Plan to unify REST authentication?

Joseph Reynolds jrey at linux.vnet.ibm.com
Thu Jan 10 09:53:48 AEDT 2019


What is the plan to unify the Redfish and Phosphor REST authentication 
mechanisms?

Here is my understanding:

OpenBMC has two different HTTP servers which serve two different sets of 
REST APIs:
1. BMCWeb serves Redfish REST APIs (when BMCWEB_ENABLE_REDFISH is used 
[1]) and serves Phosphor REST APIs [2] (when BMCWEB_ENABLE_DBUS_REST is 
used [1]) via a C++ implementation in bmcweb.
2. The meta-ibm nginx configuration [3] serves Redfish (via BMCWeb 
listening at port 8082) and serves Phosphor REST APIs (via the 
Python-based phosphor-rest-server [4] listening at port 8081).

The project's direction is to move exclusively to BMCWeb (and 
discontinue using nginx) and Redfish (and discontinue using 
phosphor-rest).  Note that the BMCWeb C++ Phosphor REST implementation 
does not yet offer the same functions as provided by the Python-based 
phosphor-rest-server APIs, and work is in progress to achieve required 
functions in bmcweb [5] and phosphor-objmgr [6].  Development work might 
happen like this (the staging plan):

1. Continue working on BMCWeb Phosphor REST functions until 
openbmc-test-automation [7] tests pass.
2. Change the meta-ibm layer to use BMCWeb with BMCWEB_ENABLE_DBUS_REST, 
and discontinue using nginx.
3. Continue adding Redfish functions to BMCWeb until we no longer need 
Phosphor REST functions.
4. Change the meta-ibm layer so BMCWeb no longer uses 
BMCWEB_ENABLE_DBUS_REST by default.

When this is all done, we will have achieved the goal of using BMCWeb 
and Redfish exclusively.

Note that the Redfish REST APIs and the Phosphor REST APIs use different 
authentication mechanisms.  Both take your username and password but 
return different credentials (which are needed for subsequent privileged 
access).  For Redfish, posting to /redfish/v1/SessionService/Sessions 
returns a session id and an X-Auth-Token [8].  For Phosphor REST, 
posting to /login returns a Session Cookie [2].

Applications such as the phosphor-webui web application and xcat 
currently use the Phosphor REST APIs, but will begin to use the Redfish 
REST APIs, perhaps using both sets of APIs in the same application.  
Will they need to log in to both sets of REST APIs?

In this context, what is the plan to unify the authentication scheme?  I 
heard something about changing BMCWeb's version of the Phosphor REST 
APIs so that when you post to /login, you get the same credentials as 
from /redfish/v1/SessionService/Sessions.  Will I be able to log in using 
/login and use Redfish APIs, and vice versa?

- Joseph
__________

[BMCWeb]: https://github.com/openbmc/bmcweb/blob/master/README.md
[nginx]: https://www.nginx.com/
[phosphor-webui]: https://github.com/openbmc/phosphor-webui/blob/master/README.md
[xcat]: https://xcat.org/
[1]: https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt
[2]: https://github.com/openbmc/docs/blob/master/rest-api.md
[3]: https://github.com/openbmc/meta-ibm/blob/master/recipes-httpd/nginx/files/nginx.conf
[4]: https://github.com/openbmc/phosphor-rest-server
[5]: https://gerrit.openbmc-project.xyz/#/q/project:openbmc/bmcweb
[6]: https://gerrit.openbmc-project.xyz/#/q/project:openbmc/phosphor-objmgr
[7]: https://github.com/openbmc/openbmc-test-automation/blob/master/README.md
[8]: https://github.com/openbmc/docs/blob/master/REDFISH-cheatsheet.md
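
The two login flows described in the message, as an added example that is not part of the original message or of OpenBMC code: a client keeps the Redfish X-Auth-Token and the Phosphor REST session cookie separately and attaches the one that matches the request path. The /login body shape, the cookie name "sid" and all credential values are assumptions or constructed samples; nothing is sent over the network.

```python
import json
from http.cookies import SimpleCookie

REDFISH_LOGIN = "/redfish/v1/SessionService/Sessions"
PHOSPHOR_LOGIN = "/login"

def login_request(api, user, password):
    """Return (path, JSON body) for the login POST of the given API."""
    if api == "redfish":
        return REDFISH_LOGIN, json.dumps({"UserName": user, "Password": password})
    if api == "phosphor":
        # Assumed body shape for the Phosphor REST /login endpoint.
        return PHOSPHOR_LOGIN, json.dumps({"data": [user, password]})
    raise ValueError(f"unknown API: {api}")

def extract_credential(api, headers):
    """Return (request headers to replay, session URI or None) from a login response."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if api == "redfish":
        token = h.get("x-auth-token")
        if not token:
            raise ValueError("Redfish login response has no X-Auth-Token")
        # Location names the session resource, which is what a logout DELETE targets.
        return {"X-Auth-Token": token}, h.get("location")
    cookie = SimpleCookie(h.get("set-cookie", ""))
    if not cookie:
        raise ValueError("Phosphor REST login response set no session cookie")
    pairs = "; ".join(f"{name}={morsel.value}" for name, morsel in cookie.items())
    return {"Cookie": pairs}, None

def auth_headers(path, creds):
    """Pick the credential a request path needs; refuse if that API has no session."""
    api = "redfish" if path.startswith("/redfish/") else "phosphor"
    if api not in creds:
        raise PermissionError(f"no {api} session; log in to {api} first")
    return creds[api]

# Constructed sample login responses (token, session id and cookie are made up).
REDFISH_RESP = {
    "X-Auth-Token": "EXAMPLE-TOKEN",
    "Location": "/redfish/v1/SessionService/Sessions/EXAMPLE-ID",
}
PHOSPHOR_RESP = {"Set-Cookie": "sid=EXAMPLE-COOKIE; Path=/; Secure; HttpOnly"}
```

With only a Redfish session stored, auth_headers() raises for a Phosphor REST path, which is the double-login situation the message asks about.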


