Re: Action Required: Bugzilla - API Authentication changes
On 01. 02. 22 14:25, Pierre-Yves Chibon wrote:
> On Tue, Feb 01, 2022 at 01:41:01PM +0100, Miro Hrončok wrote:
> > On 01. 02. 22 13:37, Fabio Valentini wrote:
> > > Hi Miro,
> > >
> > > Thanks for forwarding this announcement.
> > > Apparently the talk about "improving communication between RHBZ and
> > > the Fedora Project" has not borne fruit yet. ;)
> >
> > Well the announcement was public, I recommend subscribing to
> > https://listman.redhat.com/mailman/listinfo/bugzilla-announce-list if you
> > interact with bugzilla a lot.
> >
> > > Do we know if any of our tools and scripts that interact with RHBZ
> > > will get broken by this?
> > > I assume you have an eye on at least some of the releng scripts (FTI,
> > > FTBFS, etc.).
> >
> > I will check. I think it's all broken.
> >
> > > But what about fedora-review? fedora-create-review? The tool that
> > > syncs assignees from dist-git to RHBZ?
> >
> > No idea.
>
> Most of these tools are written in python and as the email says, the most recent
> version of python-bugzilla works fine (which is already in Fedora and EPEL -
> stable).
>
> So as long as your systems are up to date, it should be somewhat transparent.

I don't think this is correct. If the python-bugzilla-powered script uses username and password, it is still impacted.

The following files in the infra ansible repo seem to use it:

roles/fas_server/files/export-bugzilla
roles/distgit/pagure/templates/pagure-sync-bugzilla.py.j2

The following file uses it in the releng repo:
https://pagure.io/releng/blob/main/f/scripts/ftbfs_weekly_reminder.py

--
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok

___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Re: [Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes
Jeff Fearn replied to my email, but he only copied the internal bugzilla-list, because he wanted to include security details and didn't feel comfortable doing that on a public list. I've selected the most important parts of his replies and deleted the rest. Please see his responses below:

On Wed, Feb 9, 2022 at 1:37 PM Jeff Fearn wrote:
> On 9/2/2022 20:33, Kamil Paral wrote:
> > initially I (and not just me) read the email as "update to the latest
> > python-bugzilla and you'll be fine". But after I played with
> > bugzilla.stage, and read the announcement more carefully, it seems that the
> > only possible authentication method is now using the bugzilla api key, i.e.
> > using the username + password login is no longer possible (for API access).
> > Is that correct?
>
> Yes this is correct.
>
> > I do have several concerns regarding that. The change seems too sudden and
> > a lot of Fedora tooling interacts with bugzilla.
>
> This has been discussed for some time on the internal bugzilla-list.
>
> [snip]
>
> > So, basically two questions:
> > 1. Why are we given so little time to react? Can this change wait at least
> > until F36 is released (around the end of April), so that the Anaconda and
> > ABRT teams (as well as others) can incorporate the changes
>
> The time line was based on the feedback we got on bugzilla-list.
> Technically it's a pretty easy change and no one raised these kinds of
> issues.
>
> People with blockers should send a mail to bugzilla-list, or open a
> ticket, with all the gory details, and we can mash it out.
>
> The list is better IMO because there are people from other teams who can
> contribute to the discussion.
>
> > 2. Is there a good enough justification for completely banning
> > username+password authentication? Because this will have a strong impact on
> > Fedora quality by reducing the amount of crash reports which we receive, I
> > can't imagine it any other way.
>
> This change is driven by security of credentials
>
> [snip]

Based on Jeff's responses, I'd encourage teams, which own a high-impact application/tooling affected by this change and can't react quickly enough, to post into the internal bugzilla-list and discuss this issue. The deadline could be possibly extended if there are good reasons for it, it seems. Teams without access to the internal bugzilla-list can open a bugzilla ticket (against the Bugzilla product) or contact Jeff directly, I assume.
Re: [Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes
On 2/9/22 14:30, Adam Williamson wrote:
> On Wed, 2022-02-09 at 17:44 +, Daniel P. Berrangé wrote:
>>
>> I've not seen this kind of auth dance implemented in any software
>> other than TV streaming apps, and not bugzilla and not any other
>> bug tracker I've come across. So it is not a practical solution
>> today, more of a thought experiment on how API tokens could
>> possibly be made less awful to acquire for something like Anaconda
>> or Abrt.
>
> Firefox does something similar for signing new instances of Firefox
> into your account for syncing. I've also seen it on a couple other
> things but can't quite put my finger on what at the moment.
>
> The other way we handle something like this is for FAS authentication;
> if you try and use e.g. the Bodhi CLI client without being logged in,
> it will print a browser URL and try to open a browser at that URL
> automatically, you log in through the browser and a key/token is made
> available to the app to store for future non-interactive logins.

For Bodhi Kerberos seems like a more elegant solution tbh.

> But really, the problem here is not so much "let's come up with an
> elegant design" as "um it seems like things are going to break
> catastrophically in 19 days, we need to do something really quite
> urgently to make that not happen".

Why does all authentication need to go through a browser? 2FA requirements?

--
Sincerely,
Demi Marie Obenour (she/her/hers)
Re: [Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes
On Wed, Feb 09, 2022 at 17:44:35 +, "Daniel P. Berrangé" wrote:
> Using API tokens over username/password is a good thing from a security
> POV, but as you say, the process of creating the token and getting it
> over to the client is horribly user unfriendly.

That depends on your threat model. If you aren't using third party apps, this doesn't provide much security benefit. For Fedora people are generally going to be using apps provided by Fedora, so not trusting them with your Fedora credentials seems pointless.

Though that is from the perspective of someone who treats Fedora and Red Hat as being in the same security domain. That might not be the model that Red Hat employees take. For them Fedora might be considered a third party.
Re: [Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes
On Wed 9. 2. 2022 at 20:37, Adam Williamson wrote:
> On Wed, 2022-02-09 at 20:27 +0100, Michal Srb wrote:
> > On Wed 9. 2. 2022 at 19:39, Michael Catanzaro wrote:
> > >
> > > Am I right to suspect that ABRT bug reports are going to disappear for
> > > the foreseeable future?
> >
> > Nope, we are working on a fix.
>
> That's great news, but since AFAICT this fix is not even proposed as a
> PR for upstream libreport yet, we still seem to be cutting things
> rather fine on the timeline.
>
> Per the current timeline, there are 19 days before an attempt to log in
> with username and password will fail and cause your password to be
> invalidated. Is the libreport fix going to be finished, tested, merged,
> released, and an update pushed stable for all distributions that
> include it, all within 19 days?

Fingers crossed.

> What do we do about the problem Kamil pointed out, that there are
> current Fedora (and RHEL?) installer images out there with current
> libreport baked in, which will offer username/password login for bug
> reporting forever, and we have no way to change that?

Yes, that is a problem. Unfortunately I don't see any way to fix Fedora images that are already out there. In RHEL, the option to report to Bugzilla should be available only in pre-release images, i.e. not in GA'ed ones. But this is something we need to confirm with anaconda.

I think Bugzilla could automatically send emails that would explain the situation and next steps, if people try to use username+password after the deadline. Such clarity might help to mitigate the problem a bit.

Thanks,
Michal

> --
> Adam Williamson
> Fedora QA
> IRC: adamw | Twitter: adamw_ha
> https://www.happyassassin.net
Re: [Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes
On Wed, 2022-02-09 at 20:27 +0100, Michal Srb wrote:
> On Wed 9. 2. 2022 at 19:39, Michael Catanzaro wrote:
> >
> > Am I right to suspect that ABRT bug reports are going to disappear for
> > the foreseeable future?
>
> Nope, we are working on a fix.

That's great news, but since AFAICT this fix is not even proposed as a PR for upstream libreport yet, we still seem to be cutting things rather fine on the timeline.

Per the current timeline, there are 19 days before an attempt to log in with username and password will fail and cause your password to be invalidated. Is the libreport fix going to be finished, tested, merged, released, and an update pushed stable for all distributions that include it, all within 19 days?

What do we do about the problem Kamil pointed out, that there are current Fedora (and RHEL?) installer images out there with current libreport baked in, which will offer username/password login for bug reporting forever, and we have no way to change that?

--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net
Re: [Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes
On Wed, 2022-02-09 at 17:44 +, Daniel P. Berrangé wrote:
>
> I've not seen this kind of auth dance implemented in any software
> other than TV streaming apps, and not bugzilla and not any other
> bug tracker I've come across. So it is not a practical solution
> today, more of a thought experiment on how API tokens could
> possibly be made less awful to acquire for something like Anaconda
> or Abrt.

Firefox does something similar for signing new instances of Firefox into your account for syncing. I've also seen it on a couple other things but can't quite put my finger on what at the moment.

The other way we handle something like this is for FAS authentication; if you try and use e.g. the Bodhi CLI client without being logged in, it will print a browser URL and try to open a browser at that URL automatically, you log in through the browser and a key/token is made available to the app to store for future non-interactive logins.

But really, the problem here is not so much "let's come up with an elegant design" as "um it seems like things are going to break catastrophically in 19 days, we need to do something really quite urgently to make that not happen".

--
Adam Williamson
Fedora QA
IRC: adamw | Twitter: adamw_ha
https://www.happyassassin.net
Re: [Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes
On Wed 9. 2. 2022 at 19:39, Michael Catanzaro wrote:
>
> Am I right to suspect that ABRT bug reports are going to disappear for
> the foreseeable future?

Nope, we are working on a fix.

Thanks,
Michal
Re: [Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes
Am I right to suspect that ABRT bug reports are going to disappear for the foreseeable future?
Re: [Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes
On Wed, Feb 09, 2022 at 11:33:24AM +0100, Kamil Paral wrote:
> However, even if Anaconda changes the bug reporting mechanism and asks the
> user to create an API key first, and then provide it to Anaconda, I fear
> that this will have a devastating impact on the number of bug reports that
> we receive. It is quite different to fill out a username and a password
> (which you already remember or have it stored, but is of a reasonable
> length), from going to bugzilla (on a different computer, because your
> current one is crashed during installation), creating a new api key (you
> can't even display your existing ones, so you must have them stored
> separately or always create a new one), and then retyping a 40-character
> random string from one computer to another. Who will have the dedication to
> do this "stuff"? And possibly repeatedly, in case of more crashes? (Even
> we, the QA team, will hate this. You can't always easily share your
> clipboard into a VM with the installation environment, or when using bare
> metal, and if we have to retype a 40-character random string several times
> per day, because we made the installer crash, that's going to severely
> impact us on multiple levels).

Using API tokens over username/password is a good thing from a security POV, but as you say, the process of creating the token and getting it over to the client is horribly user unfriendly.

This feels like a similar problem space to that of signing onto a streaming service, with an app on your smart TV. In the streaming apps I've used this is quite user friendly. The (client) app displays a short unique code (presumably acquired from the server), which is effectively a one time code to identify that client. The user logs in to the service on their laptop/tablet/mobile, does authentication in whatever way they need to (username / password or a software 2fa, or a hardware token, etc). They then just enter the unique code shown on the TV, thus associating the device with their account and the device is now automagically logged on.

I'm assuming that what's going on here is that when you enter the one time identity code, the service is effectively creating an API token behind the scenes in your account, and handing that back to the TV app client.

I do wonder what security people think of this kind of approach. To be a significant benefit the one time codes have to be fairly short and simple to type in on your separate browser. So there's still a tradeoff between the amount of entropy they have and the usability. In all the cases I've seen though, the codes are noticeably simpler/shorter than a typical API token would be. I'm guessing the very short validity time of these one time tokens lets them get away with having less entropy, than a long lived API token needs.

I've not seen this kind of auth dance implemented in any software other than TV streaming apps, and not bugzilla and not any other bug tracker I've come across. So it is not a practical solution today, more of a thought experiment on how API tokens could possibly be made less awful to acquire for something like Anaconda or Abrt.

Regards,
Daniel

--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
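The pairing flow described in the message above is, in substance, the OAuth 2.0 device authorization grant (RFC 8628). What follows is an added example, not code from the thread, from Bugzilla, or from any streaming service: a toy server that carries both halves of the exchange (the client's start/poll calls and the browser-side approve call) together with the guessing-probability bound that decides how short the displayed code may be. `PairingServer`, `user_code`, `device_secret`, the 32-symbol code alphabet, the 10-minute validity and the 10-tries-per-second limit are all assumptions chosen for illustration.

```python
import secrets
import time

# Assumed code alphabet: 32 symbols with the easily confused 0/O/1/I left out.
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def guess_probability(code_len, validity_s, attempts_per_s,
                      outstanding=1, alphabet=CODE_ALPHABET):
    """Upper bound on an online guesser claiming one of `outstanding` live
    codes before they expire, given a server-enforced try rate. This is what
    lets a short code get away with little entropy: a short lifetime and a
    low try rate, not the code length alone."""
    space = len(alphabet) ** code_len
    tries = attempts_per_s * validity_s
    return min(1.0, tries * outstanding / space)


class PairingServer:
    """Toy server holding the pairing state for both sides of the exchange."""

    def __init__(self, code_len=8, validity_s=600, clock=time.monotonic):
        self.code_len = code_len
        self.validity_s = validity_s
        self.clock = clock            # injectable so expiry is testable
        self._by_code = {}            # user_code -> pairing record
        self._by_secret = {}          # device_secret -> the same record

    def start_pairing(self):
        """Client step 1: get a short code to show the user and a long
        device secret the client keeps private and redeems later."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(self.code_len))
        device_secret = secrets.token_urlsafe(32)
        rec = {"code": code, "expires": self.clock() + self.validity_s,
               "account": None, "token": None}
        self._by_code[code] = rec
        self._by_secret[device_secret] = rec
        return code, device_secret

    def _alive(self, rec):
        return self.clock() < rec["expires"]

    def approve(self, user_code, account):
        """Browser step: the user, already logged in (password, 2FA, hardware
        token, whatever the site requires), types the code. The API token is
        minted in their account but is never shown here; only the holder of
        the device secret can collect it."""
        rec = self._by_code.get(user_code.upper().replace("-", ""))
        if rec is None or not self._alive(rec) or rec["account"] is not None:
            return False
        rec["account"] = account
        rec["token"] = secrets.token_hex(20)   # 40-character key, as discussed
        return True

    def poll(self, device_secret):
        """Client step 2: poll with the device secret. None while pending,
        the token once approved (released once, then the code is retired),
        TimeoutError if the pairing expired or is unknown."""
        rec = self._by_secret.get(device_secret)
        if rec is None or not self._alive(rec):
            self._by_secret.pop(device_secret, None)
            raise TimeoutError("pairing expired or unknown")
        if rec["token"] is None:
            return None
        self._by_code.pop(rec["code"], None)
        self._by_secret.pop(device_secret)
        return rec["token"]


if __name__ == "__main__":
    srv = PairingServer()
    code, device_secret = srv.start_pairing()
    print("installer shows:", code)             # what the user retypes
    print("pending:", srv.poll(device_secret))  # None until approved
    srv.approve(code, account="reporter@example.com")  # done from the browser
    print("token for the client:", srv.poll(device_secret))
    print("8-char code, 10 min, 10 tries/s:", guess_probability(8, 600, 10))
    print("4-char code, same limits:", guess_probability(4, 600, 10))
```

Two design points carry the security of the flow. The value the user retypes only authorizes; the client redeems with a long secret it obtained over TLS and never displays, so seeing the code on someone's screen does not yield their token. And the bound in `guess_probability` holds only if the server actually throttles `approve` attempts and expires codes: with the assumed limits an 8-symbol code gives a guesser well under a one-in-a-hundred-million chance, while a 4-symbol code is already around half a percent, which is why real deployments pair short codes with strict rate limiting and short lifetimes.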
Re: [Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes
On Tue, Feb 1, 2022 at 3:30 AM Jeff Fearn wrote:
> Tl;dr From Monday 28th February, applications making API calls to
> Bugzilla may no longer authenticate using passwords or supplying API
> keys in call parameters. Instead, API keys must be supplied in the
> Authorization header.
>
> Support for using the Authorization header has been deployed to all Red
> Hat Bugzilla instances. You can change your code at any time and not
> have to wait for the old methods to be disabled.
>
> We will require all authenticated API usage to use this new method; this
> will break API access to Red Hat Bugzilla for any tools that don't use
> the Authorization header [1].
>
> If you are not certain your tooling authenticates using this header then
> you need to take action to confirm it does and to modify your tooling to
> use it if it doesn't.
>
> This new method does away with logging in and out of the API and uses
> API_KEYs in a standard Authorization header. This header needs to be
> sent with every call to the API.
>
> The old methods will be disabled on a rolling basis across the RHBZ
> servers.
>
> Target Dates:
>
> https://bugzilla.stage.redhat.com - Mon 07th Feb 00:00 UTC
> https://bugzilla.redhat.com - Mon 28th Feb 00:00 UTC

Hello Jeff,

initially I (and not just me) read the email as "update to the latest python-bugzilla and you'll be fine". But after I played with bugzilla.stage, and read the announcement more carefully, it seems that the only possible authentication method is now using the bugzilla api key, i.e. using the username + password login is no longer possible (for API access). Is that correct?

I do have several concerns regarding that. The change seems too sudden and a lot of Fedora tooling interacts with bugzilla. Even worse, there are some tools which will get downright broken or massively impacted with no option to fix that. The first one that comes to mind is the Anaconda installer. If there's a crash during installation, it asks the user for username+password bugzilla credentials to report a bug. This can't get fixed for F35, because the installer images are already created, there is no update mechanism. So we'll lose all installer bug reports (unless reported manually) starting Feb 28th. This could be improved in F36, which is currently scheduled for a release on April 19th.

However, even if Anaconda changes the bug reporting mechanism and asks the user to create an API key first, and then provide it to Anaconda, I fear that this will have a devastating impact on the number of bug reports that we receive. It is quite different to fill out a username and a password (which you already remember or have it stored, but is of a reasonable length), from going to bugzilla (on a different computer, because your current one is crashed during installation), creating a new api key (you can't even display your existing ones, so you must have them stored separately or always create a new one), and then retyping a 40-character random string from one computer to another. Who will have the dedication to do this "stuff"? And possibly repeatedly, in case of more crashes? (Even we, the QA team, will hate this. You can't always easily share your clipboard into a VM with the installation environment, or when using bare metal, and if we have to retype a 40-character random string several times per day, because we made the installer crash, that's going to severely impact us on multiple levels).

This same issue is shared with Fedora's crash reporting tool, ABRT. Any time something crashes on the desktop, the user is suggested to submit a bug report. Instead of providing the username+password, the user will have to go through the api key creation motions. But at least this time the api key can be remembered by ABRT. But again I fear we'll lose a considerable amount of bug reports. Instead of removing obstacles, we're adding them. And as before, the change is too sudden, the ABRT team might not be able to react in time and we'll lose all bug reports starting Feb 28th.

So, basically two questions:

1. Why are we given so little time to react? Can this change wait at least until F36 is released (around the end of April), so that the Anaconda and ABRT teams (as well as others) can incorporate the changes?

2. Is there a good enough justification for completely banning username+password authentication? Because this will have a strong impact on Fedora quality by reducing the amount of crash reports which we receive, I can't imagine it any other way.

PS: This is also sent to the Fedora devel list, I hope you can reply there as well. It can be done from the web interface, if you prefer [1].

Thanks,
Kamil Páral
Fedora QE

[1] https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/
Re: Action Required: Bugzilla - API Authentication changes
On Wed, Feb 9, 2022, 07:44 Mattia Verga via devel <devel@lists.fedoraproject.org> wrote:
> So, I've updated review-stats container to run on F34 with
> python-bugzilla 3.2.0, but it still authenticates using
> username+password. Is that enough to avoid authentication errors and
> user ban or do I need to change the authentication method?

From what we've seen with Blockerbugs app (https://pagure.io/fedora-qa/blockerbugs/issue/230 ; https://pagure.io/fedora-qa/blockerbugs/issue/231), it seems you won't be able to use username+password at all and bugzilla api key will be the only api-friendly method of auth.

You can give it a shot with testing bugzilla: https://bugzilla.stage.redhat.com/

The error text that Bugzilla throws back at us when trying to login with username/pass is:

> You have attempted to access the API either using an unsupported method or
> using one or more unsupported parameters. You must use the 'Authorization'
> header to authenticate to the API and you must remove all unsupported
> parameters from the query. The unsupported parameters are: Bugzilla_login,
> Bugzilla_password, Bugzilla_token, Bugzilla_api_key. See
> https://bugzilla.stage.redhat.com/docs/en/html/api/core/v1/general.html#authentication
> for details on using the 'Authorization' header. at
> /usr/share/perl5/vendor_perl/SOAP/Lite.pm line 2855.
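The error text quoted above names the four legacy parameters and points at the Authorization header. The following is an added example, not code from the thread, from python-bugzilla or from Bugzilla itself: a standard-library request builder that carries the API key only in the Authorization header, plus an audit helper a tool can run over its own URLs and parameter dicts before the cutoff, since after it any of those parameters invalidates the credential it carries. It assumes the `Authorization: Bearer <API_KEY>` form that python-bugzilla 3.2.0 uses against RHBZ; confirm the exact form against the docs URL in the error for your instance. The key, URLs and query parameters are constructed placeholders, and nothing here sends a request.

```python
import urllib.parse
import urllib.request

# The parameters named in the Bugzilla error message; a call carrying any of
# them is rejected now and, after the cutoff, also bans the key or password.
LEGACY_AUTH_PARAMS = frozenset(
    {"Bugzilla_login", "Bugzilla_password", "Bugzilla_token", "Bugzilla_api_key"}
)


def find_legacy_auth_params(url, params=None):
    """Return (sorted) the unsupported auth parameters present in a URL's
    query string and/or in an explicit params dict, so a tool can refuse to
    send them instead of having its credential invalidated."""
    found = set()
    query = urllib.parse.urlparse(url).query
    for name in urllib.parse.parse_qs(query, keep_blank_values=True):
        if name in LEGACY_AUTH_PARAMS:
            found.add(name)
    for name in (params or {}):
        if name in LEGACY_AUTH_PARAMS:
            found.add(name)
    return sorted(found)


def build_authenticated_request(base_url, path, api_key, params=None):
    """Build a GET for `path` under the REST root with the API key only in the
    Authorization header (assumed Bearer form). Raises if the caller still
    passes a legacy auth parameter, which is the bug this guards against."""
    params = dict(params or {})
    url = base_url.rstrip("/") + "/rest/" + path.lstrip("/")
    if params:
        url += "?" + urllib.parse.urlencode(params, doseq=True)
    legacy = find_legacy_auth_params(url, params)
    if legacy:
        raise ValueError(f"legacy auth parameters must not be sent: {legacy}")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {api_key}")
    req.add_header("Accept", "application/json")
    return req


def header_has_api_key(req, api_key):
    """True when the key travels in the Authorization header and nowhere in
    the URL, i.e. the request is in the form the announcement requires."""
    return (req.get_header("Authorization") == f"Bearer {api_key}"
            and api_key not in req.full_url)


if __name__ == "__main__":
    KEY = "EXAMPLE_API_KEY_PLACEHOLDER"   # constructed placeholder, not a real key
    STAGE = "https://bugzilla.stage.redhat.com"
    req = build_authenticated_request(STAGE, "bug", KEY,
                                      {"product": "Fedora", "limit": 5})
    print(req.full_url, "->", req.get_header("Authorization"))
    # An old-style call of the kind the error above rejects:
    old = STAGE + "/rest/bug?product=Fedora&Bugzilla_api_key=" + KEY
    print("legacy parameters found:", find_legacy_auth_params(old))
```

For tools built on python-bugzilla the equivalent is to construct `bugzilla.Bugzilla(url, api_key=...)` (or put the key in its config file) with version 3.2.0, which sends the header itself; a script that still constructs the client with `user=`/`password=` is exactly the case Miro flags earlier in the thread, and the audit helper above is only useful for tooling that builds its REST calls by hand.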
Re: Action Required: Bugzilla - API Authentication changes
So, I've updated review-stats container to run on F34 with python-bugzilla 3.2.0, but it still authenticates using username+password. Is that enough to avoid authentication errors and user ban or do I need to change the authentication method?

Mattia
Re: Action Required: Bugzilla - API Authentication changes
On 01. 02. 22 at 12:37, Miro Hrončok wrote:
> Target Dates:
>
> https://bugzilla.stage.redhat.com - Mon 07th Feb 00:00 UTC
> https://bugzilla.redhat.com - Mon 28th Feb 00:00 UTC

This is challenging. Especially when the support in python-bugzilla landed just a few weeks ago. I would really expect at least one full release of Fedora as a transition period.

Miroslav
Re: Action Required: Bugzilla - API Authentication changes
Miro Hrončok wrote:
> From: Jeff Fearn
[…]
> If you attempt to use an old method to authenticate to the API after this
> change has been made, the API_KEY or password supplied will be treated as
> potentially compromised and invalidated immediately. If you supplied your
> password then you will need to follow the forgot password process to reset
> it. If you supplied an API_KEY it will have been banned and you will need
> to generate a new API_KEY in the UI.
>
> This invalidation will happen every time an attempt to use an outdated
> authentication method is detected.

Wow! This is *extremely* unfriendly and unhelpful. There really needs to be at least a transition period where the old methods fail with an error without invalidating the credentials!

Kevin Kofler
Re: Action Required: Bugzilla - API Authentication changes
On 2/1/22 7:37 AM, Fabio Valentini wrote:
> On Tue, Feb 1, 2022 at 12:37 PM Miro Hrončok wrote:
>>
>> Forwarded Message
>> Subject: [Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes
>> Date: Tue, 1 Feb 2022 12:28:13 +1000
>> From: Jeff Fearn
>> To: bugzilla-announce-l...@redhat.com
>>
>> Tl;dr From Monday 28th February, applications making API calls to Bugzilla may
>> no longer authenticate using passwords or supplying API keys in call
>> parameters. Instead, API keys must be supplied in the Authorization header.
>>
>> Support for using the Authorization header has been deployed to all Red Hat
>> Bugzilla instances. You can change your code at any time and not have to wait
>> for the old methods to be disabled.
>>
>> We will require all authenticated API usage to use this new method; this will
>> break API access to Red Hat Bugzilla for any tools that don't use the
>> Authorization header [1].
>>
>> If you are not certain your tooling authenticates using this header then you
>> need to take action to confirm it does and to modify your tooling to use it if
>> it doesn't.
>>
>> This new method does away with logging in and out of the API and uses API_KEYs
>> in a standard Authorization header. This header needs to be sent with every
>> call to the API.
>>
>> The old methods will be disabled on a rolling basis across the RHBZ servers.
>>
>> Target Dates:
>>
>> https://bugzilla.stage.redhat.com - Mon 07th Feb 00:00 UTC
>> https://bugzilla.redhat.com - Mon 28th Feb 00:00 UTC
>>
>> IMPORTANT
>>
>> If you attempt to use an old method to authenticate to the API after this
>> change has been made, the API_KEY or password supplied will be treated as
>> potentially compromised and invalidated immediately. If you supplied your
>> password then you will need to follow the forgot password process to reset it.
>> If you supplied an API_KEY it will have been banned and you will need to
>> generate a new API_KEY in the UI.
>>
>> This invalidation will happen every time an attempt to use an outdated
>> authentication method is detected.
>>
>> If you are using python-bugzilla you need to upgrade to version 3.2.0 which
>> will automatically use the new method of authentication.
>>
>> If you are using other tools you will need to look into how they work and see
>> how to adjust them to use the Authorization header instead of the other
>> parameters.
>>
>> If you need assistance understanding how to update your applications, please
>> reach out to us by the following means.
>>
>> - If you have an active subscription via https://access.redhat.com/support/
>>
>> - If you are a Red Hat Partner then please contact your partner representative
>>
>> - Or email us at bugzilla-ow...@redhat.com
>>
>> The Red Hat Bugzilla Team.
>
> Hi Miro,
>
> Thanks for forwarding this announcement.
> Apparently the talk about "improving communication between RHBZ and
> the Fedora Project" has not borne fruit yet. ;)

RHBZ devs contacted me twice about this change: once in the fall, which is when I added support to python-bugzilla git, and once in January requesting I push a release.

crobinso + python-bugzilla != fedora, but there was some proactive communication

Thanks,
Cole
Re: Action Required: Bugzilla - API Authentication changes
On Tue, Feb 01, 2022 at 02:25:36PM +0100, Pierre-Yves Chibon wrote:
> On Tue, Feb 01, 2022 at 01:41:01PM +0100, Miro Hrončok wrote:
> > On 01. 02. 22 13:37, Fabio Valentini wrote:
> > > Hi Miro,
> > >
> > > Thanks for forwarding this announcement.
> > > Apparently the talk about "improving communication between RHBZ and the Fedora Project" has not borne fruit yet. ;)
> >
> > Well the announcement was public, I recommend subscribing to https://listman.redhat.com/mailman/listinfo/bugzilla-announce-list if you interact with bugzilla a lot.
> >
> > > Do we know if any of our tools and scripts that interact with RHBZ will get broken by this?
> > > I assume you have an eye on at least some of the releng scripts (FTI, FTBFS, etc.).
> >
> > I will check. I think it's all broken.
> >
> > > But what about fedora-review? fedora-create-review? The tool that syncs assignees from dist-git to RHBZ?
> >
> > No idea.
>
> Most of these tools are written in python and as the email says, the most recent version of python-bugzilla works fine (which is already in Fedora and EPEL - stable).
>
> So as long as your systems are up to date, it should be somewhat transparent.

abrt-gui on up-to-date Fedora 35 still asks for Username and Password in Bugzilla configuration panel. No mention of API keys.

-- 
Tomasz Torcz
to...@pipebreaker.pl
Re: Action Required: Bugzilla - API Authentication changes
On Tue, Feb 01, 2022 at 01:41:01PM +0100, Miro Hrončok wrote:
> On 01. 02. 22 13:37, Fabio Valentini wrote:
> > Hi Miro,
> >
> > Thanks for forwarding this announcement.
> > Apparently the talk about "improving communication between RHBZ and the Fedora Project" has not borne fruit yet. ;)
>
> Well the announcement was public, I recommend subscribing to https://listman.redhat.com/mailman/listinfo/bugzilla-announce-list if you interact with bugzilla a lot.
>
> > Do we know if any of our tools and scripts that interact with RHBZ will get broken by this?
> > I assume you have an eye on at least some of the releng scripts (FTI, FTBFS, etc.).
>
> I will check. I think it's all broken.
>
> > But what about fedora-review? fedora-create-review? The tool that syncs assignees from dist-git to RHBZ?
>
> No idea.

Most of these tools are written in python and as the email says, the most recent version of python-bugzilla works fine (which is already in Fedora and EPEL - stable).

So as long as your systems are up to date, it should be somewhat transparent.

Pierre
Action Required: Bugzilla - API Authentication changes
Forwarded Message
Subject: [Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes
Date: Tue, 1 Feb 2022 12:28:13 +1000
From: Jeff Fearn
To: bugzilla-announce-l...@redhat.com

Tl;dr From Monday 28th February, applications making API calls to Bugzilla may no longer authenticate using passwords or supplying API keys in call parameters. Instead, API keys must be supplied in the Authorization header.

Support for using the Authorization header has been deployed to all Red Hat Bugzilla instances. You can change your code at any time and not have to wait for the old methods to be disabled.

We will require all authenticated API usage to use this new method; this will break API access to Red Hat Bugzilla for any tools that don't use the Authorization header [1].

If you are not certain your tooling authenticates using this header then you need to take action to confirm it does and to modify your tooling to use it if it doesn't.

This new method does away with logging in and out of the API and uses API_KEYs in a standard Authorization header. This header needs to be sent with every call to the API.

The old methods will be disabled on a rolling basis across the RHBZ servers.

Target Dates:

https://bugzilla.stage.redhat.com - Mon 07th Feb 00:00 UTC
https://bugzilla.redhat.com - Mon 28th Feb 00:00 UTC

IMPORTANT

If you attempt to use an old method to authenticate to the API after this change has been made, the API_KEY or password supplied will be treated as potentially compromised and invalidated immediately. If you supplied your password then you will need to follow the forgot password process to reset it. If you supplied an API_KEY it will have been banned and you will need to generate a new API_KEY in the UI.

This invalidation will happen every time an attempt to use an outdated authentication method is detected.

If you are using python-bugzilla you need to upgrade to version 3.2.0 which will automatically use the new method of authentication.

If you are using other tools you will need to look into how they work and see how to adjust them to use the Authorization header instead of the other parameters.

If you need assistance understanding how to update your applications, please reach out to us by the following means.

- If you have an active subscription via https://access.redhat.com/support/

- If you are a Red Hat Partner then please contact your partner representative

- Or email us at bugzilla-ow...@redhat.com

The Red Hat Bugzilla Team.

1: https://bugzilla.redhat.com/docs/en/html/api/core/v1/general.html#authentication

___ devel-announce mailing list -- devel-announce@lists.fedoraproject.org To unsubscribe send an email to devel-announce-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel-announce@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
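The announcement names the header but not how a script should build the call or how to find the calls that will get a key banned. The following is an added example, not code from the announcement, from python-bugzilla or from Red Hat Bugzilla, and it makes three labelled assumptions: the header value is "Bearer <api_key>" (the scheme the RHBZ REST documentation linked above describes, and the one python-bugzilla 3.2.0 sends), the legacy parameter names are the Bugzilla 5 REST ones (api_key, Bugzilla_api_key, Bugzilla_login, Bugzilla_password, the /rest/login endpoint), and the two sample scripts it audits are constructed, not real Fedora tooling. It is stdlib only and sends nothing; the request objects are built so they can be inspected.

```python
"""Added example (not from the announcement, python-bugzilla or RHBZ).

1. build REST calls that carry the API key only in the Authorization header
   (sent on every call, no login/logout step) and show where the retired
   method leaves the key;
2. audit script text for the retired patterns before the cutover, since
   after it every such call gets the key or password it carries banned.

Assumptions: header scheme "Bearer <api_key>"; legacy parameter names from
the Bugzilla 5 REST API; the sample scripts at the bottom are constructed.
"""
import re
import urllib.parse
import urllib.request

BUGZILLA_URL = "https://bugzilla.redhat.com"


def build_request(path, api_key, params=None, legacy=False):
    """Return an unsent urllib Request for GET <BUGZILLA_URL>/rest/<path>.

    legacy=True reproduces the retired method: the key goes into the query
    string, where it lands in access logs, proxy logs and shell history.
    legacy=False puts the key in the Authorization header instead.
    """
    query = dict(params or {})
    headers = {"Accept": "application/json"}
    if legacy:
        query["api_key"] = api_key
    else:
        headers["Authorization"] = "Bearer " + api_key  # assumed scheme
    url = f"{BUGZILLA_URL}/rest/{path.lstrip('/')}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    return urllib.request.Request(url, headers=headers)


def key_in_url(req, api_key):
    """True if the secret is visible in the request URL (the banned method)."""
    return api_key in req.full_url


def uses_auth_header(req, api_key):
    """True if the request authenticates only via the Authorization header."""
    return (req.get_header("Authorization") == "Bearer " + api_key
            and not key_in_url(req, api_key))


# Heuristic signatures of the retired methods; tune them to your code base.
LEGACY_PATTERNS = [
    (re.compile(r"[?&]api_key="), "API key passed in the query string"),
    (re.compile(r"\bBugzilla_(api_key|login|password)\b"),
     "Bugzilla_* authentication parameter"),
    (re.compile(r"/rest/login\b"), "explicit login call; header auth has no login step"),
    (re.compile(r"\bpassword\s*="), "password-based login; switch to an API key"),
]


def find_legacy_auth(source):
    """Scan script text for retired authentication patterns.

    Returns [(line_number, reason, line)], at most one hit per line, so the
    calls can be fixed before the cutover instead of burning a key after it.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, reason in LEGACY_PATTERNS:
            if pattern.search(line):
                hits.append((lineno, reason, line.strip()))
                break
    return hits


# Constructed sample scripts (not real Fedora tooling) for the audit.
OLD_SCRIPT = """\
import bugzilla, requests
BZ = "https://bugzilla.redhat.com"
r = requests.get(BZ + "/rest/bug/1?api_key=" + KEY)
s = requests.get(BZ + "/rest/login?login=" + USER + "&password=" + PW)
bz = bugzilla.Bugzilla(BZ, user=USER, password=PW)
"""

NEW_SCRIPT = """\
import os, requests
BZ = "https://bugzilla.redhat.com"
headers = {"Authorization": "Bearer " + os.environ["BUGZILLA_API_KEY"]}
r = requests.get(BZ + "/rest/bug/1", headers=headers)
"""

if __name__ == "__main__":
    good = build_request("bug/1", "example-key", {"include_fields": "id"})
    bad = build_request("bug/1", "example-key", legacy=True)
    print("header auth:", uses_auth_header(good, "example-key"))
    print("legacy leaks key in URL:", key_in_url(bad, "example-key"))
    for hit in find_legacy_auth(OLD_SCRIPT):
        print("OLD_SCRIPT line %d: %s" % hit[:2])
    print("NEW_SCRIPT hits:", find_legacy_auth(NEW_SCRIPT))
```

The audit is a grep, not a proof: run it on every script that touches RHBZ before the cutover date for the instance it talks to, because a legacy call that slips through afterwards costs the key or password it carries, every time. Note also that upgrading python-bugzilla only helps a script that hands the library an API key; one that still passes a username and password uses the method the announcement retires regardless of the library version.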
Re: Action Required: Bugzilla - API Authentication changes
On 01. 02. 22 13:37, Fabio Valentini wrote:
> Hi Miro,
>
> Thanks for forwarding this announcement.
> Apparently the talk about "improving communication between RHBZ and the Fedora Project" has not borne fruit yet. ;)

Well the announcement was public, I recommend subscribing to https://listman.redhat.com/mailman/listinfo/bugzilla-announce-list if you interact with bugzilla a lot.

> Do we know if any of our tools and scripts that interact with RHBZ will get broken by this?
> I assume you have an eye on at least some of the releng scripts (FTI, FTBFS, etc.).

I will check. I think it's all broken.

> But what about fedora-review? fedora-create-review? The tool that syncs assignees from dist-git to RHBZ?

No idea.

-- 
Miro Hrončok
--
Phone: +420777974800
IRC: mhroncok
Re: Action Required: Bugzilla - API Authentication changes
On Tue, Feb 1, 2022 at 12:37 PM Miro Hrončok wrote:
>
> Forwarded Message
> Subject: [Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes
> Date: Tue, 1 Feb 2022 12:28:13 +1000
> From: Jeff Fearn
> To: bugzilla-announce-l...@redhat.com
>
> Tl;dr From Monday 28th February, applications making API calls to Bugzilla may no longer authenticate using passwords or supplying API keys in call parameters. Instead, API keys must be supplied in the Authorization header.
>
> Support for using the Authorization header has been deployed to all Red Hat Bugzilla instances. You can change your code at any time and not have to wait for the old methods to be disabled.
>
> We will require all authenticated API usage to use this new method; this will break API access to Red Hat Bugzilla for any tools that don't use the Authorization header [1].
>
> If you are not certain your tooling authenticates using this header then you need to take action to confirm it does and to modify your tooling to use it if it doesn't.
>
> This new method does away with logging in and out of the API and uses API_KEYs in a standard Authorization header. This header needs to be sent with every call to the API.
>
> The old methods will be disabled on a rolling basis across the RHBZ servers.
>
> Target Dates:
>
> https://bugzilla.stage.redhat.com - Mon 07th Feb 00:00 UTC
> https://bugzilla.redhat.com - Mon 28th Feb 00:00 UTC
>
> IMPORTANT
>
> If you attempt to use an old method to authenticate to the API after this change has been made, the API_KEY or password supplied will be treated as potentially compromised and invalidated immediately. If you supplied your password then you will need to follow the forgot password process to reset it. If you supplied an API_KEY it will have been banned and you will need to generate a new API_KEY in the UI.
>
> This invalidation will happen every time an attempt to use an outdated authentication method is detected.
>
> If you are using python-bugzilla you need to upgrade to version 3.2.0 which will automatically use the new method of authentication.
>
> If you are using other tools you will need to look into how they work and see how to adjust them to use the Authorization header instead of the other parameters.
>
> If you need assistance understanding how to update your applications, please reach out to us by the following means.
>
> - If you have an active subscription via https://access.redhat.com/support/
>
> - If you are a Red Hat Partner then please contact your partner representative
>
> - Or email us at bugzilla-ow...@redhat.com
>
> The Red Hat Bugzilla Team.

Hi Miro,

Thanks for forwarding this announcement.
Apparently the talk about "improving communication between RHBZ and the Fedora Project" has not borne fruit yet. ;)

Do we know if any of our tools and scripts that interact with RHBZ will get broken by this?
I assume you have an eye on at least some of the releng scripts (FTI, FTBFS, etc.).

But what about fedora-review? fedora-create-review? The tool that syncs assignees from dist-git to RHBZ?

Fabio