[ECODP-dev] test machine to release 00.09.03 with CKAN security patch (ODP-300 & ODP-291 support)

John Glover john.glover at okfn.org
Tue Oct 22 09:49:15 UTC 2013


Hi Bert,

> * Can you provide a detailed update on what you have changed?
>   Also "breaks some redirects" ... that part requires some more
>   explanation.

There are redirects in a few places in CKAN, in particular when you click
the 'login' or 'logout' buttons, you are redirected to different pages (eg:
'profile'). These use the value of ckan.site_url in the config, so if it is
set to an internal IP address, then users will be redirected to a link that
they can't access.

> * About the nginx: this is the configuration that has been provided to
>   us. So we were not aware that this happened.
>   Can you provide the detailed rules that are to be changed?

The following lines in the NGINX config tell NGINX to bypass cache for the
old 'auth_tkt' cookie:

proxy_cache_bypass $cookie_auth_tkt;
proxy_no_cache $cookie_auth_tkt;

In release 09 this cookie is called 'ckan', so when caching is enabled
those lines need to be changed to:

proxy_cache_bypass $cookie_ckan;
proxy_no_cache $cookie_ckan;

Note that these lines occur in multiple NGINX location blocks. You may need
to clear the NGINX cache before changes take effect (or wait for the
timeout).

Regards,
John



On 21 October 2013 17:32, Darwin Peltan <darwin.peltan at okfn.org> wrote:

> Hi Bert,
>
> I'm glad it's clear now. When do you think you'd be able to get us access
> to the test data please? This is obviously quite urgent now.
>
> Thanks,
>
> Darwin
>
> Darwin Peltan
>
> Project Manager  |  skype: darwinp  |  twitter: @darwin <http://twitter.com/darwin>
>
> The Open Knowledge Foundation <http://okfn.org/>
>
> Empowering through Open Knowledge
>
> http://okfn.org/  |  @okfn <http://twitter.com/OKFN>  |  OKF on Facebook <https://www.facebook.com/OKFNetwork>  |  Blog <http://blog.okfn.org/>  |  Newsletter <http://okfn.org/about/newsletter>
>
> CKAN | http://ckan.org | @ckanproject <http://twitter.com/ckanproject> | open source data management platform
>
>
> On 21 October 2013 16:12, Bert Van Nuffelen <
> bert.van.nuffelen at tenforce.com> wrote:
>
>> Hi Darwin,
>>
>>
>> On the call we discussed the need for a release 00.09.00x version. Not
>> the need for the data. Maybe obvious for you, not for me.
>>
>> best,
>>
>> Bert
>>
>>
>> 2013/10/21 Darwin Peltan <darwin.peltan at okfn.org>
>>
>>> Hi Bert,
>>>
>>> This was requested in my email on Monday 14th of October on the thread
>>> about ODP-291 copied below and we also discussed it in the call.
>>>
>>> Best,
>>>
>>>  Darwin
>>>
>>> -----------
>>>
>>> This would require a change to one of the Python files. This could be
>>> supplied as a patch, but this is obviously more risky than going through the
>>> whole release cycle. Whichever approach is taken we would need 10F to
>>> create a test environment with the latest version of release 09 installed
>>> and an up-to-date copy of the live DB so the change can be verified with
>>> realistic test data before being delivered to the PO.
>>>
>>> -----------------
>>>
>>>
>>> On 21 October 2013 15:59, Bert Van Nuffelen <
>>> bert.van.nuffelen at tenforce.com> wrote:
>>>
>>>> Hi Darwin,
>>>>
>>>> I promised you last week a release 00.09.00. Which I did. On Tuesday
>>>> it was not requested by you that it would contain a "production" copy of
>>>> the database. I am actually surprised myself by your question.
>>>>
>>>> best regards,
>>>>
>>>> Bert
>>>>
>>>>
>>>> 2013/10/21 Darwin Peltan <darwin.peltan at okfn.org>
>>>>
>>>>> Dear Bert,
>>>>>
>>>>> I have to say that I'm slightly taken aback by your email. Our joint
>>>>> customer has a major issue with the live version of their site. Just under
>>>>> a week ago we discussed the actions to resolve this and you agreed that you
>>>>> would set up a test site with a copy of the production data. This is
>>>>> essential so that we can test our patch with realistic test data. Now
>>>>> after we've been waiting almost a week you tell us you can't do this
>>>>> because you can't access your own server?
>>>>>
>>>>> I'm sorry but please can you try again.
>>>>>
>>>>> Darwin
>>>>>
>>>>>
>>>>> On 21 October 2013 14:54, Bert Van Nuffelen <
>>>>> bert.van.nuffelen at tenforce.com> wrote:
>>>>>
>>>>>> Hi John,
>>>>>>
>>>>>> That backup is on the 01.00.00 test system, which is inaccessible
>>>>>> because it sits on a machine with the same IP.
>>>>>> I propose you test and evaluate it with your own test data.
>>>>>>
>>>>>> kind regards,
>>>>>>
>>>>>> Bert
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2013/10/16 John Glover <john.glover at okfn.org>
>>>>>>
>>>>>>> Hi Bert,
>>>>>>>
>>>>>>> Thanks. Could you also please load the most recent dump of the 09
>>>>>>> production database (the backups directory that Dimitrios mentioned before
>>>>>>> is no longer on the server)?
>>>>>>>
>>>>>>> I will investigate the issue with logging in after I have written
>>>>>>> and tested the patch.
>>>>>>>
>>>>>>> Regards,
>>>>>>> John
>>>>>>>
>>>>>>>
>>>>>>>  On 16 October 2013 15:20, Bert Van Nuffelen <
>>>>>>> bert.van.nuffelen at tenforce.com> wrote:
>>>>>>>
>>>>>>>>  Hi John and Darwin,
>>>>>>>>
>>>>>>>> 212.71.25.148 has been set up to release 00.09.03, plus the suggested
>>>>>>>> changes to temporarily remove the https setup.
>>>>>>>>
>>>>>>>> For ODP-300:
>>>>>>>>
>>>>>>>> There is a system admin user created api/api and a data publisher
>>>>>>>> bert/bert.
>>>>>>>> What we have now is that with this setup if you login as bert, then
>>>>>>>> clear your cookies in your browser and then login as api you see bert.
>>>>>>>> Secondly if Dimitrios logs in on another computer as api then he is
>>>>>>>> also 'bert'.
>>>>>>>>
>>>>>>>> I have the feeling that the suggestion for removing the https setup
>>>>>>>> has a drastic impact on the correct user management.
>>>>>>>>
>>>>>>>> best regards,
>>>>>>>>
>>>>>>>> Bert
>>>>>>>>
>>>>>>>> --
>>>>>>>> Bert Van Nuffelen
>>>>>>>>
>>>>>>>> Semantic Technologies Software Architect at TenForce
>>>>>>>> www.tenforce.be
>>>>>>>>
>>>>>>>> Bert.Van.Nuffelen at tenforce.com
>>>>>>>> Office: +32 (0)16 31 48 60
>>>>>>>> Mobile:+32 479 06 24 26
>>>>>>>> skype: bert.van.nuffelen
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Ecodp-dev mailing list
>>>>>>>> Ecodp-dev at lists.okfn.org
>>>>>>>> http://lists.okfn.org/mailman/listinfo/ecodp-dev
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
>
>
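Added example (not code from this thread, CKAN or OKFN): a small Python audit script for the two configuration problems John's reply describes, meant to be run against a copy of the NGINX config and the CKAN .ini before a deployment. It flags every cached NGINX `location` block whose `proxy_cache_bypass` / `proxy_no_cache` still reference the old `$cookie_auth_tkt` or do not include the current `$cookie_ckan` (the symptom of getting this wrong is one user's cached logged-in page being served to another), and it flags a `ckan.site_url` whose host is a private or loopback IP, since login/logout redirects are built from that value. Assumptions: flat (non-nested) `location` blocks, `proxy_cache` set inside the block itself (inheritance from the http/server level is not followed), the standard CKAN .ini layout `[app:main]` / `ckan.site_url`, and constructed sample configs in place of the project's real files.

```python
"""Audit NGINX cache-bypass rules and ckan.site_url (added example, not CKAN/OKFN code).

Assumes flat location blocks, proxy_cache set inside the block, and the CKAN
.ini layout [app:main] / ckan.site_url. Sample inputs below are constructed.
"""
from __future__ import annotations

import configparser
import ipaddress
import re
from urllib.parse import urlsplit

SESSION_COOKIE = "ckan"      # cookie name in release 09, per the thread
STALE_COOKIE = "auth_tkt"    # cookie name the old NGINX config still references


def parse_location_blocks(conf: str) -> list[tuple[str, str]]:
    """Return (location_spec, body) pairs by matching braces from each `location`."""
    blocks = []
    for m in re.finditer(r"location\s+([^{]+?)\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        blocks.append((m.group(1).strip(), conf[m.end():i - 1]))
    return blocks


def directive_args(body: str, name: str) -> list[list[str]]:
    """Argument lists of every `name` directive in a block body (comments stripped)."""
    out = []
    for raw in body.splitlines():
        parts = raw.split("#", 1)[0].strip().rstrip(";").split()
        if parts and parts[0] == name:
            out.append(parts[1:])
    return out


def audit_nginx(conf: str) -> list[str]:
    """One finding per cache-bypass directive that is stale or lacks the session cookie."""
    findings = []
    for spec, body in parse_location_blocks(conf):
        cached = any(a and a[0] != "off" for a in directive_args(body, "proxy_cache"))
        if not cached:
            continue  # nothing is cached in this block, so no bypass rule is needed
        for directive in ("proxy_cache_bypass", "proxy_no_cache"):
            seen = {v for args in directive_args(body, directive) for v in args}
            if f"$cookie_{STALE_COOKIE}" in seen:
                findings.append(f"location {spec}: {directive} references stale $cookie_{STALE_COOKIE}")
            if f"$cookie_{SESSION_COOKIE}" not in seen:
                findings.append(f"location {spec}: {directive} does not bypass cache for $cookie_{SESSION_COOKIE}")
    return findings


def audit_site_url(ini_text: str) -> list[str]:
    """Flag a ckan.site_url whose host is a private or loopback IP address."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    host = urlsplit(cp.get("app:main", "ckan.site_url", fallback="")).hostname or ""
    if not host:
        return ["ckan.site_url is missing or has no host"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return []  # a hostname rather than a literal IP: nothing to flag here
    if ip.is_private or ip.is_loopback:
        return [f"ckan.site_url points at internal address {host}; login/logout redirects will be unreachable"]
    return []


# Constructed sample configs (not the project's real files).
NGINX_BEFORE = """
location / {
    proxy_pass http://127.0.0.1:8080;
    proxy_cache ckan_cache;
    proxy_cache_bypass $cookie_auth_tkt;
    proxy_no_cache $cookie_auth_tkt;
}
location /api/ {
    proxy_pass http://127.0.0.1:8080;
    proxy_cache ckan_cache;
    proxy_cache_bypass $cookie_auth_tkt;   # stale cookie name
    proxy_no_cache $cookie_auth_tkt;
}
location /static/ {
    root /var/www/ckan;   # no proxy_cache here, so nothing to check
}
"""
NGINX_AFTER = NGINX_BEFORE.replace("$cookie_auth_tkt", "$cookie_ckan")
INI_INTERNAL = "[app:main]\nckan.site_url = http://10.0.0.5\n"
INI_PUBLIC = "[app:main]\nckan.site_url = http://data.example.org\n"

if __name__ == "__main__":
    for title, findings in (("nginx before", audit_nginx(NGINX_BEFORE)),
                            ("nginx after", audit_nginx(NGINX_AFTER)),
                            ("site_url", audit_site_url(INI_INTERNAL))):
        print(f"{title}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The NGINX check deliberately reports per `location` block, since the thread notes the bypass lines occur in several blocks and a fix applied to only one of them leaves the others serving cached authenticated pages. After correcting the config, the cache still has to be purged (or left to expire) before the change takes effect, as John's reply says; this script only validates the configuration text.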