<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10pt" ><div dir="ltr" ><div><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" >Redfish defines a PrivilegeRegistry (</span></span></span><a href="https://redfish.dmtf.org/registries/Redfish_1.1.0_PrivilegeRegistry.json" style="outline:none;" target="_blank" ><span style="color:#4a6ee0;" ><span data-preserver-spaces="true" style="outline:none;" >https://redfish.dmtf.org/registries/Redfish_1.1.0_PrivilegeRegistry.json</span></span></a><span data-preserver-spaces="true" style="outline:none;" >). This Privilege Registry defines which privilege(s) are needed to access the URI. There was work here by Ed to have bmcweb automatically use this PrivilegeRegistry, </span><a href="https://github.com/openbmc/bmcweb/commit/ed3982131dcef2b499da36e674d2d21b2289ef29" style="outline:none;" target="_blank" ><span style="color:#4a6ee0;" ><span data-preserver-spaces="true" style="outline:none;" >https://github.com/openbmc/bmcweb/commit/ed3982131dcef2b499da36e674d2d21b2289ef29</span></span></a><span data-preserver-spaces="true" style="outline:none;" >. The commits below change bmcweb to match the PrivilegeRegistry. They include two breaking Operator role changes (3 and 4).</span></div>
<div> </div>
<div><span data-preserver-spaces="true" style="outline:none;" ><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" >1) Fix Log_services privileges</span></span></span></span></div>
<div><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" ><a href="https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45125" style="outline:none;" target="_blank" ><span style="color:#4a6ee0;" ><span data-preserver-spaces="true" style="outline:none;" >https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45125</span></span></a></span></span></span></div>
<div><span data-preserver-spaces="true" style="outline:none;" ><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" >This change allows Admin, Operator, and ReadOnly users to access Crashdump data and related entries. Before this change, only an Admin role user could access Crashdump data and related entries (LogService, LogEntryCollection, and LogEntry); Operator users only had access to log entries (LogEntry).</span></span></span></span></div>
<div> </div>
<div><span data-preserver-spaces="true" style="outline:none;" ><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" >2) Fix BIOS privileges</span></span></span></span></div>
<div><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" ><a href="https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45470" style="outline:none;" target="_blank" ><span style="color:#4a6ee0;" ><span data-preserver-spaces="true" style="outline:none;" >https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45470</span></span></a></span></span></span></div>
<div><span data-preserver-spaces="true" style="outline:none;" ><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" >This change allows Admin and Operator users to reset the BIOS. Before this change, only an Admin role user had that privilege.</span></span></span></span></div>
<div> </div>
<div><strong style="outline:none;" ><span data-preserver-spaces="true" style="outline:none;" ><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" >Note:</span></span></span></span></strong><span data-preserver-spaces="true" style="outline:none;" ><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" > Changes 1) and 2) above are backward compatible because they do not restrict any existing user's access.</span></span></span></span></div>
<div> </div>
<div><span data-preserver-spaces="true" style="outline:none;" ><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" >3) Fix certificate_service privileges</span></span></span></span></div>
<div><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" ><a href="https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45470" style="outline:none;" target="_blank" ><span style="color:#4a6ee0;" ><span data-preserver-spaces="true" style="outline:none;" >https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45470</span></span></a></span></span></span></div>
<div><span data-preserver-spaces="true" style="outline:none;" ><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" >This change allows only Admin users to generate certificate signing requests (CSRs) and restricts Operator users from doing so.</span></span></span></span></div>
<div> </div>
<div><span data-preserver-spaces="true" style="outline:none;" ><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" >4) Fix Ethernet privileges</span></span></span></span></div>
<div><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" ><a href="https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45469" style="outline:none;" target="_blank" ><span style="color:#4a6ee0;" ><span data-preserver-spaces="true" style="outline:none;" >https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45469</span></span></a></span></span></span></div>
<div><span data-preserver-spaces="true" style="outline:none;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" >This change allows only Admin </span></span><span style="outline:none;" ><span data-preserver-spaces="true" style="outline:none;background-attachment:scroll;background-position-x:0%;background-position-y:0%;" >users </span></span><span data-preserver-spaces="true" style="outline:none;" >to POST, PATCH, and DELETE on the VLAN Network Interface Collection and restricts Operator users. The same applies to the EthernetInterfaces PATCH method.</span></span></div>
<div> </div>
<div><strong style="outline:none;" ><span data-preserver-spaces="true" style="outline:none;" ><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" >Note:</span></span></span></span></strong><span data-preserver-spaces="true" style="outline:none;" ><span style="color:#0e101a;" ><span style="font-family:Arial,sans-serif;" ><span style="font-size:10.0pt;" > Changes 3) and 4) above are </span></span></span><strong style="outline:none;" ><span data-preserver-spaces="true" style="outline:none;" ><span style="font-family:Arial,sans-serif;" >not</span></span></strong> <strong style="outline:none;" ><span data-preserver-spaces="true" style="outline:none;" ><span style="font-family:Arial,sans-serif;" >backward compatible</span></span></strong><span data-preserver-spaces="true" style="outline:none;" > because they take abilities away from the Operator role. Does this break anyone? Is anyone opposed to these changes?</span></span></div>
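<div>As an added example (not code from this message or from bmcweb), here is the check the PrivilegeRegistry implies, in Python: each OperationMap entry lists OR-alternatives of AND-groups of privileges, and a request passes only when the caller's role holds every privilege in at least one group. The registry fragment and the role-to-privilege table are constructed assumptions chosen to reproduce the outcomes described above (ReadOnly and Operator can read log entries; only Admin can POST to the VLAN collection or PATCH an EthernetInterface), not a copy of the real registry file.</div>

```python
import json

# Constructed fragment in the shape of the Redfish PrivilegeRegistry
# (Mappings -> Entity -> OperationMap -> HTTP method -> OR-list of AND-groups).
# Values are an assumption matching the outcomes described in the message,
# not a copy of Redfish_1.1.0_PrivilegeRegistry.json. Property and
# subordinate overrides present in the real registry are ignored here.
SAMPLE_REGISTRY = json.loads("""
{
  "PrivilegesUsed": ["Login", "ConfigureManager", "ConfigureUsers",
                     "ConfigureComponents", "ConfigureSelf"],
  "Mappings": [
    {"Entity": "LogEntry",
     "OperationMap": {
       "GET": [{"Privilege": ["Login"]}],
       "DELETE": [{"Privilege": ["ConfigureManager"]}]}},
    {"Entity": "VLanNetworkInterfaceCollection",
     "OperationMap": {
       "GET": [{"Privilege": ["Login"]}],
       "POST": [{"Privilege": ["ConfigureManager"]}]}},
    {"Entity": "EthernetInterface",
     "OperationMap": {
       "GET": [{"Privilege": ["Login"]}],
       "PATCH": [{"Privilege": ["ConfigureManager"]}]}}
  ]
}
""")

# Assumed role-to-privilege assignment for the Redfish predefined roles.
ROLE_PRIVILEGES = {
    "Administrator": {"Login", "ConfigureManager", "ConfigureUsers",
                      "ConfigureSelf", "ConfigureComponents"},
    "Operator": {"Login", "ConfigureSelf", "ConfigureComponents"},
    "ReadOnly": {"Login", "ConfigureSelf"},
}

def required_privilege_sets(registry, entity, method):
    """AND-groups for entity/method; an empty list means no mapping (deny)."""
    for mapping in registry["Mappings"]:
        if mapping["Entity"] == entity:
            groups = mapping["OperationMap"].get(method, [])
            return [set(g["Privilege"]) for g in groups]
    return []

def is_allowed(registry, role, entity, method):
    """Allow only if the role holds every privilege of at least one group."""
    held = ROLE_PRIVILEGES.get(role, set())  # unknown role holds nothing
    return any(group <= held
               for group in required_privilege_sets(registry, entity, method))
```

An unmapped method or an unknown role yields an empty group list or an empty privilege set, so both fall through to deny rather than allow.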
<div> </div></div></div></div></div><BR>