Page MenuHomePhabricator

Cannot clone public repository over HTTP anonymously.
Closed, ResolvedPublic

Description

Since the new management UI (T10922: Upgrading: New Repository UI, APIs, and URI management), we can no longer access our anonymous access repositories over HTTP.

Reproduction steps:

  • For a Phabricator-hosted repository, click manage repository
  • Go to policies
  • Set visible to "Public (no login required)"
  • Attempt to clone the repository over HTTP
    • git clone http://phabricator.internal/diffusion/CALLSIGN/callsign.git

Expected result:

  • Git clone is successful

Actual result:

The only way I have been able to get anonymous HTTP cloning to work is by enabling diffusion.allow-http-auth first, however the docs at https://secure.phabricator.com/book/phabricator/article/diffusion_hosting/ state I should be able to leave this option disabled for anonymous access (specifically the first sentence under "Configuring HTTP which says: "If you plan to serve repositories over authenticated HTTP, you need to set diffusion.allow-http-auth in Config. If you don't plan to serve repositories over HTTP (or plan to use only anonymous HTTP) you can leave this setting disabled.").

Leaving this diffusion.allow-http-auth enabled is not ideal for us because it allows all of our repositories to be cloned over HTTP, not just the ones that we have given anonymous access to. This also causes issues to us that are similarly described in T10517: Make Harbormaster build variables extensible where the default {repository.uri} becomes the HTTP URI instead of the git URI which breaks how we use Harbormaster today.

Versions:

phabricator 08bea1d363fd6b51098b6687f0c7603b2a7f2faa (Thu, May 19)
arcanist 2234c8cacc21ce61c9c10e8e5918b6a63cc38fc8 (Mon, May 16)
phutil bd56873ae4c0f77d1fabc66289b62dfaa2ca56b5 (Thu, May 19)
disqus 6720f9c7bbbed4a2e87ab8bfef9fa6d74bd48626 (Dec 22 2015)

Event Timeline

tail updated the task description. (Show Details)
epriestley triaged this task as Normal priority.
epriestley added a project: Diffusion.

This should be fixed in HEAD of master. Thanks for the report! Let us know if you run into anything else.

This doesn't work again.

Tested on (stable) Promote 2017 Week 29

This might be useful debugging information:

>> export GIT_CURL_VERBOSE=1
>> git clone http://phabricator.internal/diffusion/TRACTORAPI/tractor-api.git
Cloning into 'tractor-api'...
* Couldn't find host phabricator.internal in the .netrc file; using defaults
* About to connect() to phabricator.internal port 80 (#0)
*   Trying 10.11.45.21... * Connected to phabricator.internal (10.11.45.21) port 80 (#0)
> GET /diffusion/TRACTORAPI/tractor-api.git/info/refs?service=git-upload-pack HTTP/1.1
User-Agent: git/2.14.1
Host: phabricator.internal
Accept: */*
Accept-Encoding: gzip
Accept-Language: en-US, *;q=0.9
Pragma: no-cache

* HTTP 1.0, assume close after body
< HTTP/1.0 500 Error 1: sudo: a password is required
< Date: Wed, 23 Aug 2017 16:52:45 GMT
< Server: Apache/2.4.6 (CentOS) PHP/5.4.16
< X-Powered-By: PHP/5.4.16
< Content-Encoding: gzip
< Vary: Accept-Encoding
< Content-Length: 62
< Connection: close
< Content-Type: text/html; charset=UTF-8
< 
* Expire cleared
* Closing connection #0
fatal: unable to access 'http://phabricator.internal/diffusion/TRACTORAPI/tractor-api.git/': The requested URL returned error: 500

If you believe you've found a bug in Phabricator, please follow the instructions in Contributing Bug Reports to file a report.

debugging troubleshooting

I'm not sure it's a bug. The error message was surprising; HTTP/1.0 500 Error 1: sudo: a password is required. I see a matching error message in Q261. The solution there seems to be allowing the webserver process owner to have sudo rights. I now found there are docs on the subject diffusion_hosting#configuring-sudo.

We'll verify the config is setup correctly.

Sorry to leave this hanging, but the issue was with our server configuration. We did not have the correct sudo rights confgured