User management via WebUI vs ipmitool
Thomaiyar, Richard Marian
richard.marian.thomaiyar at linux.intel.com
Fri Sep 27 03:49:21 AEST 2019
Yes, this is a known problem, and there are changes under review which
will fix the same as well. If I remember correctly, there should be an
issue already for this.
Issue: NoAccess is not in Redfish roles, and hence AccountService will
not be able to get users with that privilege.
The following changes under review will fix the same.
1. https://gerrit.openbmc-project.xyz/#/c/openbmc/bmcweb/+/23962/
2. https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-user-manager/+/24784/
regards,
Richard
On 9/26/2019 3:02 PM, Rahul Maheshwari wrote:
> Gunnar
> I tested and found that this problem is only seen when we don't assign
> a privilege to the user after creating it using IPMItool. See the steps
> below for more details.
>
> Steps to hit the problem and fix it up.
> 1. Create an IPMI user using the below command
> ipmitool -I lanplus -H <BMC_IP> -U root -P 0penBmc user set name 2 user_ipmi
>
> 2. Log in to the GUI and navigate to the user account page (here you will
> see a "no user exist" message in the GUI's user page)
>
> 3. Now assign any privilege to the user using the below command
> ipmitool -I lanplus -H <BMC_IP> -U root -P 0penBmc channel setaccess 1 2 privilege=2
>
> 4. Now refresh the GUI user page (here you will see that all users are
> visible now).
>
> This problem is not with Redfish as we are able to see all users
> after creating a user using IPMI without any permission. So this seems
> like a problem which needs to be fixed from the GUI side.
>
> $ curl -k -H "X-Auth-Token: $bmc_token" -X GET https://${BMC_IP}/redfish/v1/AccountService/Accounts/
> {
>   "@odata.context": "/redfish/v1/$metadata#ManagerAccountCollection.ManagerAccountCollection",
>   "@odata.id": "/redfish/v1/AccountService/Accounts",
>   "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
>   "Description": "BMC User Accounts",
>   "Members": [
>     {
>       "@odata.id": "/redfish/v1/AccountService/Accounts/user_ipmi"
>     },
>     {
>       "@odata.id": "/redfish/v1/AccountService/Accounts/root"
>     }
>   ],
>   "Members@odata.count": 2,
>   "Name": "Accounts Collection"
>
> Thanks
> Rahul
>
> On Thu, Sep 26, 2019 at 3:13 AM Gunnar Mills
> <gmills at linux.vnet.ibm.com> wrote:
>
>
> On 9/25/2019 5:20 AM, rgrs wrote:
>>
>> Is there any difference in user management from WebUI and ipmitool?
>> When I add user via WebUI, a user is created and deleted
>> immediately. Not sure why.
>
> The WebUI uses the Redfish API to create/update/delete users.
> https://github.com/openbmc/phosphor-webui/blob/418db63c77aad03fe3401c7acd9f9792fab96a68/app/common/services/api-utils.js#L616
>
> Ratan or Richard do you know what is going on here?
>
>> When I add user via IPMItool, users are getting added but WebUI
>> user configuration page is blank.
>
> I thought IPMI and Redfish users were treated the same in
> phosphor-user-manager.
>
> What version of OpenBMC?
>
>>
>> *_Logs:_*
>> *journalctl (User creation with WebUI):*
>> Sep 25 09:17:52 mybmc nslcd[1127]: [200854] <passwd="TestUser"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
>> Sep 25 09:17:52 mybmc nslcd[1127]: [b127f8] <passwd=1000> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
>> Sep 25 09:17:52 mybmc useradd[1816]: new user: name=TestUser, UID=1000, GID=100, home=/home/TestUser, shell=/bin/sh
>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to group 'web'
>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to group 'redfish'
>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to group 'priv-admin'
>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to group 'ipmi'
>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to shadow group 'web'
>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to shadow group 'redfish'
>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to shadow group 'priv-admin'
>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to shadow group 'ipmi'
>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitored file `/etc/passwd` was written to
>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitored file `/etc/passwd` was moved into place, adding watch
>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitored file `/etc/group` was written to
>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitored file `/etc/group` was moved into place, adding watch
>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring file `/etc/passwd` (27)
>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring file `/etc/group` (28)
>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring file `/etc/passwd` (27)
>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring file `/etc/group` (28)
>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>> Sep 25 09:17:52 mybmc phosphor-user-manager[1119]: User created successfully
>> Sep 25 09:17:53 mybmc userdel[1822]: delete user 'TestUser'
>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from group 'web'
>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from group 'redfish'
>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from group 'priv-admin'
>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from group 'ipmi'
>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from shadow group 'web'
>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from shadow group 'redfish'
>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from shadow group 'priv-admin'
>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from shadow group 'ipmi'
>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitored file `/etc/passwd` was written to
>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitored file `/etc/passwd` was moved into place, adding watch
>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitored file `/etc/group` was written to
>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitored file `/etc/group` was moved into place, adding watch
>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring file `/etc/passwd` (29)
>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring file `/etc/group` (30)
>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring file `/etc/passwd` (29)
>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring file `/etc/group` (30)
>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>> Sep 25 09:17:53 mybmc phosphor-user-manager[1119]: User deleted successfully
>>
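
The thread reports two conditions worth watching on a BMC: an account created and removed within a second (the journal excerpt above) and an account that exists with no privilege assigned. As an added example, not part of the original thread and not OpenBMC code, this Python check scans journal lines of the quoted shape for both. Assumptions: the 5-second window, the `year` argument, the constructed `user_ipmi` and `operator1` lines, and that a no-privilege account appears without any `priv-*` group.

```python
import re
from datetime import datetime

# Line shapes follow the useradd/userdel entries in the quoted journal excerpt.
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=([^,\s]+)")
ADD_GROUP = re.compile(r"useradd\[\d+\]: add '([^']+)' to group '([^']+)'")
DEL_USER = re.compile(r"userdel\[\d+\]: delete user '([^']+)'")

def audit_journal(lines, window_seconds=5, year=2019):
    """Return (short_lived, no_privilege) account names found in the lines."""
    created, groups, short_lived = {}, {}, []
    for line in lines:
        try:  # syslog stamps carry no year; 'year' is an assumed parameter
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # continuation or non-syslog line
        if m := NEW_USER.search(line):
            created[m.group(1)], groups[m.group(1)] = ts, set()
        elif m := ADD_GROUP.search(line):
            groups.setdefault(m.group(1), set()).add(m.group(2))
        elif m := DEL_USER.search(line):
            born = created.pop(m.group(1), None)
            groups.pop(m.group(1), None)
            if born and (ts - born).total_seconds() <= window_seconds:
                short_lived.append(m.group(1))
    # Assumption: a NoAccess account is one left without any priv-* group.
    no_privilege = sorted(
        name for name in created
        if not any(g.startswith("priv-") for g in groups.get(name, ())))
    return short_lived, no_privilege

# Constructed sample: TestUser lines mirror the thread's excerpt (unwrapped);
# the user_ipmi and operator1 lines are invented for illustration.
SAMPLE = [
    "Sep 25 09:17:52 mybmc useradd[1816]: new user: name=TestUser, UID=1000, GID=100, home=/home/TestUser, shell=/bin/sh",
    "Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to group 'priv-admin'",
    "Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to group 'ipmi'",
    "Sep 25 09:17:53 mybmc userdel[1822]: delete user 'TestUser'",
    "Sep 25 09:20:01 mybmc useradd[1900]: new user: name=user_ipmi, UID=1001, GID=100, home=/home/user_ipmi, shell=/bin/sh",
    "Sep 25 09:20:01 mybmc useradd[1900]: add 'user_ipmi' to group 'ipmi'",
    "Sep 25 09:21:10 mybmc useradd[1950]: new user: name=operator1, UID=1002, GID=100, home=/home/operator1, shell=/bin/sh",
    "Sep 25 09:21:10 mybmc useradd[1950]: add 'operator1' to group 'priv-operator'",
]

if __name__ == "__main__":
    print(audit_journal(SAMPLE))
```

Journal lines must be unwrapped (one entry per line) before they are passed in; wrapped continuation lines are skipped because they carry no timestamp.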