Can't access RC using auth_token after update

David

31 Oct, 2018 06:09 PM

Hi,

We updated from RC CE 4.4.2 to 4.13.3 last week. We have some deployment scripts that call Rhodecode using wget and an auth_token to pull raw file data. It was working fine until the update.

  • The user has full permissions on the repo.
  • The auth_token is set to never expire and has the VCS role (was working fine previously).
  • The authentication plugins enabled are: egg:rhodecode-enterprise-ce#ldap, egg:rhodecode-enterprise-ce#rhodecode, and egg:rhodecode-enterprise-ce#token.
  • Our rhodecode.ini file contains the following line: api_access_controllers_whitelist = ChangesetController:changeset_patch, ChangesetController:changeset_raw, FilesController:raw, FilesController:archivefile

Yet our script still gets redirected to the login page when a URL like this is called:
https://our-rc-server.com/path/to/repo/raw/default/path/to/file?auth_token=<our token>

What else could I be missing?

Thanks!
David

  1. Support Staff 1 Posted by develop on 31 Oct, 2018 08:02 PM

    Hi David,

    I guess it might be related to the fact that in a certain release we introduced token roles. Can you check if the token used has a "WEB" role or "ALL"?

    Also, turning on the debug log-level should show you exactly the reason why the token was rejected in the authentication chain.

  2. 2 Posted by David on 31 Oct, 2018 09:47 PM

    Thanks for the quick response!

    I've tried tokens of type ALL, VCS (which is what I was using previously), and WEB/HTTP. All currently fail.

    Here's the stuff in the log when I make this call:
    2018-10-31 14:33:12.720 WARNI [rhodecode.lib.auth] view:RepoFilesView:repo_file_rawdoes *NOT* match any entry in whitelist: ['ChangesetController:changeset_patch', 'ChangesetController:changeset_raw', 'FilesController:raw', 'FilesController:archivefile']
    2018-10-31 14:33:12.721 WARNI [rhodecode.lib.auth] user <AuthUser('id:8[retail_web_push] ip:172.16.1.142 auth:False')> authenticating with:AUTH_TOKEN_AUTH NOT authenticated on func: RepoFilesView:repo_file_raw: IP_ACCESS:True AUTH_TOKEN_ACCESS:False

    I tried adding "RepoFilesView:repo_file_raw" to the access whitelist, but that didn't help. I also restarted the instance to make sure the change took effect. But no luck, still get bounced to the login page.

    I've attached my rhodecode.ini file for reference if that helps (had to zip it to get past your file upload checker).

    Any other suggestions are appreciated.

    Thanks!

  3. Support Staff 3 Posted by develop on 31 Oct, 2018 11:49 PM

    OK, so after adding RepoFilesView:repo_file_raw, is it the same message?

    There are some views that changed, but AFAIR our system should translate old entries into new ones.

  4. 4 Posted by David on 01 Nov, 2018 12:03 AM

    The error in the logs is now:
    2018-10-31 16:58:08.272 WARNI [rhodecode.lib.auth] AUTH TOKEN ****b70b *NOT* valid
    2018-10-31 16:58:08.273 WARNI [rhodecode.lib.auth] user <AuthUser('id:8[retail_web_push] ip:172.16.1.142 auth:False')> authenticating with:AUTH_TOKEN_AUTH NOT authenticated on func: RepoFilesView:repo_file_raw: IP_ACCESS:True AUTH_TOKEN_ACCESS:False

    But that token is newly generated and I triple-checked it. I tried the old one as well with the same result.

    I am positive that user has read/write permissions on the repo I'm reading from.

    Other ideas?

  5. Support Staff 5 Posted by develop on 01 Nov, 2018 07:13 PM

    Not sure what might be the problem...

    Tokens are stored encrypted, but if the encryption failed somehow, the error would be different.

    • no one else reported such problem
    • we tested it again on latest release (beside automated tests) and it works as expected...

    Did you try to enable DEBUG log-level to see more details before the WARNI message?

  6. 6 Posted by David on 01 Nov, 2018 11:33 PM

    I enabled full debugging and have attached the log file from a failed call. Hard to tell where the issue is, but maybe you have a keener eye for spotting the problem?

    Thanks again!
    David

  7. Support Staff 7 Posted by develop on 02 Nov, 2018 07:29 AM

    There seems to be a problem with the attachment. We see only one, with the .ini file.

    Best,

  8. 8 Posted by David on 02 Nov, 2018 06:06 PM

    Oops... sorry. I misnamed the file. The contents are actually the log. Re-sending with the proper filename.

  9. Support Staff 9 Posted by develop on 02 Nov, 2018 08:35 PM

    Ok,

    It looks like a token role mismatch.

    Row (50, 8, u'68851284c0e1a6535408555be068c1ffe952b70b', u'updated', -1.0, u'token_role_vcs'
    

    Please make sure token used is token_role_web

    Best,

  10. 10 Posted by David on 02 Nov, 2018 09:22 PM

    Thanks! Can you clarify what that means or how I can accomplish that? I've tried with token types ALL, VCS, and WEB/HTTP. None of those worked. Is there somewhere else the role for the token is set?

  11. Support Staff 11 Posted by develop on 03 Nov, 2018 08:42 AM

    No, the token role can be set inside the web-ui.

    Is that token displayed as a web type in the user auth tokens page?

    From logs we can only see this token: 68851284c0e1a6535408555be068c1ffe952b70b
    I guess it comes from an automated task, but here the error is obvious: it's not the correct type.

    Can you try a different token? And then maybe send the logs, because here, as I mentioned, this is a token mismatch.

  12. 12 Posted by David on 05 Nov, 2018 11:12 PM

    Thanks again!

    I deleted all of the auth tokens I generated, including the one referenced above, and then created a new one of type "All". It worked! Wondering if something got messed up in the database -- perhaps an index or something -- and deleting the problematic records fixed the issue.

    Anyway, I appreciate your consistent help.
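
Added example, not part of the original thread and not RhodeCode code: a small Python triage of the `rhodecode.lib.auth` warnings quoted in the thread, pairing each denied request with the reason logged immediately before it. The regular expressions are written against the message wording shown in this thread only (an assumption for any other RhodeCode version), and the sample input is the thread's own log text, run together on one line as it was pasted.

```python
import re

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"
RECORD = re.compile(rf"({TS}) WARNI \[rhodecode\.lib\.auth\] (.*)", re.S)
NOT_WHITELISTED = re.compile(
    r"view:(\S+?)\s*does \*NOT\* match any entry in whitelist: \[(.*?)\]")
TOKEN_INVALID = re.compile(r"AUTH TOKEN (\S+) \*NOT\* valid")
DENIED = re.compile(
    r"AuthUser\('id:\d+\[([^\]]+)\] ip:(\S+) auth:\w+'\)> authenticating with:(\S+) "
    r"NOT authenticated on func: (\S+): IP_ACCESS:(\w+) AUTH_TOKEN_ACCESS:(\w+)")

# Log text copied from the thread (both failed calls), records run together.
_DENY = ("WARNI [rhodecode.lib.auth] user <AuthUser('id:8[retail_web_push] "
         "ip:172.16.1.142 auth:False')> authenticating with:AUTH_TOKEN_AUTH "
         "NOT authenticated on func: RepoFilesView:repo_file_raw: "
         "IP_ACCESS:True AUTH_TOKEN_ACCESS:False ")
SAMPLE_LOG = (
    "2018-10-31 14:33:12.720 WARNI [rhodecode.lib.auth] "
    "view:RepoFilesView:repo_file_rawdoes *NOT* match any entry in whitelist: "
    "['ChangesetController:changeset_patch', 'ChangesetController:changeset_raw', "
    "'FilesController:raw', 'FilesController:archivefile'] "
    "2018-10-31 14:33:12.721 " + _DENY +
    "2018-10-31 16:58:08.272 WARNI [rhodecode.lib.auth] AUTH TOKEN ****b70b *NOT* valid "
    "2018-10-31 16:58:08.273 " + _DENY)

def triage(text):
    """Return one finding per denied request, tagged with the preceding reason."""
    findings, reason = [], {"cause": "unknown"}
    # Split on timestamps so records pasted onto one line are still separated.
    for chunk in re.split(rf"(?={TS} )", text):
        rec = RECORD.match(chunk.strip())
        if not rec:
            continue
        ts, msg = rec.groups()
        if m := NOT_WHITELISTED.search(msg):
            reason = {"cause": "view_not_whitelisted", "view": m.group(1),
                      "whitelist": re.findall(r"'([^']+)'", m.group(2))}
        elif m := TOKEN_INVALID.search(msg):
            reason = {"cause": "token_rejected", "token": m.group(1)}
        elif m := DENIED.search(msg):
            user, ip, method, view, ip_ok, tok_ok = m.groups()
            findings.append({"time": ts, "user": user, "ip": ip, "method": method,
                             "view": view, "ip_access": ip_ok == "True",
                             "token_access": tok_ok == "True", **reason})
            reason = {"cause": "unknown"}  # a reason applies to one denial only
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

On the thread's log text this separates the two failure stages: the first denial is a whitelist miss on the renamed view, the second is a rejection of the token itself.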
