[Bugzilla-announce-list] Action Required: Bugzilla - API Authentication changes

Jeff Fearn jfearn at redhat.com
Thu Feb 24 00:16:12 UTC 2022


On 1/2/2022 12:28, Jeff Fearn wrote:
> Tl;dr From Monday 28th February, applications making API calls to 
> Bugzilla may no longer authenticate using passwords or supplying API 
> keys in call parameters. Instead, API keys must be supplied in the 
> Authorization header.
> 
> Support for using the Authorization header has been deployed to all Red 
> Hat Bugzilla instances. You can change your code at any time and not 
> have to wait for the old methods to be disabled.
> 
> We will require all authenticated API usage to use this new method; this 
> will break API access to Red Hat Bugzilla for any tools that don't use 
> the Authorization header [1].
> 
> If you are not certain your tooling authenticates using this header then 
> you need to take action to confirm it does and to modify your tooling to 
> use it if it doesn't.
> 
> This new method does away with logging in and out of the API and uses 
> API_KEYs in a standard Authorization header. This header needs to be 
> sent with every call to the API.
> 
> The old methods will be disabled on a rolling basis across the RHBZ 
> servers.
> 
> Target Dates:
> 
> https://bugzilla.stage.redhat.com - Mon 07th Feb 00:00 UTC
> https://bugzilla.redhat.com - Mon 28th Feb 00:00 UTC
> 
> IMPORTANT
> 
> If you attempt to use an old method to authenticate to the API after 
> this change has been made, the API_KEY or password supplied will be 
> treated as potentially compromised and invalidated immediately. If you 
> supplied your password then you will need to follow the forgot password 
> process to reset it. If you supplied an API_KEY it will have been banned 
> and you will need to generate a new API_KEY in the UI.
> 
> This invalidation will happen every time an attempt to use an outdated 
> authentication method is detected.
> 
> If you are using python-bugzilla you need to upgrade to version 3.2.0 
> which will automatically use the new method of authentication.
> 
> If you are using other tools you will need to look into how they work 
> and see how to adjust them to use the Authorization header instead of 
> the other parameters.
> 
> If you need assistance understanding how to update your applications, 
> please reach out to us by the following means.
> 
> - If you have an active subscription via https://access.redhat.com/support/
> 
> - If you are a Red Hat Partner then please contact your partner 
> representative
> 
> - Or email us at bugzilla-owner at redhat.com
> 
> The Red Hat Bugzilla Team.
> 
> 1: 
> https://bugzilla.redhat.com/docs/en/html/api/core/v1/general.html#authentication 
> 

Hi, due to a bug in Red Hat Bugzilla some users have not been able to 
create API keys. To give these users adequate time to prepare for this 
change, it will be postponed to Monday the 14th of March 2022 at UTC 00:00.

Additionally, the automated disablement of API keys and passwords has 
itself been disabled.

Cheers, Jeff.
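
An added example, not part of the original message and not Red Hat's or python-bugzilla's code: a small Python helper for tools that build their own REST calls, which finds credentials left in the query string and moves the API key into the Authorization header. It assumes the `Bearer` scheme described in the API documentation linked as [1] and the credential parameter names from the upstream Bugzilla REST documentation; the function names, sample URL and key are constructed for illustration.

```python
import urllib.request
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters the Bugzilla REST API has accepted for credentials
# (names taken from the upstream REST documentation, not from this message).
LEGACY_KEY_PARAMS = {"api_key", "Bugzilla_api_key"}
LEGACY_SECRET_PARAMS = {"login", "password", "Bugzilla_login",
                        "Bugzilla_password", "token", "Bugzilla_token"}


def find_legacy_credentials(url):
    """Return the sorted names of credential parameters found in the query string."""
    names = {k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)}
    return sorted(names & (LEGACY_KEY_PARAMS | LEGACY_SECRET_PARAMS))


def build_request(url, api_key):
    """Build a request that carries the API key only in the Authorization header.

    Fails closed on plain HTTP and on login/password/token parameters, and
    strips any api_key parameter so the key stays out of URLs and access logs.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    bad = sorted({k for k, _ in pairs} & LEGACY_SECRET_PARAMS)
    if bad:
        raise ValueError("legacy login parameters in URL: " + ", ".join(bad))
    kept = [(k, v) for k, v in pairs if k not in LEGACY_KEY_PARAMS]
    clean = urlunsplit(parts._replace(query=urlencode(kept)))
    req = urllib.request.Request(clean)
    # Assumed header format: "Authorization: Bearer <API_KEY>" (see lead-in).
    req.add_header("Authorization", "Bearer " + api_key)
    return req


if __name__ == "__main__":
    # Constructed sample: an old-style call with the key in the query string.
    old = "https://bugzilla.stage.redhat.com/rest/bug?id=12345&api_key=PLACEHOLDER_KEY"
    print(find_legacy_credentials(old))
    req = build_request(old, "PLACEHOLDER_KEY")
    print(req.full_url, dict(req.header_items()))
```

Nothing is sent by this code; pass the returned object to `urllib.request.urlopen` once the audit step reports no legacy parameters.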