Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]

37 Authorization

37.1 OBS Authorization Methods

Each package is signed with a PGP key to allow checking its integrity on user's machines.

37.1.1 Default Mode

OBS provides its own user database which can also store a password. The authentication to the API happens via HTTP BASIC AUTH. See the API documentation to find out how to create, modify or delete user data. Also a call for changing the password exists.

37.1.2 Proxy Mode

The proxy mode can be used for esp. secured instances, where the OBS web server shall not get connected to the network directly. There are authentication proxy products out there which do the authentication and send the user name via an HTTP header to OBS. This also has the advantage that the user password never reaches OBS.

37.1.3 LDAP Mode

LDAP authentication code is still part of OBS, but due to the lack of any test cases it is currently not recommended to use it.

37.2 OBS Token Authorization

OBS provides a mechanism to create tokens for specific operations. This can be used to allow certain operations in the name of a user to others. This is esp. useful when integrating external infrastructure. The create token should be kept secret by default, but it can also be revoked at any time if it became obsolete or leaked.

37.2.1 Managing User Tokens

Tokens always belong to a user. A list of active tokens can be viewed using

osc token
osc token --delete <TOKEN>

37.2.2 Executing an Action

A token can be used to execute specific operations. This can be a source service trigger, a rebuild call, or release action. The setup needs to be prepared for the action. For example a source service for that can be setup with:

osc add git://....

The best way to create a token is bind it to a specific package. The advantage is that the operation is limited to that package, so less bad things can happen when the token leaks.

osc token --create <PROJECT> <PACKAGE>

Also, you do not need to specify the package at execution time. But keep in mind that such form only works when you run it on an as checkout of a package. Both commands below do the same thing but in a different way:

osc token --trigger <TOKEN>
osc api -X POST /trigger/runservice?token=<TOKEN>

A token can be registered as generic token, means allowing to execute all source services in OBS if the user has permissions. You can create such a token by skipping project/package on creation command:

osc token --create

In this case, you are forced to specify project/package along with the token. On the other hand, you are not limited from where you execute it. Again, two examples doing same thing:

osc token --trigger <TOKEN> <PROJECT> <PACKAGE>
curl -H "Authorization: Token <TOKEN>" -X POST https://$obs_instance/trigger/runservice?project=<PROJECT>&package=<PACKAGE>

You can also limit the token to a specific package. The advantage is that the operation is limited to that package, so less bad things can happen when the token leaks. Also you do not need to specify the package on execution time. Create and execute it with:

osc token --create <PROJECT> <PACKAGE>
osc token --trigger <TOKEN>
curl -H "Authorization: Token <TOKEN>" -X POST /trigger/runservice

A token to rebuild a package can be created and trigger by

osc token --opertion rebuild --create <PROJECT> <PACKAGE>
osc token --operation rebuild --trigger <TOKEN>
curl -H "Authorization: Token <TOKEN>" -X POST https://$obs_instance/trigger/rebuild

A token to release a package can be created and trigger by

osc token --opertion release --create <PROJECT> <PACKAGE>
osc token --operation release --trigger <TOKEN>
curl -H "Authorization: Token <TOKEN>" -X POST https://$obs_instance/trigger/release
Print this page