API authentication
Joseph Reynolds
jrey at linux.ibm.com
Tue Mar 19 01:58:33 AEDT 2019
On 2019-03-18 05:35, Brad Bishop wrote:
> I am looking for ideas on how to implement a mechanism to restrict
> access to specific methods of a service/API (e.g. Redfish).
>
> This would be orthogonal to role-based authorization - e.g. the
> authorization would be provided by someone other than the system
> administrator - e.g. the system manufacturer.
Is this a follow-up to the March 4 OpenBMC Community call?
https://github.com/openbmc/openbmc/wiki/Weekly-Community-Telecon
My understanding is that we would design and code the BMC with functions
for things like manufacturing test and specialized diagnostics ...
functions which could harm the device, etc. So we want the functions
to be present for manufacturing test and service calls, but locked out
for all other users. Is that what this mechanism is for?
- Joseph
> I think I want OAuth for this with these definitions:
>
> resource owner: system manufacturer
> client: any user of the API (could be application specific but not required)
> resource: data flowing over the API being authorized
>
> Could the system manufacturer authorize clients on non-internet
> connected BMCs?
>
> Is there a better way to go about this?
>
> Does anyone have any experience with something like this? I would love
> to be pointed to further reading, code, or just your thoughts in general.
>
> thx - Brad
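One shape the offline manufacturer authorization asked about above could take, as an added example and not OpenBMC or bmcweb code: the manufacturer signs a grant naming the client, the BMC serial, the exact locked-out methods and an expiry, and the BMC checks it with only an embedded manufacturer public key, so no internet connection is involved. Go is used because its standard library has ed25519; the Grant fields and the method names are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"time"
)

// Grant is the manufacturer-issued authorization (constructed field names):
// which client may call which locked-out methods on which BMC, until when.
type Grant struct {
	Client  string   `json:"client"`
	Serial  string   `json:"serial"`  // binds the grant to one BMC
	Methods []string `json:"methods"` // exact method names allowed
	Expires int64    `json:"expires"` // unix seconds
}

// canonical is the exact byte string that is signed and later verified.
func canonical(g Grant) []byte {
	b, _ := json.Marshal(g) // cannot fail for these field types
	return b
}

// Issue runs at the manufacturer; the private key never reaches the BMC.
func Issue(priv ed25519.PrivateKey, g Grant) []byte {
	return ed25519.Sign(priv, canonical(g))
}

// Authorize runs on the BMC with only the embedded manufacturer public key,
// so it needs no internet access: may this grant call method here, now?
func Authorize(pub ed25519.PublicKey, g Grant, sig []byte, serial, method string, now time.Time) error {
	if !ed25519.Verify(pub, canonical(g), sig) {
		return errors.New("signature invalid: altered or not issued by manufacturer")
	}
	if g.Serial != serial {
		return errors.New("grant bound to a different BMC")
	}
	if !now.Before(time.Unix(g.Expires, 0)) {
		return errors.New("grant expired")
	}
	for _, m := range g.Methods {
		if m == method {
			return nil
		}
	}
	return errors.New("method not covered by grant")
}

func main() {} // entry point only; Issue and Authorize are the API shown here
```

A role-based check (the administrator's) would still run alongside Authorize; this grant only unlocks the methods the manufacturer listed.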