Post by elijahliang on Sept 17, 2019 3:14:23 GMT
Hi,
There are definitions of privilege for ServiceRoot in Section 7.2.2 (Redfish 1.7.0 Spec) and in Redfish_1.0.3_PrivilegeRegistry.json. The Redfish 1.7.0 Spec defines that ServiceRoot shall not require authentication, but the PrivilegeRegistry defines that ServiceRoot should require the Login privilege:
{ "Entity": "ServiceRoot", "OperationMap": { "GET": [ { "Privilege": [ "Login" ] } ] } }
Please conclude which one we should follow for ServiceRoot.
Many Thanks,
Elijah
Post by jautor on Sept 17, 2019 20:30:41 GMT
Elijah,
Thanks for reporting this - it does appear to be a bug in the PrivilegeRegistry. The specification is correct, the Service Root can be accessed without authentication.
We'll take a look at this and get this addressed in the next release of the schema.
Thanks again,
Jeff
Post by elijahliang on Sept 18, 2019 7:11:59 GMT
Hi Jeff,
Thank you for the clarification.
Regards, Elijah
Post by jautor on Sept 24, 2019 23:48:01 GMT
Elijah,
We ran into an issue when attempting to fix this, and are looking for any feedback.
Removing "Login" from the ServiceRoot map gives an empty entry:
{ "Entity": "ServiceRoot", "OperationMap": { "GET": [ { "Privilege": [] } ] } }
We're concerned that this will cause confusion, so we're looking at creating a new "None" or "NoAuth" privilege:
{ "Entity": "ServiceRoot", "OperationMap": { "GET": [ { "Privilege": [ "NoAuth" ] } ] } }
But this is not really a privilege - it's indicating that no privileges are necessary to access. We can add that to the Privilege list, but there is concern that this may be just as confusing...
Anyone have input as to which way we should go to address this?
Jeff
Post by jautor on Oct 4, 2019 16:05:49 GMT
Elijah,
After further discussion with the group, we agreed that adding a new privilege of "NoAuth" to the privilege list was the best approach. That privilege will show up in the Privilege Registry for resources that can be accessed without authentication, but will never appear in a "Role" definition. This prevents the empty array case for ServiceRoot as discussed above. But one additional modification was made to that map - the "Login" privilege will remain, as that is also a valid privilege. We didn't want implementations to reject requests for ServiceRoot (or any other resource that doesn't require authentication) if valid credentials were provided.
So the updated Privilege Registry will have this entry:
"Entity": "ServiceRoot", "OperationMap": { "GET": [ { "Privilege": [ "Login" ] }, { "Privilege": [ "NoAuth" ] } ], ...
The creation of the "NoAuth" privilege and the updated Privilege Registry were both approved by the DMTF Redfish Forum and will appear in the next release of the Redfish Schema bundle and Redfish Registry bundle. Both of those are currently going through the approval and release cycle, but we wanted to get this answer posted without delay.
Jeff
Post by AMI_Mani on Jun 22, 2023 11:50:56 GMT
Hi Jeff,
Assume we are getting a request with invalid credentials (Basic authentication) for the service root. Can we return a 200 response (a valid response with resource details), or should we return unauthorized with 401/403?
Thanks, Mani
Post by mraineri on Jun 22, 2023 12:14:47 GMT
We have this statement in the spec in the "Authentication requirements" section with regard to the list of unauthenticated resources.
> Services may reject requests to the previous resources if invalid credentials are provided by the client.
It's up to you if you want to allow the request to proceed (200 OK) or simply reject it due to invalid credentials (401 Unauthorized).
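The two decisions discussed in this thread (how a Privilege Registry OperationMap entry with the new "NoAuth" privilege is evaluated, and what a service does with invalid credentials on an unauthenticated resource) can be modelled in a few lines. The following is an added example, not DMTF code or any vendor's implementation. The registry fragments, the `ComputerSystem` entry used for contrast, the role table and the `reject_invalid_on_noauth` policy switch are all constructed for illustration; the OR-across-alternatives, AND-within-an-alternative reading of the OperationMap follows the Redfish specification's description of the registry.

```python
"""Evaluate Redfish Privilege Registry OperationMap entries for a request.

Added example, not DMTF code. The array under an HTTP method is a list of
alternatives (OR); every privilege named inside one alternative must be
held (AND). "NoAuth" is the marker privilege agreed in the thread: it
appears in the registry but is never assigned to a Role.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

NOAUTH = "NoAuth"

# Constructed registry fragments (example values, not a complete registry).
# The pre-fix Redfish_1.0.3 entry that prompted the thread:
REGISTRY_1_0_3 = {
    "ServiceRoot": {"GET": [{"Privilege": ["Login"]}]},
}
# The corrected entry from the thread, plus a hypothetical authenticated
# resource so the contrast is visible:
REGISTRY_FIXED = {
    "ServiceRoot": {"GET": [{"Privilege": ["Login"]}, {"Privilege": [NOAUTH]}]},
    "ComputerSystem": {
        "GET": [{"Privilege": ["Login"]}],
        "PATCH": [{"Privilege": ["ConfigureComponents"]}],
    },
}

# Local table of the predefined Redfish roles (hypothetical implementation).
ROLES: Dict[str, FrozenSet[str]] = {
    "Administrator": frozenset({"Login", "ConfigureManager", "ConfigureUsers",
                                "ConfigureSelf", "ConfigureComponents"}),
    "Operator": frozenset({"Login", "ConfigureComponents", "ConfigureSelf"}),
    "ReadOnly": frozenset({"Login", "ConfigureSelf"}),
}


@dataclass(frozen=True)
class Credentials:
    """Result of credential processing for one request.

    privileges is None when the request carried no credentials at all;
    invalid is True when credentials were supplied but failed to verify.
    """
    privileges: Optional[FrozenSet[str]] = None
    invalid: bool = False


def allows_unauthenticated(alternatives: List[dict]) -> bool:
    """True when some alternative is exactly the NoAuth marker."""
    return any(alt["Privilege"] == [NOAUTH] for alt in alternatives)


def satisfied(alternatives: List[dict], held: FrozenSet[str]) -> bool:
    """OR across alternatives, AND within one; NoAuth costs nothing."""
    return any(all(p == NOAUTH or p in held for p in alt["Privilege"])
               for alt in alternatives)


def authorize(registry: dict, entity: str, method: str, creds: Credentials,
              reject_invalid_on_noauth: bool = False) -> int:
    """Return the HTTP status an implementation would send: 200, 401, 403 or 405.

    reject_invalid_on_noauth selects the spec's optional behaviour of rejecting
    requests to unauthenticated resources that carry invalid credentials.
    """
    op_map = registry.get(entity, {})
    if method not in op_map:
        return 405  # method absent from the map: not allowed on this resource
    alternatives = op_map[method]
    open_access = allows_unauthenticated(alternatives)

    if creds.invalid:
        # Invalid credentials always fail on authenticated resources. On a
        # NoAuth resource the service "may reject" them, so it is a policy choice.
        if not open_access or reject_invalid_on_noauth:
            return 401
        return 200
    if creds.privileges is None:
        return 200 if open_access else 401  # no credentials at all
    if satisfied(alternatives, creds.privileges):
        return 200
    return 403  # authenticated, but the role lacks a required privilege
```

Run against the 1.0.3 entry, an unauthenticated GET on ServiceRoot returns 401, which is the bug Elijah reported; against the corrected entry it returns 200, while a ReadOnly session still gets 200 through the retained Login alternative and a ReadOnly PATCH on the contrast resource gets 403. The `reject_invalid_on_noauth` switch is where a service chooses between the 200 and 401 answers Mani asked about.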