
Re: in OpenShift 4.2, /apis is not accessible to anonymous users. Workarounds?



There is no plan to switch to 401.

On Thu, Oct 3, 2019 at 10:44 AM Jean-Francois Maury <jmaury redhat com> wrote:
According to the spec, it's wrong to return 403 in this case. Please re-read my wording from the spec.
Should I understand that there is no plan at all to switch to 401?

Jeff

On Thu, Oct 3, 2019 at 3:46 PM David Eads <deads redhat com> wrote:
The 403 is intentional.  The user has been authenticated as anonymous, so a 401 isn't returned.  Kubernetes and OpenShift both return 403 when a user (even anonymous) attempts to access a forbidden resource regardless of whether it even exists.

On Wed, Oct 2, 2019 at 4:06 PM Jean-Francois Maury <jmaury redhat com> wrote:
We are trying to adapt our library but found the following problem: when we issue a call to /apis or some of the discovery endpoints without authentication info, OCP returns 403 instead of 401.
According to the HTTP spec, 403 should not be repeated and authentication will not help (see https://tools.ietf.org/html/rfc2616#section-10.4.4).

So is it on purpose or is this going to be fixed?

Jeff

On Tue, Oct 1, 2019 at 5:56 PM Andre Dietisheim <adietish redhat com> wrote:

Hi Akram

Thanks for the answer. Insightful.
For now we can't easily switch libraries given the extent of usage and amount of work to migrate.

Cheers
André

On 01.10.19 at 16:34, Akram Ben Aissi wrote:
Hi André,

Indeed, this is the new default. And, historically, because of a CVE raising an issue about it, dropping discovery of /api has been removed but then temporarily restored in 4.1 and removed in 4.2.

On the Jenkins plugins we were about to fix similar issues, because /oapi was deprecated in OCP 4.2. We depend on the kubernetes-client Java library, which fixed this.
See https://github.com/fabric8io/kubernetes-client/issues/1587 and follow the different PRs. If you depend on this library also, maybe you have your fix in a recent version.

Otherwise, IIRC, the Eclipse plugin required credentials (or a token) to connect to the OpenShift server, so in your case, you may "just" need to use them to then get the endpoints.

Akram


On Tue, Oct 1, 2019 at 15:38, Andre Dietisheim <adietish redhat com> wrote:
Hi

In OpenShift 4.2 "/apis" started only being accessible to authorized
users. This causes trouble for the Eclipse tooling and the Java client
library openshift-restclient-java
(https://github.com/openshift/openshift-restclient-java) which tries to
discover endpoints before authenticating.

Thus my question(s):

* Is this the new default?
* If this restriction is deliberate, what's the reasoning behind it?
* Is there a workaround?

Thanks for your answers!
André

_______________________________________________
dev mailing list
dev lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev


--

Jeff Maury

Manager, DevTools

Red Hat EMEA

jmaury redhat com   
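
An added example, not part of the thread and not code from openshift-restclient-java or any project named in it: client-side discovery logic that treats a 403 on an unauthenticated request to /apis as a prompt to authenticate, and a 403 received after sending credentials as a real authorization denial. `fake_api`, `discover`, `NeedsLogin`, `Forbidden` and the token value are hypothetical names and constructed sample data; the 401 for rejected credentials is an assumption of the stand-in.

```python
from dataclasses import dataclass

TOKEN = "sample-token"  # constructed placeholder, not a real credential

@dataclass
class Response:
    status: int
    body: dict

def fake_api(path, token=None):
    """Constructed stand-in for the server behaviour described in the thread."""
    if token is None:
        # No credentials: handled as the anonymous user, so 403 rather than 401.
        return Response(403, {"kind": "Status", "code": 403, "reason": "Forbidden"})
    if token != TOKEN:
        # Assumption: credentials that fail authentication get 401.
        return Response(401, {"kind": "Status", "code": 401, "reason": "Unauthorized"})
    return Response(200, {"kind": "APIGroupList", "groups": []})

class NeedsLogin(Exception):
    """Credentials are missing or were rejected."""

class Forbidden(Exception):
    """An authenticated user is not allowed to read the path."""

def discover(send, token_provider, path="/apis"):
    """Probe without credentials; if refused, authenticate and retry once."""
    resp = send(path)
    if resp.status in (401, 403):
        # A 403 on an unauthenticated request only says that anonymous may
        # not read the path, so handle it like a 401 challenge.
        token = token_provider()
        if token is None:
            raise NeedsLogin(path)
        resp = send(path, token)
        if resp.status == 401:
            raise NeedsLogin(path)
    if resp.status == 200:
        return resp.body
    if resp.status == 403:
        # Credentials were sent and accepted: a real authorization denial.
        raise Forbidden(path)
    raise RuntimeError(f"unexpected HTTP {resp.status} for {path}")

if __name__ == "__main__":
    print(discover(fake_api, lambda: TOKEN)["kind"])
```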