Post by AMI_Mani on Jul 28, 2023 17:11:19 GMT
Hi,
As per the specification, there is no authentication required for the Service root:
7.2.3 Service root request
The root URL for Redfish version 1.x services shall be /redfish/v1/.
The service returns the ServiceRoot resource, as defined by this specification, as a response for the root URL.
Services shall not require authentication to retrieve the service root and /redfish resources.
Based on the above, we can return a response with a correct username and invalid password, with an invalid user and password, and with no auth as well. If returning a response is incorrect, please let us know.
When we are given the default username and default password, where the PasswordChangeRequired attribute is true (after flashing the BMC), for the service root, do we need to return 403, or 200 with a response?
As per the specification, it specifies only a few URIs that return a response, and all remaining URIs need to return 403. In this case, is returning 403 for the service root acceptable, or does it need to return a response with the default password?
13.5.3 Password change required handling
The service may require that passwords assigned by the manufacturer be changed by the end user prior to accessing the service. In addition, administrators may require users to change their account's password upon first access.
The ManagerAccount resource contains a PasswordChangeRequired boolean property to enable this functionality. Resources that have the property set to true shall require the user to change the write-only Password property in that resource before access is granted. Manufacturers including user credentials for the service may use this method to force a change to those credentials before access is granted.
When a client accesses the service by using credentials from a ManagerAccount resource that has a PasswordChangeRequired value of true, the service shall allow:
• A session login and include a @message.ExtendedInfo object in the response containing the PasswordChangeRequired message from the Base Message Registry. This indicates to the client that their session is restricted to performing only the password change operation before access is granted.
• A GET operation on the ManagerAccount resource associated with the account.
• A PATCH operation on the ManagerAccount resource associated with the account to update the Password property. If the value of Password is changed, the service shall also set the PasswordChangeRequired property to false.
For all other operations, the service shall respond with the HTTP 403 Forbidden status code and include a @message.ExtendedInfo object that contains the PasswordChangeRequired message from the Base Message Registry.
Thanks,
Mani
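The two spec clauses quoted in the post, written out as an authorization decision so the allowed and forbidden cases can be traced step by step. This is an added example, not code from the post, from AMI, or from any Redfish implementation: the account, the session store and the message-registry entry are constructed here, and the example takes one reading of the open question, namely that the 7.2.3 resources which require no authentication are answered before the 13.5.3 password-change gate is consulted. That ordering is this example's assumption, not something the specification text above settles.

```python
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the Base Message Registry entry named in 13.5.3.
PASSWORD_CHANGE_REQUIRED_MSG = {
    "MessageId": "Base.1.0.PasswordChangeRequired",
    "Message": "The password must be changed before access to the service is granted.",
    "Severity": "Critical",
}

# 7.2.3: these resources shall not require authentication. Assumption of this
# example: they are answered before any credential or password-change check.
UNAUTHENTICATED_PATHS = {"/redfish", "/redfish/v1/"}


@dataclass
class ManagerAccount:
    user_name: str
    password: str                    # plain text only to keep the example short
    password_change_required: bool   # the PasswordChangeRequired property

    @property
    def odata_id(self) -> str:
        return f"/redfish/v1/AccountService/Accounts/{self.user_name}"


@dataclass
class Service:
    accounts: dict = field(default_factory=dict)   # user_name -> ManagerAccount
    sessions: dict = field(default_factory=dict)   # X-Auth-Token -> user_name

    @staticmethod
    def _extended_info() -> dict:
        return {"@Message.ExtendedInfo": [PASSWORD_CHANGE_REQUIRED_MSG]}

    @staticmethod
    def _account_view(acct: ManagerAccount) -> dict:
        return {"@odata.id": acct.odata_id, "UserName": acct.user_name,
                "PasswordChangeRequired": acct.password_change_required}

    def login(self, user_name: str, password: str):
        """POST /redfish/v1/SessionService/Sessions -> (status, token, body)."""
        acct = self.accounts.get(user_name)
        if acct is None or not secrets.compare_digest(acct.password, password):
            return 401, None, {}
        token = secrets.token_hex(16)
        self.sessions[token] = user_name
        body = {"@odata.id": f"/redfish/v1/SessionService/Sessions/{token[:8]}"}
        if acct.password_change_required:
            # 13.5.3: the login succeeds, but the session is restricted
            body.update(self._extended_info())
        return 201, token, body

    def request(self, method: str, path: str, token=None, body=None):
        """Authorize one request on an existing session -> (status, body)."""
        if method == "GET" and path in UNAUTHENTICATED_PATHS:
            return 200, {"@odata.id": path, "Name": "Root Service"}
        acct = self.accounts.get(self.sessions.get(token))
        if acct is None:
            return 401, {}
        if acct.password_change_required:
            own_account = path == acct.odata_id
            if method == "GET" and own_account:
                return 200, self._account_view(acct)
            if method == "PATCH" and own_account and body and set(body) == {"Password"}:
                if body["Password"] != acct.password:
                    acct.password = body["Password"]
                    acct.password_change_required = False   # cleared on a real change
                return 200, self._account_view(acct)
            # every other operation: 403 plus the ExtendedInfo message
            return 403, self._extended_info()
        return 200, {"@odata.id": path}   # unrestricted handling


def first_boot_walkthrough():
    """Drive a freshly flashed BMC (constructed default account) through the flow."""
    svc = Service()
    svc.accounts["admin"] = ManagerAccount("admin", "factory-default", True)
    steps = [svc.request("GET", "/redfish/v1/")[0]]               # root, no session
    status, token, body = svc.login("admin", "factory-default")
    steps += [status, "@Message.ExtendedInfo" in body]
    steps.append(svc.request("GET", "/redfish/v1/Systems", token)[0])        # blocked
    steps.append(svc.request("GET", "/redfish/v1/AccountService/Accounts/admin", token)[0])
    steps.append(svc.request("PATCH", "/redfish/v1/AccountService/Accounts/admin",
                             token, {"Password": "new-strong-pass"})[0])
    steps.append(svc.request("GET", "/redfish/v1/Systems", token)[0])        # now allowed
    return steps
```

`first_boot_walkthrough()` returns the status sequence `[200, 201, True, 403, 200, 200, 200]`: the root is served without a session, the default-credential login succeeds but carries the ExtendedInfo message, an unrelated GET is refused with 403, the account's own GET and the Password PATCH are allowed, and after the change the earlier GET succeeds. Whether a service should instead return 403 for the root when the caller presents restricted credentials is exactly the question the post raises; this code only shows what the two clauses look like when the unauthenticated-resource rule is applied first.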