Bug 1575998 - CentOS: dnf can't handle password-protected repos
Summary: CentOS: dnf can't handle password-protected repos
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: dnf
Version: rawhide
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Marek Blaha
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords: Triaged
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-05-08 13:51 UTC by Adam Thompson
Modified: 2018-06-28 08:16 UTC (History)
8 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2018-06-28 08:16:21 UTC


Attachments (Terms of Use)
logfile showing lack of login (7.70 KB, text/plain)
2018-05-10 21:37 UTC, Adam Thompson
no flags Details

Description Adam Thompson 2018-05-08 13:51:29 UTC
Description of problem:


Version-Release number of selected component (if applicable):
dnf-2.7.5-10.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Create a yum.repo file with "username" and "password" directives
2. Run any dnf command
3. Watch it fail

Actual results:
"Failed to synchronize cache for repo 'bareos-latest', disabling."

Expected results:
Should send userid and password in reponse to HTTP Basic Auth challenge from webserver hosting the repo.

Additional info:
Workaround is to embed the username and password in the baseurl, which appears to work OK, but this contradicts 10+ years of instructions hanging around in various places on the 'net.  POLA is definitely violated, and not everyone will understand how to urlencode their userid & password.

Comment 1 Adam Thompson 2018-05-08 13:55:59 UTC
/etc/yum.repos.d/bareos-latest.conf:
***
[bareos-latest]
name=bareos-latest
type=rpm-md
baseurl=https://avantsysadm%40avant.ca:********@download.bareos.com/bareos/release/latest/CentOS_7/
gpgcheck=1
gpgkey=https://download.bareos.com/bareos/release/latest/CentOS_7/repodata/repomd.xml.key
enabled=1
***

Instructions provided to users (in the same vein as every other vendor with a password-protected repo) have always been to use a baseurl of "https://download.bareos.com/bareos/release/latest/CentOS_7/" and to add a "username=avantsysadm@avant.ca" and "password=*******" lines to the repo file.

I should have titled the bug "dnf breaks backward compatibility for password-protected repos" but I didn't think of that when I was typing it, sorry.

Comment 2 Marek Blaha 2018-05-10 11:50:43 UTC
Hi, username / password in the repo config should work (i.e. this functionality is implemented). Please can you run any dnf command exclusively on this repo (e.g. dnf list --refresh --repo bareos-latest --available) and check dnf.librepo.log file? For root user, log file is located in /var/log/dnf.librepo.log, for ordinary user in /var/tmp/dnf-username-xxx/dnf.librepo.log. I suspect there could be an another problem then username/password with this repo.

This is my quick experiment with the localy configured password protected repo.
/etc/yum.repos.d/dummyrepo.conf:
[dummyrepo]
name=Dummy repo
baseurl=http://localhost/dummyrepo/
enabled=1
gpgcheck=0
username=user
password=pwd

and this is what I've dumped on network when running the dnf command:
GET /dummyrepo/repodata/repomd.xml HTTP/1.1
Host: localhost
Authorization: Basic dXNyOnB3ZA==
User-Agent: dnf/2.7.5
Accept: */*
Cache-Control: no-cache
Pragma: no-cache

Comment 3 Adam Thompson 2018-05-10 21:37 UTC
Created attachment 1434566 [details]
logfile showing lack of login

Comment 4 Adam Thompson 2018-05-10 21:38:16 UTC
One possible difference is http vs https  - dunno if it makes any difference or not.

Comment 5 Marek Blaha 2018-05-11 05:37:48 UTC
I've contacted bareos, because without active subscription I'm not able to test access to download.bareos.com.

Comment 6 Marek Blaha 2018-05-14 09:00:49 UTC
Thanks for reporting, we really had an issue with password protected repos in dnf.

This PR should fix the bug in upstream: https://github.com/rpm-software-management/dnf/pull/1088

Comment 7 Jaroslav Mracek 2018-06-28 08:16:21 UTC
The issue is solved by dnf-3.0.1-1 that was released into rawhide.


Note You need to log in before you can comment on or make changes to this bug.