Plan to unify REST authentication?

Ed Tanous ed.tanous at intel.com
Tue Jan 15 04:17:39 AEDT 2019


On 1/9/19 2:53 PM, Joseph Reynolds wrote:
> The project's direction is to move exclusively to BMCWeb (and 
> discontinue using nginx) and Redfish (and discontinue using 
> phosphor-rest).

This is my long term goal as well, and how Intel systems currently
operate (despite the bugs it currently causes)

>   Note that the BMCWeb C++ Phosphor REST implementation 
> does not yet offer the same functions as provided by the Python-based 
> phosphor-rest-server APIs, and work is in-progress to achieve required 
> functions in bmcweb [5] and phosphor-objmgr [6].
The c++ mapper was merged already, and seems to be stable.
>   Development work might 
> happen like this (the staging plan):
>
> 1. Continue working on BMCWeb Phosphor REST functions until 
> openbmc-test-automation [7] tests pass.
> 2. Change the meta-ibm layer to use BMCWeb with BMCWEB_ENABLE_DBUS_REST, 
> and discontinue using nginx.

A possible path for this step is staged here:

https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/14171

> 3. Continue adding Redfish functions to BMCWeb until we no longer need 
> Phosphor REST functions.

This point warrants much greater discussion, but I think we need to get
through 1 and 2 before we start diving into the details on how to
execute moving phosphor REST to Redfish.

> 4. Change the meta-ibm layer so BMCWeb no longer uses 
> BMCWEB_ENABLE_DBUS_REST by default.

I'm not following this one.  I suspect you meant to say the opposite?

> When this is all done, we will have achieved the goal of using BMCWeb 
> and Redfish exclusively.
>
> Note that the Redfish REST APIs and the Phosphor REST APIs use different 
> authentication mechanisms.  Both take your username and password but 
> return different credentials (which are needed for subsequent privileged 
> access).  For Redfish, posting to /redfish/v1/SessionService/Sessions 
> returns a session id and an X-Auth-Token [8].  For Phosphor REST, 
> posting to /login returns a Session Cookie [2].

Bmcweb also supports the /login api, which takes the same parameters,
and returns the same data.  The only functional difference is that it
implements CSRF prevention, which requires a second token to be issued
along with the cookie, to avoid XSS and CSRF attacks.  This makes it
incompatible in a minor way.  For testing, it's disableable through the
option BMCWEB_INSECURE_DISABLE_CSRF_PREVENTION.

In the bmcweb model, session information is shared across the whole
application, so websocket, REST, KVM, and KVM sessions all share the
same tokens and login mechanisms, which allows more compatibility with
applications, and allows users to pick the login mechanism that works
best for their application.

> Applications such as the phosphor-webui web application and xcat 
> currently use the Phosphor REST APIs, but will begin to use the Redfish 
> REST APIs, perhaps using both sets of APIs in the same application.   
> Will they need to login to both sets of REST APIs?
In the "bmcweb is the only webserver" model, no, it wouldn't be required to.
>
> In this context, what is the plan to unify the authentication scheme?  I 
> heard something about changing BMCWeb's version of the Phosphor REST 
> APIs so that when you post to /login, you get the same credentials as 
> from /redfish/v1/SessionService/Sessions.  Will I be able to login using 
> /login and use Redfish APIs, and vice-versa?

Already implemented, and has been for some time.

https://github.com/openbmc/bmcweb/blob/4ae611d9de1504b68f521e9837ddb97e0dc89d27/include/token_authorization_middleware.hpp#L274

>
> - Joseph
> __________
>
> [BMCWeb]: https://github.com/openbmc/bmcweb/blob/master/README.md
> [nginx]: https://www.nginx.com/
> [phosphor-webui]: 
> https://github.com/openbmc/phosphor-webui/blob/master/README.md
> [xcat]: https://xcat.org/
> [1]: https://github.com/openbmc/bmcweb/blob/master/CMakeLists.txt
> [2]: https://github.com/openbmc/docs/blob/master/rest-api.md
> [3]: 
> https://github.com/openbmc/meta-ibm/blob/master/recipes-httpd/nginx/files/nginx.conf
> [4]: https://github.com/openbmc/phosphor-rest-server
> [5]: https://gerrit.openbmc-project.xyz/#/q/project:openbmc/bmcweb
> [6]: 
> https://gerrit.openbmc-project.xyz/#/q/project:openbmc/phosphor-objmgr
> [7]: 
> https://github.com/openbmc/openbmc-test-automation/blob/master/README.md
> [8]: https://github.com/openbmc/docs/blob/master/REDFISH-cheatsheet.md
>
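The shared-session model and the CSRF second token that Ed describes above, sketched as an added example (not bmcweb's code): one session store serves both the Redfish session endpoint (X-Auth-Token header) and the /login endpoint (cookie plus a separate CSRF token), and a single authorize routine accepts either. The cookie and header names (SESSION, XSRF-TOKEN, X-XSRF-TOKEN) and the user table are assumptions for the sketch.

```python
import hmac
import secrets
from dataclasses import dataclass

# Constructed credential table standing in for PAM/user lookup.
USERS = {"root": "demo-password"}


def check_password(username: str, password: str) -> bool:
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


@dataclass
class Session:
    username: str
    token: str       # value handed out as X-Auth-Token and as the SESSION cookie
    csrf_token: str  # second token required alongside the cookie


class SessionStore:
    """One store consulted by every auth path; disable_csrf models
    BMCWEB_INSECURE_DISABLE_CSRF_PREVENTION (assumed semantics: testing only)."""

    def __init__(self, disable_csrf_prevention: bool = False):
        self.sessions: dict[str, Session] = {}
        self.disable_csrf = disable_csrf_prevention

    def login(self, username: str, password: str):
        if not check_password(username, password):
            return None
        s = Session(username, secrets.token_urlsafe(16), secrets.token_urlsafe(16))
        self.sessions[s.token] = s
        return s

    def redfish_login_response(self, s: Session) -> dict:
        # POST /redfish/v1/SessionService/Sessions: token travels in a header.
        return {"headers": {"X-Auth-Token": s.token}}

    def phosphor_login_response(self, s: Session) -> dict:
        # POST /login: token travels in a cookie, so a CSRF token is issued too.
        return {"cookies": {"SESSION": s.token, "XSRF-TOKEN": s.csrf_token}}

    def authorize(self, headers: dict, cookies: dict):
        tok = headers.get("X-Auth-Token")
        if tok is not None:              # header path: not sent by a browser on its own
            return self.sessions.get(tok)
        sess = self.sessions.get(cookies.get("SESSION", ""))
        if sess is None or self.disable_csrf:
            return sess                  # cookie alone suffices only in insecure mode
        xsrf = headers.get("X-XSRF-TOKEN")
        if xsrf is None or not hmac.compare_digest(xsrf, sess.csrf_token):
            return None                  # browser-attached cookie without the second token
        return sess
```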

