Post by AMI_alvin on Jan 17, 2020 10:22:34 GMT
Hi all,
As per the definition in the Redfish Spec, a POST of a new session to the Session Service should not require authentication. But Redfish_1.0.3_PrivilegeRegistry.json defines the privilege for "SessionCollection" such that only "ConfigureManager" can POST to the Session Service.
So my question is: is this a conflict between the Redfish Spec and the PrivilegeRegistry?
Here is the description from Redfish Spec v1.8.0 - 13.3.1. HTTP header security:
And here is the SessionService part of Redfish_1.0.3_PrivilegeRegistry.json:
Thank you, Alvin
Post by mraineri on Jan 17, 2020 15:26:13 GMT
Thanks for catching that. We've actually published a fix for that a few months ago in Redfish_1.0.4_PrivilegeRegistry.json. In the newer version of the registry, the "POST" privilege is set to "Login".
Post by AMI_alvin on Jan 20, 2020 2:32:51 GMT
> Thanks for catching that. We've actually published a fix for that a few months ago in Redfish_1.0.4_PrivilegeRegistry.json. In the newer version of the registry, the "POST" privilege is set to "Login".

Hi, thanks for your reply. I also checked Redfish_1.0.4_PrivilegeRegistry.json, but the "POST" privilege of SessionService is still set to "ConfigureManager", not "Login". And I think it should be "NoAuth" based on the description in the Redfish Spec. Here is the SessionService part of Redfish_1.0.4_PrivilegeRegistry.json:

    "Entity": "SessionService",
    "OperationMap": {
        ...
        "POST": [
            {
                "Privilege": [
                    "ConfigureManager"
                ]
            }
        ]
        ...
Post by jautor on Jan 27, 2020 21:42:31 GMT
> > Thanks for catching that. We've actually published a fix for that a few months ago in Redfish_1.0.4_PrivilegeRegistry.json. In the newer version of the registry, the "POST" privilege is set to "Login".
>
> Hi, thanks for your reply. I also checked Redfish_1.0.4_PrivilegeRegistry.json, but the "POST" privilege of SessionService is still set to "ConfigureManager", not "Login". And I think it should be "NoAuth" based on the description in the Redfish Spec. Here is the SessionService part of Redfish_1.0.4_PrivilegeRegistry.json:
>
>     "Entity": "SessionService",
>     "OperationMap": {
>         ...
>         "POST": [
>             {
>                 "Privilege": [
>                     "ConfigureManager"
>                 ]
>             }
>         ]
>         ...

That's actually correct, because the NoAuth access applies to the SessionCollection for POST, not the SessionService. The specification statement you quoted has been revised in the next release of the specification to better state this.
Jeff
Post by mraineri on Jan 28, 2020 20:23:36 GMT
I cannot find that exact phrase in the current version of the specification; I went back a few versions and still couldn't locate the phrase "POST a new session to Sessions Service should not be authenticated". The current language I see points to the Session Service's Session Collection, which is correct.
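The distinction the thread turns on, SessionService versus SessionCollection as separate entities in the registry's OperationMap, is easy to get wrong when implementing the authorization check on a service. The following is an added example, not code from DMTF or from any poster here. It models the Privilege Registry shape (Entity / OperationMap / Privilege, where each entry in the method's list is an alternative and each Privilege list is a conjunction) over a constructed registry fragment: SessionService POST requires ConfigureManager as quoted above, SessionCollection POST is mapped to Login as mraineri describes, and, following jautor's clarification, the SessionCollection POST is the one operation the service accepts before a session exists. The `PRE_AUTH_OPERATIONS` set, the `Session` entity entries and the function names are assumptions for illustration.

```python
"""Evaluate a Redfish-style Privilege Registry for an incoming request.

Added example; the registry fragment below is CONSTRUCTED to mirror the
entities discussed in the thread and is not the published DMTF registry.
"""
from typing import Iterable, List, Optional, Set, Tuple

# Constructed fragment shaped like Redfish_1.0.x_PrivilegeRegistry.json.
# OperationMap[method] is a list of alternatives (any one suffices);
# each alternative's "Privilege" list must be held in full.
REGISTRY: List[dict] = [
    {
        "Entity": "SessionService",
        "OperationMap": {
            "GET": [{"Privilege": ["Login"]}],
            "PATCH": [{"Privilege": ["ConfigureManager"]}],
            "POST": [{"Privilege": ["ConfigureManager"]}],   # as quoted in the thread
            "DELETE": [{"Privilege": ["ConfigureManager"]}],
        },
    },
    {
        "Entity": "SessionCollection",
        "OperationMap": {
            "GET": [{"Privilege": ["Login"]}],
            "POST": [{"Privilege": ["Login"]}],              # session creation
        },
    },
    {
        "Entity": "Session",   # assumed entry, illustrates OR-of-alternatives
        "OperationMap": {
            "GET": [{"Privilege": ["Login"]}],
            "DELETE": [{"Privilege": ["ConfigureManager"]},
                       {"Privilege": ["ConfigureSelf"]}],
        },
    },
]

# Operations a service must accept without an authenticated session so that
# a client can log in at all. Assumption modelled on the thread: only the
# POST that creates a session on the SessionCollection, never anything on
# the SessionService resource itself.
PRE_AUTH_OPERATIONS: Set[Tuple[str, str]] = {("SessionCollection", "POST")}


def required_privileges(entity: str, method: str) -> Optional[List[List[str]]]:
    """Return the list of acceptable privilege sets, or None if the
    entity/method pair is not in the registry (caller should deny)."""
    for entry in REGISTRY:
        if entry["Entity"] == entity:
            alternatives = entry["OperationMap"].get(method.upper())
            if alternatives is None:
                return None
            return [alt["Privilege"] for alt in alternatives]
    return None


def requires_authentication(entity: str, method: str) -> bool:
    """True unless the operation is on the pre-authentication allow-list."""
    return (entity, method.upper()) not in PRE_AUTH_OPERATIONS


def is_authorized(entity: str, method: str, user_privileges: Iterable[str],
                  authenticated: bool = True) -> bool:
    """Decide a request against the registry.

    Unknown entity/method pairs are denied (fail closed). An unauthenticated
    request carries no privileges and succeeds only for an allow-listed
    operation; an authenticated request succeeds if it holds every privilege
    of at least one alternative.
    """
    alternatives = required_privileges(entity, method)
    if alternatives is None:
        return False
    if not authenticated:
        return not requires_authentication(entity, method)
    held = set(user_privileges)
    return any(set(alt).issubset(held) for alt in alternatives)


if __name__ == "__main__":
    # Login without a session: allowed on the collection, not on the service.
    print(is_authorized("SessionCollection", "POST", [], authenticated=False))  # True
    print(is_authorized("SessionService", "POST", [], authenticated=False))     # False
    # A logged-in operator without ConfigureManager cannot POST to SessionService.
    print(is_authorized("SessionService", "POST", ["Login", "ConfigureUsers"]))  # False
```

The point worth keeping from the thread is that the allow-list is keyed on the collection entity, so a registry that says ConfigureManager for SessionService POST is not in conflict with unauthenticated session creation; an implementation that special-cased the SessionService URI instead would either block logins or expose the service resource without a session.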