|
|
Post by ratagupt on Jun 11, 2022 2:44:42 GMT
Hi Team,
We have a requirement that we don't want to support authentication and as well as SSL support in our web server due to our system requirement, I am not sure this requirement is unique to us or it is generic one.
Say if we have to support this, I was thinking that we don't need to support the following redfish schema.
No-Auth:
Account service
ManagerAccount
ManagerAccountCollection
Role
Session Service
No-SSL:
Certificate Service
Certificate location
Certificate collection
Certificate
NOTE: In our system - web server doesn't support the SSL, and the system is not having any other services which uses certificates.
Ratan
|
|
|
|
Post by mraineri on Jun 13, 2022 13:20:05 GMT
At least at this time, the Redfish Specification requires support for HTTP Basic Auth and Redfish Sessions in addition to TLS support. However, whether a user chooses to make use of these items is entirely up to them; the only requirement we have in the specification today in regards to this is the client must provide some sort of authentication header: "An authentication header shall accompany every request that establishes a secure channel."
If these are internal interfaces where end users will not have exposure, you can certainly make adjustments as you see fit. However, anything that might be exposed to a general user would encounter interoperability issues based on the requirements in the specification today. |
|
|
|
Post by josephreynolds1 on Jun 14, 2022 20:46:59 GMT
I am trying to understand the use case. Is this for a device which has limited compute capacity? For example, a small device implements a very basic HTTP server which omits support for compute-expensive operations (as you listed in your original question)?
I can see a use case for a limited-function device to follow the Redfish URIs and Redfish schema, but omit transport layer security, session management, and access checks. It would operate as-if the client had a session which did not need to be created, never expired, and has access to every operation.
When viewed from this perspective, are you asking if you can implement the Redfish Data Model (per DSP0266) without implementing the rest of the spec?
Or are you asking the Redfish forum to create a "Redfish-lite" spec?
For example, a "Redfish-lite" spec would require things like:
- The Redfish service root is present.
- All supported URIs adhere to the Redfish spec with respect to odata and schemas. (Do you intend to implement other parts of the Redfish spec such as schemas and @odata?)
And make the following requirements optional:
- The AccountService is optionally provided. If omitted, the session service shall not require credentials to create a session.
- The SessionService is optionally provided. If omitted, no session is needed to access resources, and all Redfish operations shall require no authority.
- Transport layer security is optional. Data may be carried in cleartext.
|
|
|
|
Post by jautor on Jun 14, 2022 21:36:26 GMT
Similar comments as Joseph - is this "lite" functionality just for a particular user / use case or truly for whole device? I can see a lightweight device that "doesn't need" all that support. But there's also a potential class of user that just needs read-only access to some amount of data (thinking an IoT sensor), while the device/service still has the robust security for other users with read-write access for configuration purposes...
Jeff
|
|
|
|
Post by josephreynolds1 on Jun 15, 2022 16:53:21 GMT
I have another (bad) idea to address part of your requirements.
Implement a fully-compliant Redfish service which:
1. Implements some trivial services AccountService (readonly) and SessionService (allows no sessions to be created).
2. Then modify your operation-to-privilege mapping for the operations you want to expose, that is, specifically, require no privileges for the operations you want to be readable to everyone.
In this way, an unauthenticated client can perform operations without having to login.
I suspect this violates the spirit of the Redfish spec. I would prefer to implement something and say it "complies with the Redfish Data Model".
(Note this approach does not address your transport layer security (TLS aka SSL) question.)
|
|
|
|
Post by ratagupt on Jun 23, 2022 10:40:42 GMT
Thanks Joseph, Jeff,
Yes I think what I was looking is lite redfish where we don't need to do the authentication and secure session between the trusted entity.
Consider a platform which has a platform BMC which is connected to the out of band management port, and one or more satellite BMCs which are connected to the platform BMC via an interface that can run the TCP/IP stack (for eg USB). So, these BMCs could talk Redfish to each other in theory.
In this use case we don't need the authentication and SSL from platform BMC to the satellite BMC
However when the external user talks to the platform BMC entity that channel is secure and authenticated.
SystemUser----Secure/authenticated---->platform BMC----NoSSL/NO-AUTH----->satellite BMC
I had the following asks from the DMTF If my server don't implement the following endpoints
in case of No-Auth:
Account service
ManagerAccount
ManagerAccountCollection
Role
Session Service
in case of No-SSL:
Certificate Service
Certificate location
Certificate collection
Certificate
Will it be considered as a violation of spec? I was just confirming it.
