Mapping LDAP group to user roles
Tom Joseph
tomjose at linux.vnet.ibm.com
Tue Aug 21 22:13:51 AEST 2018
Hello,
We have a requirement to assign roles to LDAP users, so that certain
operations can be restricted for users without admin permissions.
The proposal is to assign a role to each LDAP group. The LDAP user will
inherit the role assigned to the LDAP group.
To start off, the plan is to have two roles, the admin role and the user
role. The role will be consumed by
phosphor-rest-server to screen the REST API based on HTTP verbs. The
user role will permit only REST APIs with the GET verb.
The admin role will permit all the HTTP verbs.
With this in the background, I am proposing a D-Bus API to implement the
LDAP group to role mapping. The CreateGroupRole method
can be used to create a mapping between the LDAP group and the role.
This will create an object with the group name, like
/xyx/openbmc_project/ldap/<group_name>, which will implement the
GroupEntry interface that has the role attribute.
Let me know your thoughts about this proposal.
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-dbus-interfaces/+/12027/
Regards,
Tom
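The mapping and verb screening described in the message, as an added example that is not part of the original post or of phosphor-rest-server. The role names, the deny-by-default rule for unmapped users, and the union rule for users in several mapped groups are assumptions.

```python
# Added example, not code from the original post or from phosphor-rest-server.
# It models the proposed LDAP-group-to-role mapping and the HTTP-verb screening
# described in the message. Role names and the multi-group rule are assumptions.

ADMIN_ROLE = "admin"
USER_ROLE = "user"

# Per the post: the user role permits only GET, the admin role permits all verbs.
ROLE_VERBS = {
    ADMIN_ROLE: frozenset({"GET", "PUT", "POST", "PATCH", "DELETE"}),
    USER_ROLE: frozenset({"GET"}),
}

# Object path prefix as written in the post.
LDAP_PATH_PREFIX = "/xyx/openbmc_project/ldap/"


class GroupRoleMap:
    """Stands in for the proposed D-Bus objects: one GroupEntry per LDAP group,
    each carrying a Role attribute."""

    def __init__(self):
        self._roles = {}  # group name -> role

    def create_group_role(self, group, role):
        """Models CreateGroupRole: map an LDAP group to a role and return the
        object path of the resulting GroupEntry. Unknown roles are rejected
        so a typo cannot silently create a group with no permissions."""
        if role not in ROLE_VERBS:
            raise ValueError("unknown role: %r" % role)
        if not group or "/" in group:
            raise ValueError("invalid group name: %r" % group)
        self._roles[group] = role
        return LDAP_PATH_PREFIX + group

    def permitted_verbs(self, user_groups):
        """Verbs a user inherits from all mapped groups they belong to.
        Assumption: membership in several mapped groups is the union of their
        verbs; a user with no mapped group gets nothing (deny by default)."""
        verbs = set()
        for group in user_groups:
            role = self._roles.get(group)
            if role is not None:
                verbs |= ROLE_VERBS[role]
        return frozenset(verbs)

    def is_permitted(self, user_groups, verb):
        """The per-request check the REST server would apply."""
        return verb.upper() in self.permitted_verbs(user_groups)
```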