Re: in OpenShift 4.2, /apis is not accessible to anonymous users. Workarounds?

2019-10-03 Thread Dan Winship
On 10/3/19 10:44 AM, Jean-Francois Maury wrote:
> According to the spec, it's wrong to return 403 in this case. Please
> re-read my wording from the spec.

RFC 2616 is the old version of the spec. The revised HTTP/1.1 spec text explicitly allows either 401 or 403 in this situation: RFC 7235, 3.1

Re: in OpenShift 4.2, /apis is not accessible to anonymous users. Workarounds?

2019-10-03 Thread Ben Parees
On Thu, Oct 3, 2019 at 11:30 AM David Eads wrote:
> Yes, this is out of upstream, based on downstream choices we made five
> years ago.
>
> This behavior is not considered a bug. When anonymous authentication is
> enabled, you will only get a 401 if presenting an invalid token or expired
>

Re: in OpenShift 4.2, /apis is not accessible to anonymous users. Workarounds?

2019-10-03 Thread David Eads
Yes, this is out of upstream, based on downstream choices we made five years ago.

This behavior is not considered a bug. When anonymous authentication is enabled, you will only get a 401 if presenting an invalid token or expired certificate. When connecting anonymously, your connection

Re: in OpenShift 4.2, /apis is not accessible to anonymous users. Workarounds?

2019-10-03 Thread Ben Parees
On Thu, Oct 3, 2019 at 10:52 AM David Eads wrote:
> There is no plan to switch to 401.
>

Would plans be created if a BZ were opened? Or is this an outright rejection of ever changing it because it's not deemed incorrect (or because "it's an api now and we can't change it") (Also I assume this

Re: in OpenShift 4.2, /apis is not accessible to anonymous users. Workarounds?

2019-10-03 Thread David Eads
There is no plan to switch to 401.

On Thu, Oct 3, 2019 at 10:44 AM Jean-Francois Maury wrote:
> According to the spec, it's wrong to return 403 in this case. Please
> re-read my wording from the spec.
> Should I understand that there is no plan at all to switch to 401?
>
> Jeff
>
> On Thu, Oct

Re: in OpenShift 4.2, /apis is not accessible to anonymous users. Workarounds?

2019-10-03 Thread Jean-Francois Maury
According to the spec, it's wrong to return 403 in this case. Please re-read my wording from the spec.
Should I understand that there is no plan at all to switch to 401?

Jeff

On Thu, Oct 3, 2019 at 3:46 PM David Eads wrote:
> The 403 is intentional. The user has been authenticated as

Re: in OpenShift 4.2, /apis is not accessible to anonymous users. Workarounds?

2019-10-03 Thread David Eads
The 403 is intentional. The user has been authenticated as anonymous, so a 401 isn't returned. Kubernetes and OpenShift both return 403 when a user (even anonymous) attempts to access a forbidden resource regardless of whether it even exists.

On Wed, Oct 2, 2019 at 4:06 PM Jean-Francois Maury

Re: in OpenShift 4.2, /apis is not accessible to anonymous users. Workarounds?

2019-10-02 Thread Jean-Francois Maury
We are trying to adapt our library but found the following problem: when we issue a call to /apis or some of the discovery endpoints without authentication info, OCP returns 403 instead of 401. According to the HTTP spec, 403 should not be repeated and authentication will not help (see

Re: in OpenShift 4.2, /apis is not accessible to anonymous users. Workarounds?

2019-10-01 Thread Andre Dietisheim
Hi Akram

Thanks for the answer. Insightful. For now we can't easily switch libraries given the extent of usage and amount of work to migrate.

Cheers
André

On 01.10.19 at 16:34, Akram Ben Aissi wrote:

Hi André, indeed this is the new default. And, historically, because of a CVE raising an

Re: in OpenShift 4.2, /apis is not accessible to anonymous users. Workarounds?

2019-10-01 Thread Akram Ben Aissi
Hi André,

indeed this is the new default. And, historically, because of a CVE raising an issue about it, dropping discovery of /api has been removed but then temporarily restored in 4.1 and removed in 4.2. See this https://bugzilla.redhat.com/show_bug.cgi?id=1711533

On the Jenkins plugins we were

in OpenShift 4.2, /apis is not accessible to anonymous users. Workarounds?

2019-10-01 Thread Andre Dietisheim
Hi

In OpenShift 4.2 "/apis" started only being accessible to authorized users. This causes trouble for the Eclipse tooling and the Java client library openshift-restclient-java (https://github.com/openshift/openshift-restclient-java) which tries to discover endpoints before authenticating.