New ServiceRep role and privilege

Joseph Reynolds jrey at linux.ibm.com
Mon Jun 22 01:09:55 AEST 2020 

On 6/21/20 1:52 AM, Thomaiyar, Richard Marian wrote:
> Hi Joseph,
>
> I have added some more points on the use case,
>
> https://redfishforum.com/thread/333/proposed-new-servicerep-role-privilege?page=1&scrollTo=1178 
>
>
> have you made any proposal on it? Last time in security workgroup, i 
> didn't see much interest, but i am interested in getting it defined 
> and propose it to Redfish TF ?
>
> Let me know ?

Richard,  +openbmc

Thanks for your comments on thread/333 above.  I have some of the same 
questions as you.  I think our use cases have very much in common.  I 
had originally formulated ServiceRep and ManufacturingRep roles, with 
different privileges, but we converged them into the ServiceRep role 
that I am taking forward to Redfish.  First, I want to get a direction 
from the Redfish forum for how to handle our use cases.

I created a Redfish issue (https://github.com/DMTF/Redfish/issues/4057) 
to get a direction for adding the ServiceRep role and privilege.  This 
issue is readable only to DMTF Redfish members because the DMTF works 
privately.  I understand this issue will be discussed at the (private) 
Redfish forum meeting planned for this Tuesday June 23, 1-5pm CDT.  Can 
you attend or send a rep from your company?

- Joseph

>
> Regards,
>
> Richard
>
> On 6/4/2020 8:19 AM, Joseph Reynolds wrote:
>> On 6/3/20 9:31 PM, Joseph Reynolds wrote:
>>> This is a proposal to add a new ServiceRep role and a new 
>>> PerformService privilege to Redfish.  The motivation for this is 
>>> given in the "Isolate service privileges" email, as archived [1].
>>>
>>> To be clear: This email is asking the OpenBMC community for input 
>>> before approaching Redfish with a formal proposal. Would you be okay 
>>> with the changes described here, or do we have more considerations?
>>
>> I posted this topic to the Redfish forum to get their input: 
>> https://redfishforum.com/thread/333/proposed-new-servicerep-role-privilege
>>
>> - Joseph
>>
>>> The proposal
>>>
>>> 1. Add a new PerformService privilege with description: Can perform 
>>> service operations on components that this service manages.
>>> Reference: Update DSP2046 Redfish Resource and Schema Guide > 
>>> PrivilegeRegistry > Property details.
>>>
>>> 2. Add a new ServiceRep role with the same privileges as Operator, 
>>> plus the PerformService privilege.
>>> ServiceRep - Login, ConfigureComponents, ConfigureSelf, PerformService.
>>> Reference: DSP0266 Redfish Specification > Security Details > 
>>> Privilege model and authorization.
>>>
>>> 3. Update the Administrator role to optionally have the 
>>> PerformService privilege.  Make this an implementation decision 
>>> based on use case:
>>> - As an Administrator of a system that does not have dedicated 
>>> service personnel, I need the PerformService privilege so I don't 
>>> have to create a service account just to perform service operations.
>>> - As the OEM of a system that has dedicated service agents, I need 
>>> the Administrator to NOT have the PerformService privilege so they 
>>> cannot interfere with the service personnel.
>>>
>>> 4. Change various operations to require the PerformService 
>>> privilege.  For example, allow PATCH to an EthernetInterface 
>>> MACAddress.
>>>
>>> 4a. Reference: DSP8010 Redfish Schema > EthernetInterface.
>>> Change the MACAddress.readonly property to false.
>>>
>>> 4b. Reference: DSP8011 > Redfish PrivilegeRegistry > EthernetInterface.
>>> Add a PropertyOverride to target MACAddress for the PATCH operation: 
>>> require PerformService.
>>>
>>>
>>> Discussion points
>>>
>>> I believe this would be straightforward to implement in the BMCWeb 
>>> Redfish server [2].  For point 3 above (optionally assigning the 
>>> PerformService privileges), we can have an BMCWeb configuration 
>>> option or image feature.  I believe we need both use cases.
>>>
>>> Note that ServiceRep may need the ConfigureManagers privilege 
>>> depending on your service model.  Note also that a ServiceRep with 
>>> the ConfigureUsers privilege is really an Administrator with 
>>> additional powers, as discussed in the OpenBMC security working 
>>> group minutes [3] from 2019-11-21 and 2020-03-04. That may or may 
>>> not be what you want.  All kinds of fun here, we could even make 
>>> this configurable by the BMC admin. [4]
>>>
>>> To address how to protect against DSP2045 > "AccountService roles 
>>> allow an escalation of privileges", see discussion in the "Isolate 
>>> service privileges" email [1].
>>>
>>> The proposal described here does not fit neatly into the existing 
>>> Redfish model.  The PerformService privilege should optionally be 
>>> assigned to the Administrator role, depending on the use case. 
>>> Perhaps the Redfish spec could make that an implementation option. 
>>> Otherwise using a custom Role and OemPrivileges (as shown in the 
>>> DSP0266 > OEMSysAdminPriv example) would work.  We'll need to work 
>>> that out with Redfish.
>>>
>>> The alternate proposal using a custom Role & OemPrivileges would be:
>>> - Custom ServiceRep role, as above.
>>> - OemPrivilegePerformService, as above.
>>> - But with no changes to the Redfish spec.
>>> - A configuration option that determines whether or not 
>>> Administrator contains OemPrivilegePerformService.
>>>
>>> Is this the right way to think about alternate role and privilege 
>>> schemes, or is using custom roles and OemPrivileges the way to go?
>>>
>>> - Joseph
>>>
>>> [1]: https://lists.ozlabs.org/pipermail/openbmc/2020-June/021927.html
>>> [2]: https://github.com/openbmc/bmcweb
>>> [3]: 
>>> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI
>>> [4]: Just joking.  That's extra works we don't need.
>>>
>>

More information about the openbmc mailing list