On Tue, Feb 1, 2022 at 12:37 PM Miro Hrončok <mhroncok@xxxxxxxxxx> wrote:
>
> -------- Forwarded Message --------
> Subject: [Bugzilla-announce-list] Action Required: Bugzilla - API
> Authentication changes
> Date: Tue, 1 Feb 2022 12:28:13 +1000
> From: Jeff Fearn <jfearn@xxxxxxxxxx>
> To: bugzilla-announce-list@xxxxxxxxxx
>
> Tl;dr From Monday 28th February, applications making API calls to Bugzilla may
> no longer authenticate using passwords or supplying API keys in call
> parameters. Instead, API keys must be supplied in the Authorization header.
>
> Support for using the Authorization header has been deployed to all Red Hat
> Bugzilla instances. You can change your code at any time and not have to wait
> for the old methods to be disabled.
>
> We will require all authenticated API usage to use this new method; this will
> break API access to Red Hat Bugzilla for any tools that don't use the
> Authorization header [1].
>
> If you are not certain your tooling authenticates using this header then you
> need to take action to confirm it does and to modify your tooling to use it if
> it doesn't.
>
> This new method does away with logging in and out of the API and uses API_KEYs
> in a standard Authorization header. This header needs to be sent with every
> call to the API.
>
> The old methods will be disabled on a rolling basis across the RHBZ servers.
>
> Target Dates:
>
> https://bugzilla.stage.redhat.com - Mon 07th Feb 00:00 UTC
> https://bugzilla.redhat.com - Mon 28th Feb 00:00 UTC
>
> IMPORTANT
>
> If you attempt to use an old method to authenticate to the API after this
> change has been made, the API_KEY or password supplied will be treated as
> potentially compromised and invalidated immediately. If you supplied your
> password then you will need to follow the forgot password process to reset it.
> If you supplied an API_KEY it will have been banned and you will need to
> generate a new API_KEY in the UI.
>
> This invalidation will happen every time an attempt to use an outdated
> authentication method is detected.
>
> If you are using python-bugzilla you need to upgrade to version 3.2.0 which
> will automatically use the new method of authentication.
>
> If you are using other tools you will need to look into how they work and see
> how to adjust them to use the Authorization header instead of the other parameters.
>
> If you need assistance understanding how to update your applications, please
> reach out to us by the following means.
>
> - If you have an active subscription via https://access.redhat.com/support/
>
> - If you are a Red Hat Partner then please contact your partner representative
>
> - Or email us at bugzilla-owner@xxxxxxxxxx
>
> The Red Hat Bugzilla Team.

Hi Miro,

Thanks for forwarding this announcement. Apparently the talk about
"improving communication between RHBZ and the Fedora Project" has not
borne fruit yet. ;)

Do we know if any of our tools and scripts that interact with RHBZ
will get broken by this? I assume you have an eye on at least some of
the releng scripts (FTI, FTBFS, etc.). But what about fedora-review?
fedora-create-review? The tool that syncs assignees from dist-git to
RHBZ?

Fabio
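
One way to check a tool before the cutover, added here as an example (not code from the announcement, python-bugzilla or any Fedora tool): it classifies an outbound API request by how it carries credentials, so a request that would trigger the invalidation described above can be caught in a dry run. The parameter names are the ones upstream Bugzilla documents; the `Bearer` scheme, the host and the key values are assumptions or placeholders.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Credential parameter names documented for upstream Bugzilla (assumed to apply to RHBZ).
LEGACY_PARAMS = frozenset({
    "api_key", "login", "password", "token",
    "Bugzilla_api_key", "Bugzilla_login", "Bugzilla_password", "Bugzilla_token",
})

def _keys(node):
    """Yield every dict key in a decoded JSON document, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _keys(value)
    elif isinstance(node, list):
        for item in node:
            yield from _keys(item)

def legacy_params(url, body=None):
    """Return legacy credential parameters found in the query string or JSON body."""
    found = set(parse_qs(urlsplit(url).query, keep_blank_values=True))
    if body:
        try:
            found.update(_keys(json.loads(body)))
        except ValueError:
            pass  # not JSON: only the query string is inspected
    return sorted(found & LEGACY_PARAMS)

def classify(url, headers=None, body=None):
    """Return 'legacy', 'header' or 'anonymous' for one outbound API request."""
    if legacy_params(url, body):
        return "legacy"  # the announcement says this invalidates the credential
    auth = {k.lower(): v for k, v in (headers or {}).items()}.get("authorization", "")
    scheme, _, value = auth.partition(" ")
    # Assumption: the API key is sent with the Bearer scheme.
    return "header" if scheme.lower() == "bearer" and value.strip() else "anonymous"

# Constructed sample requests (host and key values are placeholders).
BASE = "https://bugzilla.example.test"
SAMPLES = [
    (BASE + "/rest/bug/1?api_key=PLACEHOLDER", {}, None),
    (BASE + "/jsonrpc.cgi", {}, '{"method": "Bug.get", "params": [{"Bugzilla_api_key": "PLACEHOLDER"}]}'),
    (BASE + "/rest/bug/1", {"Authorization": "Bearer PLACEHOLDER"}, None),
    (BASE + "/rest/bug/1", {}, None),
]
if __name__ == "__main__":
    for url, headers, body in SAMPLES:
        print(classify(url, headers, body), legacy_params(url, body))
```

A request that sends both the header and a legacy parameter is still reported as `legacy`, since the announcement ties invalidation to any use of the old methods.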