Discussion on openbmc issue #430

Patrick Williams patrick at stwcx.xyz
Fri Aug 19 03:44:50 AEST 2016


On Tue, Aug 16, 2016 at 05:05:58PM +0530, tomjose wrote:
> 
> Thanks Patrick for your feedback. I have mentioned my responses inline.
> 
> On Friday 12 August 2016 07:47 PM, Patrick Williams wrote:
> > Tom,
> >
> > Thanks for sending this out to the broader community.
> >
> > Few comments below...
> >
> > On Fri, Aug 12, 2016 at 07:26:24PM +0530, tomjose wrote:
> >> *Registering Callback Routines:-*
> >> -----------------------------------------------
> >> 1) Open the IPMI library path(/usr/lib/phosphor-host-ipmid)
> > I would prefer we have a new directory '/usr/lib/phosphor-net-ipmid' for
> > the RMCP libraries.  We can create symlinks between the two repos as
> > appropriate.
> >
> > The reason for this is two-fold:
> >     1) I suspect there will be some of the OEM commands that we will want
> >        to expose in-band only.
> >     2) There are commands that we may want similarly excluded from the
> >        in-band path due to security concerns (even though we have the
> >        white-list support).
> >
> > We might want to have a '/usr/lib/ipmid-providers' as the default
> > install location for all providers and then symlink into both
> > phosphor-net and phosphor-host as appropriate.
> In the proposal, I had mentioned there is a provision to add channel
> restrictions to each command.
> There are 3 variants available: execute on any channel, execute in-band
> only and execute on LAN only.
> The channel restriction would be evaluated before each command is executed.
> I hope this would meet the same requirements.

I would rather not codify that in the provider itself.  By using
symlinks we allow the system engineers to specify different behavior for
their system without having to modify code, i.e. through .bbappend
changes to the recipe.

> >> *SessionLess Commands :-*
> >> -------------------------------------
> >> This would mention whether the command can be executed without a
> >> session. For example
> >> Get Channel Capabilities can be executed without a session.
> > How do we identify session-less commands?  Should this be an enhancement
> > to the registration API?
> The session-less commands are mentioned in the IPMI specification.
> Examples are Get Channel Authentication Capabilities, Activate Session
> command etc.

I meant how are they identified by the provider?  You could want to
implement an OEM command that is session-less.  We need that identified
by the provider when they do registration?

> The privilege levels attributed to each command are mentioned in the
> specification.
> It is mentioned in the specification Table G-1 (Command Number
> Assignments and Privilege Levels). The providers should provide these as
> registration parameters when the callbacks are registered.

Ok.  Those can be default groups.  Isn't there also a mechanism to
create custom groups with IPMI?  Since we plan to map IPMI users back to
PAM users, do we also need to map roles back to PAM groups?

-- 
Patrick Williams
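As an added illustration of the registration parameters debated above (channel restriction, session-less flag, minimum privilege from Table G-1), and not code from phosphor-host-ipmid or either participant: a small dispatcher that records those parameters at registration time and evaluates them before a handler runs. The OEM netfn/cmd pair, the handler bodies and the mapping from verdicts to IPMI completion codes are constructed for this example.

```cpp
#include <cstdint>
#include <functional>
#include <map>

enum class Channel { InBand, Lan };                          // where the request arrived
enum class ChannelRestriction { Any, InBandOnly, LanOnly };  // the three variants in the proposal
enum class Privilege : uint8_t { Callback = 1, User = 2, Operator = 3, Admin = 4 };
enum class Verdict { Allowed, WrongChannel, NeedsSession, InsufficientPrivilege, Unknown };

struct Registration {
    ChannelRestriction restriction;
    bool sessionLess;                  // may run before a session is established
    Privilege minPriv;                 // per-command minimum, as listed in Table G-1
    std::function<uint8_t()> handler;  // returns an IPMI completion code
};
struct RequestContext { Channel channel; bool sessionEstablished; Privilege priv; };

class Dispatcher {
    std::map<uint16_t, Registration> table_;  // key: (netfn << 8) | cmd
    static uint16_t key(uint8_t netfn, uint8_t cmd) { return uint16_t((netfn << 8) | cmd); }
public:
    void registerCommand(uint8_t netfn, uint8_t cmd, Registration r) { table_[key(netfn, cmd)] = r; }
    // Channel restriction first, then the session requirement, then privilege.
    Verdict check(uint8_t netfn, uint8_t cmd, const RequestContext& ctx) const {
        auto it = table_.find(key(netfn, cmd));
        if (it == table_.end()) return Verdict::Unknown;
        const Registration& r = it->second;
        Channel required = r.restriction == ChannelRestriction::InBandOnly ? Channel::InBand : Channel::Lan;
        if (r.restriction != ChannelRestriction::Any && ctx.channel != required) return Verdict::WrongChannel;
        if (!ctx.sessionEstablished)  // without a session only session-less commands proceed
            return r.sessionLess ? Verdict::Allowed : Verdict::NeedsSession;
        if (ctx.priv < r.minPriv) return Verdict::InsufficientPrivilege;
        return Verdict::Allowed;
    }
    // The handler runs only once every check has passed; otherwise a completion code is returned.
    uint8_t dispatch(uint8_t netfn, uint8_t cmd, const RequestContext& ctx) const {
        switch (check(netfn, cmd, ctx)) {
            case Verdict::Allowed: return table_.at(key(netfn, cmd)).handler();
            case Verdict::NeedsSession: case Verdict::InsufficientPrivilege: return 0xD4;  // insufficient privilege
            default: return 0xC1;  // invalid command (not provided on this channel)
        }
    }
};

// Constructed table: the first two netfn/cmd pairs are the spec's, the OEM command is made up.
Dispatcher makeExampleDispatcher() {
    auto ok = [] { return uint8_t{0x00}; };  // constructed handler: always succeeds
    Dispatcher d;
    d.registerCommand(0x06, 0x38, {ChannelRestriction::Any, true, Privilege::Callback, ok});      // Get Channel Auth Capabilities
    d.registerCommand(0x04, 0x2D, {ChannelRestriction::Any, false, Privilege::User, ok});         // Get Sensor Reading
    d.registerCommand(0x2E, 0x01, {ChannelRestriction::InBandOnly, false, Privilege::Admin, ok}); // OEM, in-band only
    return d;
}
```

Because the channel restriction is checked before the privilege level, even an administrator session on the LAN channel cannot reach the in-band-only OEM command; the alternative Patrick proposes achieves the same effect by simply not installing the provider into the network daemon's directory.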