HostInterface AuthenticationModes question

AMI_archerwen
Guppy

Posts: 69

HostInterface AuthenticationModes question May 26, 2023 13:45:46 GMT

Quote

Post by AMI_archerwen on May 26, 2023 13:45:46 GMT

Hi,

If the "AuthenticationModes" is "AuthNone".
And we assume the Hostinterface though the USB Network Interface and IP is "169.254.xxx.xxx".
If the local user want to GET some resource except /redfish/v1/ with IP - "169.254.xxx.xxx".
I think the local user still need to provide the Basic Authorization to GET a resource (except /redfish/v1/) via 169.254.xxx.xxx, right?
Like GET 169.254.xxx.xxx/redfish/v1/Account with a Basic Authorization (Username: admin, Password: admin).

And if we use this IP for doing BIOS-BMC hand shake.
Is it means need to use the Role from "AuthNoneRoleId" to create another account for push BIOS data to Redfish.
If so, what is the different between "AuthNone" and "BasicAuth"?
Could you kindly help to figure out?

Thanks,
Archer.

Last Edit: May 26, 2023 13:46:24 GMT by AMI_archerwen

mraineri
Administrator

Posts: 1,050

HostInterface AuthenticationModes question May 26, 2023 16:58:53 GMT

Quote

Post by mraineri on May 26, 2023 16:58:53 GMT

The intent is AuthNone is used to allow requests without any sort of authentication. There are types of users that do not want to specify credentials on their host interface, so if the interface is set to AuthNone, the user does not need to provide any credentials for any operations. You might restrict this to a ReadOnly type of access based on the "AuthNoneRoleId" setting; perhaps a user performing GET requests to query system status doesn't want to incur the penalty of authentication over the host interface, but more privileged operations (like modifying user accounts), require credentials to be sent.

The intent of BasicAuth is to show that the interface will accept requests containing HTTP basic authentication headers.

AMI_archerwen
Guppy

Posts: 69

HostInterface AuthenticationModes question May 29, 2023 12:58:48 GMT

Quote

Post by AMI_archerwen on May 29, 2023 12:58:48 GMT

Hi,

So you mean "AuthNoneRoleId" need to be shows if our "AuthenticationMode" is "AuthNone".
And "AuthNoneRoleId" can be "Administarator", "ReadOnly" or any role we want to specific.
Then if we GET/POST/PATCH/DELETE any resource (by using curl or Postman) with hostinterface IP "169.254.xxx.xxx", the user do not need give the authorization.
It totally depend on the privilege of "AuthNoneRoleId".

Ex.
if is "Administrator", user can do anything (GET/POST/PATCH/DELETE) without authorization.
If is "Operator", user can only GET without authorization.

Is my understanding correct?

Last Edit: May 29, 2023 13:00:04 GMT by AMI_archerwen

mraineri
Administrator

Posts: 1,050

HostInterface AuthenticationModes question May 30, 2023 12:58:35 GMT

Quote

Post by mraineri on May 30, 2023 12:58:35 GMT

That's right; since in the "AuthNone" case no credentials are passed (meaning no "Authorization" or "X-Auth-Token" headers are in the request), you still need to be able to map the request to a role since there's no account with which to associate the request, which is where AuthNoneRoleId is needed. You can limit the scope of what that type of access can do just like your examples show.

AMI_archerwen Guppy Posts: 69	HostInterface AuthenticationModes question May 31, 2023 3:34:33 GMT Quote Select Post Deselect Post Link to Post Back to Top Post by AMI_archerwen on May 31, 2023 3:34:33 GMT Got it. Thanks.

Post by AMI_archerwen on May 26, 2023 13:45:46 GMT

Post by mraineri on May 26, 2023 16:58:53 GMT

Post by AMI_archerwen on May 29, 2023 12:58:48 GMT

Post by mraineri on May 30, 2023 12:58:35 GMT

Post by AMI_archerwen on May 31, 2023 3:34:33 GMT