Bitten Plug-in cannot access SVN repos - 403: Forbidden error

[bitten@…]

I'm not sure how the Bitten Plugin (as opposed to bitten-slave) access the SVN repos path set in the recipe but it seems to me that if your repos is behind HTTP auth there needs to be some way to set the username/password, or have I mised something?

Below are the errors I get. Everything works fine (bitten-slave starts up) until the recipe that uses the repos path is activated, and everything works fine in a Trac install that has a SVN repos without HTTP Auth.

All Trac instances are 0.10.4 with Bitten-0.6dev_r519-py2.5.egg

$ bitten-slave --version
bitten-slave 0.6dev-r519
$ bitten-slave -v http://imp.xxxxxx.com/code/randd/builds
[DEBUG   ] Configured packages: {}
[DEBUG   ] Sending slave configuration: <slave name="xxxxxx-vm"><platform processor="">i686</platform><os version="2.6.22-14-generic" family="posix">Linux</os></slave>
[DEBUG   ] Sending POST request to 'http://imp.xxxxxx.com/code/randd/builds'
[INFO    ] No pending builds

Activate the reciepe in the Admin interface:

$ bitten-slave -v http://imp.xxxxxx.com/code/randd/builds
[DEBUG   ] Configured packages: {}
[DEBUG   ] Sending slave configuration: <slave name="xxxxxx-vm"><platform processor="">i686</platform><os version="2.6.22-14-generic" family="posix">Linux</os></slave>
[DEBUG   ] Sending POST request to 'http://imp.xxxxxx.com/code/randd/builds'
[WARNING ] Server returned error 403: Forbidden
[ERROR   ] HTTP Error 403: Forbidden
[DEBUG   ] Removing temporary directory /tmp/bittenZmhLA7

In the trac.log:

$ tail -f UNIX/share/trac/randd/log/trac.log
2008-02-03 13:31:46,383 Trac[main] WARNING: 403 Forbidden (403 Forbidden (Insufficient permissions to access /path/in/repos))

Trac itself accesses the repos as normal for Browse Source, etc, i.e. on the filesystem not over http.

A standard SVN checkout from the command line works fine too - how does Bitten Plugin get the credentials to access the SVN repos?

[timn]

We had the same issue. The solution that we currently use: we created a bitten-slave (unix) user. That user was used once to checkout the code manually and to store the credentials. Now when the bitten slave runs, it can used the stored credentials.

Although this is not a real solution it's a workaround until that gets fixed.

[mikael.karon@…]

There is an option to make bitten-slave authenticate with a specific user (--user=someuser --password=somepassword), but this won't be used unless the target path requires authentication, which in turn results in bitten thinking you are unauthenticated.

The solution is to require authentication on the /project/builds path.

[anonymous]

Thanks mikael,

adding the Location Match? rule below to my Apache 2 configuration did the trick :

NameVirtualHost *:80
<VirtualHost *:80>
[...]
        <Location /projects>
                SetHandler mod_python
                SetEnv PYTHON_EGG_CACHE /tmp/python-egg-cache
                PythonHandler trac.web.modpython_frontend
                PythonOption TracEnvParentDir /home/svn/trac-data
                PythonOption TracUriRoot /projects
        </Location>

        <LocationMatch "/projects/[^/]+/builds">
                AuthType Basic
                AuthName "Trac"
                AuthUserFile /home/svn/trac-data/trac-passwd
                Require valid-user
        </LocationMatch>
</VirtualHost>

Note: for this to work, your Trac instance must be configured to use Ht Passwd Store?.

[ptekchand_rz2games_com]

This also helped get around "HTTP 401: Authorization Required"

C:\bitten>bitten-slave --user=slaveuser --password=password --verbose https://bittenmaster/trac/project/builds
[DEBUG   ] Enabling authentication with username 'slaveuser'
Enabling authentication with username
[DEBUG   ] Configured packages: {}
[DEBUG   ] Sending slave configuration: <slave name="bittenslave"><platform processor=""/><os version="2003Server" family="nt">Windows</os></slave>
[DEBUG   ] Sending POST request to 'http://bittenmaster/trac/project/builds'
[INFO    ] Build pending at http://bittenmaster/trac/project/builds/1
[DEBUG   ] Sending GET request to 'http://bittenmaster/trac/project/builds/1'
[WARNING ] Server returned error 401: Authorization Required
[ERROR   ] HTTP Error 401: Authorization Required
[DEBUG   ] Removing temporary directory c:\docume~1\slaveuser\locals~1\temp\3\bittenvaxokh

(project, host and user names edited)

[osimons]

Slave performs checkout itself, so the trick with having the slave perform checkout and storing credentials is a good solution. As for the general problem of Bitten authentication, that is the topic of #208.

The <svn:zzzz/> commands now also supports username & password arguments in recipe, and together with local slave configuration this can also be configured for each slave by using username="${svn.username}" and having [svn] username = someone in config file. That has the downside of transmitting the data to the master in plaintext, and where it gets stored as slave property and logged with debug logging...

That is not by any means ideal, and perhaps slave should support a special [local] config section for settings that can be used by slave for local operations, but are excluded from the information transmitted and used by master? Or something similar and predictable that makes storing sensitive information in local file more acceptable? Ideas?