arc install-certificate doesn't work with bot users
Closed, Duplicate (Public)

Description

For background on this issue, see my comments on this blog post.

I create a bot user in Phabricator and now I want to set up arc on a remote host to be able to talk to Phabricator as that bot user.

I follow the Arcanist Quick Start guide and see that I need to install a certificate for my bot user as such:

arc install-certificate

The problem is that this command returns some very confusing instructions.

Trying to connect to server...
LOGIN TO PHABRICATOR
Open this page in your browser and login to Phabricator if necessary:

    http://phabricator.my.server.com/conduit/login/

Then paste the API Token on that page below.

    Paste API Token from that page:

If I follow these instructions, I end up setting up arc to authenticate as myself and not the bot user, which isn't what I want.

So I go to the settings page for my bot user on Phabricator and copy the Arcanist Certificate on there to paste into arc install-certificate.

When I try that I get:

Usage Exception: The token "tokenlongerthan32charsanddoesntbeginwithcli-..." is not formatted correctly.
API tokens should be 32 characters long. 
Make sure you visited the correct URI and copy/pasted the token correctly.

Apparently, the correct procedure to get arc to authenticate as your bot user is to create an .arcrc file on the remote host you are setting up and fill in these values:

{
  "hosts": {
    "http:\/\/phabricator.my.server.com\/api\/": {
      "user": "my-bot-user",
      "cert": "verylongtokenthatdoesntnecessarilybeginwiththeletterscli"
    }
  }
}

I only found this out by asking on #phabricator on IRC. It wasn't documented in any obvious place.

This sounds like a flow that could definitely be improved.

Event Timeline

nchammas raised the priority of this task from to Needs Triage.
nchammas updated the task description.
nchammas added a project: Arcanist.
nchammas added a subscriber: nchammas.

I'm just going to merge this into T5955 -- this is going to become:

$ echo {...} | arc call-conduit --conduit-token 'cli-abcdef' method.name

...once that's slightly further along. The version of that which works today is:

{
  "hosts": {
    "http://phabricator.my.server.com/api/": {
      "token": "cli-shorttokenwhichstartswithcli"
    }
  }
}

...but in the majority of cases I suspect --conduit-token will be significantly easier to use.

--conduit-token would be the bee's knees for us; managing the .arcrc file with web users, file permissions, and all this other noise is a huge hassle.
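
For hosts that still have to use the .arcrc approach discussed in this thread, the following is an added example (not code from Phabricator, Arcanist, or any participant here) that writes the token-style host entry for a bot user and keeps the file readable by its owner only. The helper names `check_token` and `write_arcrc` are hypothetical; the 32-character check comes from the arc error text quoted in the description, and the `"token"` key from the config shown in the comment above.

```python
import json
import os
import stat
import tempfile

TOKEN_LENGTH = 32  # length stated in the arc error message quoted in the task


def check_token(token):
    """Reject values that are not token-shaped, e.g. a pasted certificate."""
    if len(token) != TOKEN_LENGTH:
        raise ValueError(
            "expected a %d-character API token, got %d characters; a longer "
            "value is probably the Arcanist certificate"
            % (TOKEN_LENGTH, len(token)))
    return token


def write_arcrc(path, conduit_uri, token):
    """Add or replace one host entry in an .arcrc, keeping it owner-only."""
    check_token(token)
    config = {}
    if os.path.exists(path):
        with open(path) as fh:
            config = json.load(fh)  # keep entries for other hosts
    config.setdefault("hosts", {})[conduit_uri] = {"token": token}

    # Write to a temp file in the same directory, then rename over the target.
    # mkstemp creates the file with mode 0600, so the token is never readable
    # by other accounts on the host, even briefly.
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".arcrc.")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(config, fh, indent=2)
            fh.write("\n")
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed demo using the placeholder host and token from the thread.
    demo = os.path.join(tempfile.mkdtemp(), ".arcrc")
    mode = write_arcrc(demo, "http://phabricator.my.server.com/api/",
                       "cli-shorttokenwhichstartswithcli")
    print(oct(mode), open(demo).read())
```
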