DMTF/python-redfish-library

Issue with initial root object retrieval

wagadugu0 opened this issue · 2 comments

I'm trying out a very basic connection to our Redfish device. The connection has been verified by both Postman and curl.

        self.base_url = "https://" + host_ip
        self.username = "root"
        self.password = "password$$$"
        self.default_prefix = "/redfish/v1"

        self.robj = redfish.redfish_client(base_url=self.base_url,
                                           username=self.username,
                                           password=self.password,
                                           default_prefix=self.default_prefix)

With this call, I get 401 returned after it tries to call get_root_object() (v1.py, line 496). I stepped through the code all the way down to where it sends out the HTTP request (sessions.py, Session.request()) and see that the username and password do not get included in the outgoing packet.

I manually stub in the username and password into a tuple for the auth parameter and then the connection succeeds because now an Authorization header is correctly inserted into the outgoing packet.

        # Create the Request.
        req = Request(
            method=method.upper(),
            url=url,
            headers=headers,
            files=files,
            data=data or {},
            json=json,
            params=params or {},
            auth=auth,
            cookies=cookies,
            hooks=hooks,
        )

        req.auth = ('root', 'password$$$')

Is this a bug, or am I using this interface incorrectly?

This looks like a bug with the implementation you're using. The Redfish service root is expected to be available without any credentials provided (it's one of the few URIs in Redfish that's accessible without any credentials).

The following text is in the "Resource and operation authentication requirements" clause of the spec:

Redfish resources shall not be available as unauthenticated, except for:
• The service root to identify the device and service locations.
• The Redfish metadata document to get resource types.
• The OData service document for compatibility with OData clients.
• The Redfish OpenAPI YAML document for compatibility with OpenAPI clients.
• The version object at /redfish

Good catch! I confirmed this with Postman by turning off the authentication. I now get an "access denied" message at the root node.

I'll close the issue. Thanks.
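The diagnosis in this thread can be turned into a repeatable check. The following is an added example, not code from the issue or from python-redfish-library: it requests each URI the quoted spec clause exempts from authentication without credentials and reports any that answer 401 or 403. The `$metadata`, `odata` and `openapi.yaml` paths come from the Redfish specification rather than this thread, and `_MockService` is a constructed local stand-in for the device described here, so the example runs offline over plain HTTP.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# URIs exempted from authentication by the spec clause quoted in the thread.
EXEMPT_URIS = ("/redfish", "/redfish/v1/", "/redfish/v1/$metadata",
               "/redfish/v1/odata", "/redfish/v1/openapi.yaml")


def probe_unauthenticated(base_url, timeout=5):
    """GET each exempt URI with no credentials; return {uri: HTTP status}."""
    # Management controllers are reached directly, so ignore proxy settings.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    results = {}
    for uri in EXEMPT_URIS:
        try:
            with opener.open(base_url + uri, timeout=timeout) as resp:
                results[uri] = resp.status
        except urllib.error.HTTPError as err:
            results[uri] = err.code
    return results


def nonconforming(results):
    """Exempt URIs that still demanded credentials (401 or 403)."""
    return sorted(u for u, code in results.items() if code in (401, 403))


class _MockService(BaseHTTPRequestHandler):
    """Constructed stand-in for the device in this issue: root wants auth."""
    def do_GET(self):
        denied = self.path == "/redfish/v1/" and "Authorization" not in self.headers
        self.send_response(401 if denied else 200)
        self.end_headers()
    def log_message(self, *args): pass  # keep the demo quiet


def demo():
    server = HTTPServer(("127.0.0.1", 0), _MockService)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{server.server_port}"
        return nonconforming(probe_unauthenticated(url))
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

Against a real service, pass its `https://` base URL to `probe_unauthenticated`; the host certificate must be trusted by the Python installation for the requests to complete.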