Mapping LDAP group to user roles

Tom Joseph tomjose at linux.vnet.ibm.com
Thu Aug 23 23:20:08 AEST 2018



On Tuesday 21 August 2018 08:51 PM, Tanous, Ed wrote:
>> We have a requirement to assign role to the LDAP users, so certain
>> operations can be restricted for users without admin permissions.
>>
> It would be great if you could document your proposal as a patch to the existing user management document here:
> https://github.com/openbmc/docs/blob/master/user_management.md
https://gerrit.openbmc-project.xyz/#/c/openbmc/docs/+/12091/
>
> It would make it much easier to see what changes you're proposing.  Given what already exists, your proposal is a little confusing, as there's already a mechanism to get group membership, and defined the user roles.  Are you proposing changing the existing interfaces to the new group collection type interface?  You're proposing two user roles, but we already have documented 4 user roles.  Is your proposal to delete two of them?
>
> I think all of these questions would be answered if you could update the document above with your proposed changes.
In phosphor-rest-server the requirement is to add two privilege roles, 
the admin and the user role. So the interface has two roles proposed. 
This can be extended in the future to include other privilege roles.




More information about the openbmc mailing list