stefan

Jun 26, 2013, 4:24:03 AM
to rhod...@googlegroups.com
So in that case it seems there is a bug in rhodecode when using external authentication (e.g. through apache), as it seems the authenticated user name is not forwarded to mercurial, otherwise the authentication error would not occur. It works when directly authenticating in rhodecode though.

Regards
Stefan

Marcelo Bissaro

Jun 26, 2013, 8:25:09 AM
to rhod...@googlegroups.com

 Hi everybody,
 
 I think it should be related to an issue that I saw on 1.6.0.

 I have some git hooks configured on my repos that require the submitter's username to gather their email from the LDAP server, generate some reports, etc...
 
 On 1.4.0 I used the RHODECODE_EXTRAS environment variable. My script is written in Perl, and using some regular expression it was able to extract the username from the RHODECODE_EXTRAS value.
 
 But since 1.6.0 it is not working anymore, and my git hooks can't figure out the submitter's username.
 
 Is it related to this HG issue somehow?

 My Rhodecode is also working under Apache2.

Thanks,
Marcelo

Marcelo Bissaro

Jun 26, 2013, 9:13:32 AM
to rhod...@googlegroups.com

 After another debug session, I figured out that RHODECODE_EXTRAS is not available anymore.
 
 My Perl script algorithm looks like this:

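# Read the variable directly; a string eval would run the variable's contents as Perl code
my $rhodecode_extras = exists $ENV{RHODECODE_EXTRAS} ? $ENV{RHODECODE_EXTRAS} : 'empty';
# Stands for the regex-based username extraction, which is not shown in the post
my $username = isolate_username_from_rhodecode_extras_raw_value($rhodecode_extras);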


 The problem is that the '$rhodecode_extras' value in this case is 'empty', because $ENV{RHODECODE_EXTRAS} does not exist.

 If I can read the submitter's username in any other way, please let me know :)

Marcelo Bissaro

Jun 27, 2013, 1:34:03 PM
to rhod...@googlegroups.com

 Hi all,
 
 Sorry for all those emails in sequence... But it is for a good reason now :)
 
 After some more debugging, I found that RHODECODE_EXTRAS does not exist, but RC_SCM_DATA does. So, I've changed my Perl script to extract the username from the RC_SCM_DATA environment variable instead of RHODECODE_EXTRAS, and it worked.
 
 Is that expected? I mean, the RHODECODE_EXTRAS being removed between 1.4.0 and 1.6.0?

Regards,
Marcelo

Marcin Kuzminski

Jun 27, 2013, 1:36:39 PM
to rhod...@googlegroups.com
Hi,

Yes, that's correct, we unified that logic for GIT and HG, so for both you can access the env variables. Additionally, they store more info now, like IP.

Marcin Kuzminski

Marcin Kuzminski

Jun 27, 2013, 1:37:49 PM
to rhod...@googlegroups.com
I would need to check where mercurial expects the user in their ACL hooks, but they should be propagated to mercurial. If we have time I'll investigate this.

Cheers

Marcin Kuzminski
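
Added example (not part of the thread, and not RhodeCode's or Mercurial's own code): a simplified Python model of how Mercurial's hgweb evaluates web.allow_push and web.deny_push against the WSGI REMOTE_USER value. The user name alice, the hgrc snippets and the header-only proxy case are constructed assumptions; the model leaves out hgweb's push_ssl and request-method checks.

```python
import configparser

# Constructed hgrc snippets; the thread shows "allow_push = <name>" and "allow_push = *".
HGRC_NAMED = "[web]\nallow_push = alice\n"
HGRC_ANY = "[web]\nallow_push = *\n"


def _userlist(cfg, key):
    """Return a [web] list option as Python list (comma or whitespace separated)."""
    raw = cfg.get("web", key, fallback="")
    return [u for u in raw.replace(",", " ").split() if u]


def _ismember(user, userlist):
    # The wildcard only counts when it is the whole list; otherwise exact match.
    return userlist == ["*"] or user in userlist


def push_allowed(hgrc_text, environ):
    """Model of the push decision; returns (allowed, reason)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(hgrc_text)
    # REMOTE_USER is the only identity consulted. A proxy header such as
    # X-Forwarded-User (HTTP_X_FORWARDED_USER in WSGI) is ignored here.
    user = environ.get("REMOTE_USER")
    deny = _userlist(cfg, "deny_push")
    if deny and (not user or _ismember(user, deny)):
        return False, "denied by deny_push"
    allow = _userlist(cfg, "allow_push")
    if allow and _ismember(user, allow):
        return True, "permitted by allow_push"
    return False, "REMOTE_USER %r not permitted by allow_push %r" % (user, allow)


if __name__ == "__main__":
    cases = [
        ("direct login, REMOTE_USER set", HGRC_NAMED, {"REMOTE_USER": "alice"}),
        # Assumed proxy case: identity arrives only as a request header.
        ("proxy, header only", HGRC_NAMED, {"HTTP_X_FORWARDED_USER": "alice"}),
        ("proxy, allow_push = *", HGRC_ANY, {"HTTP_X_FORWARDED_USER": "alice"}),
    ]
    for label, hgrc, env in cases:
        print(label, "->", push_allowed(hgrc, env))
```

In this model `allow_push = *` passes for every caller, with or without an identity, which matches Mercurial's documented meaning of `*`; with that setting RhodeCode's own permissions are the only push gate.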