User management via WebUI vs ipmitool

Thomaiyar, Richard Marian richard.marian.thomaiyar at linux.intel.com
Fri Sep 27 03:49:21 AEST 2019


Yes, this is a known problem, and there are changes under review which 
will fix the same as well. If I remember correctly, there should be an 
issue already for this.

Issue: NoAccess is not in Redfish roles, and hence AccountService will 
not be able to get users with that privilege.

The following changes under review will fix the same.

1. https://gerrit.openbmc-project.xyz/#/c/openbmc/bmcweb/+/23962/

2. https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-user-manager/+/24784/

regards,

Richard

On 9/26/2019 3:02 PM, Rahul Maheshwari wrote:
> Gunnar
> I tested and found that this problem is only seen when we don't assign 
> a privilege to the user after creating it using IPMItool. See the steps 
> below for more details.
>
> Steps to hit the problem and fix it up.
> 1. Create an IPMI user using the below command
>  ipmitool -I lanplus -H <BMC_IP> -U root -P 0penBmc user set name 2 user_ipmi
>
> 2. Log in to the GUI and navigate to the user account page (here you will 
> see a "no user exist" message in the GUI's user page)
>
> 3. Now assign any privilege to the user using the below command
>  ipmitool -I lanplus -H <BMC_IP> -U root -P 0penBmc channel setaccess 1 2 privilege=2
>
> 4. Now refresh the GUI user page (here you will see that all users are 
> visible now).
>
> This problem is not with Redfish, as we are able to see all users 
> after creating a user using IPMI without any permission. So this seems 
> like a problem which needs to be fixed from the GUI side.
>
> $ curl -k -H "X-Auth-Token: $bmc_token" -X GET https://${BMC_IP}/redfish/v1/AccountService/Accounts/
> {
>   "@odata.context": "/redfish/v1/$metadata#ManagerAccountCollection.ManagerAccountCollection",
>   "@odata.id": "/redfish/v1/AccountService/Accounts",
>   "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
>   "Description": "BMC User Accounts",
>   "Members": [
>     {
>       "@odata.id": "/redfish/v1/AccountService/Accounts/user_ipmi"
>     },
>     {
>       "@odata.id": "/redfish/v1/AccountService/Accounts/root"
>     }
>   ],
>   "Members@odata.count": 2,
>   "Name": "Accounts Collection"
>
> Thanks
> Rahul
>
> On Thu, Sep 26, 2019 at 3:13 AM Gunnar Mills <gmills at linux.vnet.ibm.com> wrote:
>
>
>     On 9/25/2019 5:20 AM, rgrs wrote:
>>
>>     Is there any difference in user management from WebUI and ipmitool?
>>     When I add user via WebUI, a user is created and deleted
>>     immediately. Not sure why.
>
>     The WebUI uses the Redfish API to create/update/delete users.
>     https://github.com/openbmc/phosphor-webui/blob/418db63c77aad03fe3401c7acd9f9792fab96a68/app/common/services/api-utils.js#L616
>
>      Ratan or Richard, do you know what is going on here?
>
>>     When I add user via IPMItool, users are getting added but WebUI
>>     user configuration page is blank.
>
>     I thought IPMI and Redfish users were treated the same in
>     phosphor-user-manager.
>
>     What version of OpenBMC?
>
>>
>>     *_Logs:_*
>>     *journalctl (User creation with WebUI):*
>>     Sep 25 09:17:52 mybmc nslcd[1127]: [200854] <passwd="TestUser">
>>     no available LDAP server found: Server is unavailable: Transport
>>     endpoint is not connected
>>     Sep 25 09:17:52 mybmc nslcd[1127]: [b127f8] <passwd=1000> no
>>     available LDAP server found: Server is unavailable: Transport
>>     endpoint is not connected
>>     Sep 25 09:17:52 mybmc useradd[1816]: new user: name=TestUser,
>>     UID=1000, GID=100, home=/home/TestUser, shell=/bin/sh
>>     Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to group 'web'
>>     Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to group
>>     'redfish'
>>     Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to group
>>     'priv-admin'
>>     Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to group 'ipmi'
>>     Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to shadow
>>     group 'web'
>>     Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to shadow
>>     group 'redfish'
>>     Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to shadow
>>     group 'priv-admin'
>>     Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to shadow
>>     group 'ipmi'
>>     Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitored file
>>     `/etc/passwd` was written to
>>     Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitored file
>>     `/etc/passwd` was moved into place, adding watch
>>     Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitored file
>>     `/etc/group` was written to
>>     Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitored file
>>     `/etc/group` was moved into place, adding watch
>>     Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring file
>>     `/etc/passwd` (27)
>>     Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring directory
>>     `/etc` (2)
>>     Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring file
>>     `/etc/group` (28)
>>     Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring directory
>>     `/etc` (2)
>>     Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring file
>>     `/etc/passwd` (27)
>>     Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring directory
>>     `/etc` (2)
>>     Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring file
>>     `/etc/group` (28)
>>     Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring directory
>>     `/etc` (2)
>>     Sep 25 09:17:52 mybmc phosphor-user-manager[1119]: User created
>>     successfully
>>     Sep 25 09:17:53 mybmc userdel[1822]: delete user 'TestUser'
>>     Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from group
>>     'web'
>>     Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from group
>>     'redfish'
>>     Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from group
>>     'priv-admin'
>>     Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from group
>>     'ipmi'
>>     Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from
>>     shadow group 'web'
>>     Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from
>>     shadow group 'redfish'
>>     Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from
>>     shadow group 'priv-admin'
>>     Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from
>>     shadow group 'ipmi'
>>     Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitored file
>>     `/etc/passwd` was written to
>>     Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitored file
>>     `/etc/passwd` was moved into place, adding watch
>>     Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitored file
>>     `/etc/group` was written to
>>     Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitored file
>>     `/etc/group` was moved into place, adding watch
>>     Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring file
>>     `/etc/passwd` (29)
>>     Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring directory
>>     `/etc` (2)
>>     Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring file
>>     `/etc/group` (30)
>>     Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring directory
>>     `/etc` (2)
>>     Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring file
>>     `/etc/passwd` (29)
>>     Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring directory
>>     `/etc` (2)
>>     Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring file
>>     `/etc/group` (30)
>>     Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring directory
>>     `/etc` (2)
>>     Sep 25 09:17:53 mybmc phosphor-user-manager[1119]: User deleted
>>     successfully
>>
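
Added example (not part of the original thread and not OpenBMC code): a cross-check between the IPMI user table and the Redfish account collection, which surfaces the kind of mismatch discussed above, where an account exists on one interface but is not listed on another. Both sample inputs are constructed, and the `ipmitool user list` column layout matched by the regex is an assumption.

```python
import json
import re

# Constructed sample of `ipmitool user list 1` output (not captured from a real BMC).
IPMI_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1   root             false   true       true       ADMINISTRATOR
2   user_ipmi        true    false      false      NO ACCESS
3                    true    false      false      NO ACCESS
"""

# Constructed Redfish Accounts collection, same shape as the response in the thread.
REDFISH_ACCOUNTS = json.dumps({
    "Members": [{"@odata.id": "/redfish/v1/AccountService/Accounts/root"}],
    "Members@odata.count": 1,
})

# Assumed row layout: id, optional name, three booleans, privilege limit.
ROW = re.compile(
    r"^(\d+)\s+(?:(\S+)\s+)?(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$"
)

def parse_ipmi_users(text):
    """Return {username: privilege} for named IPMI user slots."""
    users = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(2):  # skip the header and unnamed (empty) slots
            users[m.group(2)] = m.group(6)
    return users

def parse_redfish_users(body):
    """Return the set of usernames from the collection's member URIs."""
    members = json.loads(body).get("Members", [])
    return {m["@odata.id"].rstrip("/").rsplit("/", 1)[-1] for m in members}

def audit(ipmi_text, redfish_body):
    """Report accounts without a privilege and accounts seen on one side only."""
    ipmi = parse_ipmi_users(ipmi_text)
    redfish = parse_redfish_users(redfish_body)
    return {
        "no_access": sorted(u for u, p in ipmi.items() if p == "NO ACCESS"),
        "ipmi_only": sorted(set(ipmi) - redfish),
        "redfish_only": sorted(redfish - set(ipmi)),
    }

if __name__ == "__main__":
    for finding, names in audit(IPMI_USER_LIST, REDFISH_ACCOUNTS).items():
        print(finding, names)
```
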