The second ask is, can we think on runtime control of this, where system can go from auth/ssl to no-auth/no-ssl and vice versa,
|
|
|
|
Post by mraineri on Jun 24, 2022 19:43:24 GMT
Technically yes, it is a spec violation. However, like with other semantics with internal channels, since you have full control over the interface, you really can do whatever you want. Redfish as far as the standard goes really focuses on the public facing interface.
For your other question about runtime control, no that is not in place today and would require further discussion. However, clients have the option for using TLS or authentication in their requests. External users are allowed to connect via HTTP and bypass TLS if they so choose. We also have this requirement in the spec: "Services shall authenticate all write requests to Redfish resources". This means that GET operations technically are allowed to be unauthenticated if your privilege registry allows for it.
|
|
|
|
Post by ratagupt on Jun 29, 2022 6:27:46 GMT
@mike thanks for your response.
>For your other question about runtime control, no that is not in place today and would require further discussion.
It makes sense if we are considering the use case of internal channel with redfish. I understand that current redfish spec supports HTTP but in that case the redfish server doesn't need to implement the following
Certificate Service
Certificate location
Certificate collection
Certificate
If there are no other network services where the certificates are required.
Now coming back to authentication part: Right now the spec says
> "Services shall authenticate all write requests to Redfish resources"
In our use case which I explained above, we don't need our internal client (which is part of the system) to be authenticated, I know till now standard focuses on the public facing interface where we require some form of authentication before client does any write request.
Can we accommodate this use case also in the standard if there are other company's who have some form of similar use cases.
|
|
|
|
Post by ratagupt on Jun 29, 2022 6:28:19 GMT
@mike thanks for your response. > For your other question about runtime control, no that is not in place today and would require further discussion. It makes sense if we are considering the use case of internal channel with redfish. I understand that current redfish spec supports HTTP but in that case the redfish server doesn't need to implement the following Certificate Service Certificate location Certificate collection Certificate If there are no other network services where the certificates are required. Now coming back to authentication part: Right now the spec says > "Services shall authenticate all write requests to Redfish resources" In our use case which I explained above, we don't need our internal client (which is part of the system) to be authenticated, I know till now standard focuses on the public facing interface where we require some form of authentication before client does any write request. Can we accommodate this use case also in the standard if there are other company's who have some form of similar use cases. |
|
|
|
Post by jautor on Jun 30, 2022 0:40:37 GMT
Now coming back to authentication part: Right now the spec says > "Services shall authenticate all write requests to Redfish resources" In our use case which I explained above, we don't need our internal client (which is part of the system) to be authenticated, I know till now standard focuses on the public facing interface where we require some form of authentication before client does any write request. Can we accommodate this use case also in the standard if there are other company's who have some form of similar use cases. There's two levels here, one that probably takes some minor tweaks to the specification to ensure it's well understood, and another level that require a lot more discussion... If you're just trying to avoid the "overhead" (in every sense of the word) of the secure protocol, and effectively just want to "turn off that support" for your configuration, I can see that as a valid use case and it's probably not unique to you. And again, if these internal interface(s) aren't available to the public / end user - there's no harm in violating the specification regardless. But I assume that the satellite BMC code is supposed to be "Redfish standard conforming" (because it wasn't written solely for this configuration) and may be used in other configurations where that security is desired/required, then I understand why you want that code to pass conformance tests. So that said, as long as the secure protocols and authentication methods, as called out in the specification, are actually supported by the implemented, but are "turned off" for your configuration (hopefully using Redfish methods), then I could see the group working through whatever changes / clarifications are necessary to allow for that... But if the goal is to produce a satellite BMC firmware that does NOT contain the support for authentication or HTTPS at all - that is a very different animal. We would probably be talking about a new "class" of device and/or specification - because I believe the standards group would have difficulty enabling a completely insecure implementation to claim to be "conforming to the Redfish specification". The simple analogy is: All the doors in the building have to have locks. But it's acceptable for the building owner to leave all those doors unlocked (and even put up signs that say "This door to remain Unlocked") so no one has to deal with the keys and the hassle. Jeff |
|
|
|
Post by ratagupt on Jun 30, 2022 10:48:06 GMT
> So that said, as long as the secure protocols and authentication methods, as called out in the specification, are actually supported by the implemented, but are "turned off" for your configuration (hopefully using Redfish methods), then I could see the group working through whatever changes / clarifications are necessary to allow for that...
Our use case is exactly the same, Some redfish method through which we can turn off/on this feature.
> But if the goal is to produce a satellite BMC firmware that does NOT contain the support for authentication or HTTPS at all - that is a very different animal.
Nopes, we don't want this.
|
|
