
How to restrict read access to djangopypi2?

I need to set up a private PyPI repository. I've realized there are a lot of them to choose from, and after surfing around, I chose djangopypi2 since I found their installation instructions the clearest and the project is active.

I have never used Django before, so the question might really be a Django question. I followed the instructions and started up the application with this command:

$ gunicorn_django djangopypi2.website.settings

The repository is working as I want. After configuring '~/.pypirc', I can upload packages using:

$ python setup.py sdist upload -r local

And after configuring '~/.pip/pip.conf' with 'extra-index-url' I can install packages using:

$ pip install <package-name>

However, anyone can browse and download my packages. Authentication seems to only be needed for uploading packages. I tried using this example to require login to all pages: Best way to make Django's login_required the default

And set this:

LOGIN_REQUIRED_URLS = (
    r'/(.*)$',
)

LOGIN_REQUIRED_URLS_EXCEPTIONS = (
    r'/users/login(.*)$', 
    r'/users/logout(.*)$',
)

Now the webgui requires login on all pages, so that part works as expected, but I am not able to use the pip and upload utilities from the command-line anymore.

I tried 'pip install xxx' using the extra-index-url setting in 'pip.conf' like this:

extra-index-url = http://username:password@127.0.0.1:8000/simple/

but it says 'No distributions at all found for xxx'

'python setup.py sdist upload' gives:

Submitting dist/xxx-0.0.1.tar.gz to http://127.0.0.1:8000/
Upload failed (302): FOUND

So the question is, how do I enable authentication to work from 'pip' and 'python setup.py register/upload'?

If it's really localhost which you want this to run on, instead of using access control, I'd bind gunicorn_django to the loopback interface:

gunicorn_django -b 127.0.0.1:80 djangopypi2.website.settings

That way, no other machine can access the service.

I'm skeptical that you can get pip to authenticate; see this question.

I didn't manage to set up djangopypi2 as I wanted. I tried to set up a lot of other PyPI servers, such as PloneSoftwareCenter, mypypi, djangopypi, chishop, pypi-server, ClueReleaseManager, eggbasket etc. But either they didn't have the functionality I needed, or installation failed because dependencies were broken, or they didn't have installation instructions I could follow or documentation on how to use them, so I ended up making a simpler solution which works for me.

I didn't really need the 'python setup.py upload -r private' part to work for me, as I am using a wrapper script for publishing my python packages. So instead I just added a -p (private) option to the script, which just builds and scp's the package to the packages directory of my server.

To make pip install work, I created a CGI script that creates links to the packages the way pip wants them. After this, for pip install to install from my private repository, I just add the following to my pip.conf:

$ cat ~/.pip/pip.conf
[global]
extra-index-url = https://username:password@pypi.example.com/simple/

This works for me; however, it would have been nice to have an interface such as pypi.python.org, but where you could also restrict which modules users should have access to. So I would still be interested if anyone has set up a solution with existing PyPI server software which works like this.
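The pip.conf above puts credentials in the index URL, which pip sends as an HTTP Basic Authorization header; a redirect to a login form (the 302 in the question) cannot consume them. As an added example, not code from the posts above or from djangopypi2, here is a WSGI wrapper that checks Basic credentials and answers 401 with a challenge otherwise. The names USERS, check_credentials, BasicAuthMiddleware and status_for are hypothetical, and the plain-text sample account stands in for a real user store.

```python
import base64
import hmac

# Constructed sample account for the example only.
USERS = {"alice": "s3cret-example"}


def check_credentials(header, users):
    """Return the user name for a valid 'Basic ...' header, else None."""
    scheme, _, encoded = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    username, sep, password = decoded.partition(":")
    expected = users.get(username)
    # Always run the constant-time compare, even for unknown users.
    same = hmac.compare_digest(password.encode(), (expected or "").encode())
    return username if sep and expected is not None and same else None


class BasicAuthMiddleware:
    """Answer 401 plus a Basic challenge instead of a 302 to a login form."""

    def __init__(self, app, users, realm="private-pypi"):
        self.app, self.users, self.realm = app, users, realm

    def __call__(self, environ, start_response):
        user = check_credentials(environ.get("HTTP_AUTHORIZATION"), self.users)
        if user is None:
            body = b"Authentication required\n"
            start_response("401 Unauthorized", [
                ("WWW-Authenticate", 'Basic realm="%s"' % self.realm),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        environ["REMOTE_USER"] = user
        return self.app(environ, start_response)


def status_for(app, authorization=None):
    """Call a WSGI app once with a constructed request; return its status."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/simple/"}
    if authorization:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = []
    app(environ, lambda status, headers: seen.append(status))
    return seen[0]
```

Basic credentials are only base64-encoded, so the wrapped service should be reachable over HTTPS only, as in the pip.conf above.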
