Redfish: Design User authorization.
Tanous, Ed
ed.tanous at intel.com
Tue Feb 26 04:12:21 AEDT 2019
>
> Hi Ed,
>
> This mail is regarding the authorization support on Redfish.
>
Thanks for pushing forward on this. I think the best first step would be to review the patchset that's already in progress that's adding some infrastructure to do a lot of the things you're proposing. If you're proposing an alternative approach to the existing review, and I misunderstood, apologies.
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/15813
I suspect the questions we need to answer are:
1. How do we determine a user's role?
2. Given that privilege is required to service every request, do we need to cache it, or can we go to dbus for every request?
3. How is the cache invalidated?
I think the bulk of the implementation will be filling out the method here:
https://github.com/openbmc/bmcweb/blob/a24526dcf9ad8de2f0bd9dbd5fc746a130351a22/redfish-core/include/privileges.hpp#L229
And moving roles away from the static implementation, as you've already determined.
Do you have any intention to implement PrivilegeRegistry?
Looking forward to seeing your work here.
-Ed