[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Tracing the client-side authn subsystem's work.

From: C. Michael Pilato <cmpilato_at_collab.net>
Date: Wed, 22 May 2013 15:44:18 -0400

Playing with my 'auth-notification' branch a few minutes ago, I
enabled the notifications (via an environment variable) and ran an
update command across all the items in my ~/projects directory. The
resulting notification-filled trace is kinda cool. Nice to finally
see where my authn subsystem interactions are happening for once!

   $ SVN_AUTH_NOTIFY=yes svn up * --config-dir=/tmp/foo
   Updating 'asf-committers':
   Credentials acquired (Plaintext (SSL server trust))
   Credentials acquired (Gnome Keyring (simple))
   At revision 41815.
   Updating 'cmpilato':
   Credentials acquired (Plaintext (SSL server trust))
   Credentials acquired (Gnome Keyring (simple))
   At revision 23.
   Updating 'dist-subversion':
   Credentials acquired (Plaintext (SSL server trust))
   At revision 2033.
   Updating 'private-subversion':
   Credentials acquired (Auth Baton Cache)
   Credentials acquired (Auth Baton Cache)
   At revision 41815.
   Updating 'serf':
   Credentials acquired (Plaintext (SSL server trust))
   At revision 1869.
   Skipped 'spec.subversion'
   Skipped 'spec.viewvc'
   Updating 'subversion':
   Credentials acquired (Auth Baton Cache)
   At revision 1485359.
   Updating 'svnbook':
   Credentials acquired (Plaintext (SSL server trust))
   Credentials acquired (Auth Baton Cache)
   Credentials acquired (Auth Baton Cache)
   Credentials acquired (Auth Baton Cache)
   Credentials acquired (Auth Baton Cache)

   Fetching external item into 'svnbook/branches/1.4/ru/nb-bin':
   Credentials acquired (Auth Baton Cache)
   Credentials acquired (Auth Baton Cache)
   Credentials acquired (Auth Baton Cache)
   Credentials acquired (Auth Baton Cache)
   External at revision 2339.

   At revision 4500.
   Updating 'svnedge':
   Credentials acquired (Plaintext (SSL server trust))
   Authentication realm: <https://ctf.open.collab.net:443> Authorization R
   ealm
   Password for 'cmpilato':

   Credentials acquired (Plaintext (prompt))
   Credentials stored (Gnome Keyring (simple))
   At revision 3592.
   Updating 'teamforge':
   Credentials acquired (Auth Baton Cache)
   Credentials acquired (Auth Baton Cache)
   Credentials acquired (Auth Baton Cache)
   Credentials acquired (Auth Baton Cache)

   Fetching external item into 'teamforge/trunk/core/mod_authnz_ctf/source':
   Credentials acquired (Auth Baton Cache)
   Credentials acquired (Auth Baton Cache)
   External at revision 518.

   At revision 59618.
   Updating 'viewvc':
   Authentication realm: <http://viewvc.tigris.org:80> CollabNet Subversion
   Repository
   Password for 'cmpilato':

   Credentials acquired (Plaintext (prompt))
   Credentials stored (Gnome Keyring (simple))
   Credentials acquired (Auth Baton Cache)
   Credentials stored (Gnome Keyring (simple))

   Fetching external item into 'viewvc/tags/1.1.18/templates-contrib':
   Credentials acquired (Auth Baton Cache)
   Credentials stored (Gnome Keyring (simple))
   External at revision 2847.

   Credentials acquired (Auth Baton Cache)
   Credentials stored (Gnome Keyring (simple))

   Fetching external item into 'viewvc/tags/1.1.19/templates-contrib':
   Credentials acquired (Auth Baton Cache)
   Credentials stored (Gnome Keyring (simple))
   External at revision 2883.

   Credentials acquired (Auth Baton Cache)
   Credentials stored (Gnome Keyring (simple))

   Fetching external item into 'viewvc/branches/1.0.x/templates-contrib':
   Credentials acquired (Auth Baton Cache)
   Credentials stored (Gnome Keyring (simple))
   External at revision 2904.

   Credentials acquired (Auth Baton Cache)
   Credentials stored (Gnome Keyring (simple))

   Fetching external item into 'viewvc/branches/1.1.x/templates-contrib':
   Credentials acquired (Auth Baton Cache)
   Credentials stored (Gnome Keyring (simple))
   External at revision 2904.

   Credentials acquired (Auth Baton Cache)
   Credentials stored (Gnome Keyring (simple))

   Fetching external item into 'viewvc/tags/1.1.10/templates-contrib':
   Credentials acquired (Auth Baton Cache)
   Credentials stored (Gnome Keyring (simple))
   External at revision 2534.

   Credentials acquired (Auth Baton Cache)
   Credentials stored (Gnome Keyring (simple))

   Fetching external item into 'viewvc/trunk/templates-contrib':
   Credentials acquired (Auth Baton Cache)
   Credentials stored (Gnome Keyring (simple))
   External at revision 2904.

   At revision 2904.
   Summary of updates:
     Updated 'asf-committers' to r41815.
     Updated 'cmpilato' to r23.
     Updated 'dist-subversion' to r2033.
     Updated 'private-subversion' to r41815.
     Updated 'serf' to r1869.
     Updated 'subversion' to r1485359.
     Updated 'svnbook' to r4500.
     Updated 'svnedge' to r3592.
     Updated 'teamforge' to r59618.
     Updated 'viewvc' to r2904.
   Summary of conflicts:
     Skipped paths: 2

Of particular interest to me, though, is the handling of externals.
My viewvc sparse checkout has quite a few intra-repos externals
defined in it. As such, all the authn credentials should be
identical. But as you can see, Subversion is repeatedly fetching --
and re-storing -- these credentials from the Gnome Keyring. Weird (to
me, at least).

I suspect that what's happening is this: The authn code always tries to
first store credentials in the provider that provided them and, failing
that, iterates over providers of the same cred kind until one of them
successfully stores the creds. In this case, it was the prompt provider
that first fetched the creds (because I used --config-dir to point to an
empty configuration directory) and the auth baton cache that did so
thereafter. But neither of those *stores* creds, so time after time
Subversion tries to store them in the first available provider that *can* --
the Gnome Keyring provider.

That's my guess, at least.

I wonder -- is there any interest in having this functionality in our trunk
and productizing it a bit? It's all callback-based, so third-party clients
could hook into the notification system, too. (Cc:ing Philip especially, as
he's expressed irritation at the opacity of our authn subsystem before, too.)

-- 
C. Michael Pilato <cmpilato_at_collab.net>
CollabNet   <>   www.collab.net   <>   Enterprise Cloud Development

Received on 2013-05-22 21:44:55 CEST

This is an archived mail posted to the Subversion Dev mailing list.