User management via WebUI vs ipmitool

rgrs rgrs at protonmail.com
Fri Sep 27 21:24:08 AEST 2019 

Thanks for the update :)
will follow those links.

Thanks,
Raj

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, September 26, 2019 11:19 PM, Thomaiyar, Richard Marian <richard.marian.thomaiyar at linux.intel.com> wrote:

> yes, this is known problem, and there are changes under review which will fix the same as well. If i remember correctly, there should be an issue already for this.
>
> Issue: NoAccess is not in Redfish roles, and hence AccountService will not be able to get users with that privilege.
>
> Following changes under review will fix the same.
>
> 1. https://gerrit.openbmc-project.xyz/#/c/openbmc/bmcweb/+/23962/
>
> 2.https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-user-manager/+/24784/
>
> regards,
>
> Richard
>
> On 9/26/2019 3:02 PM, Rahul Maheshwari wrote:
>
>> Gunnar
>> I tested and found that this problem is only seen when we don't assign privilege to user after creating using IPMItool. See below steps for more details.
>>
>> Step to hit the problem and fix it up.
>> 1. Create IPMI user using below command
>>  ipmitool -I lanplus -H <BMC_IP> -U root -P 0penBmc user set name 2 user_ipmi
>>
>> 2. Login to GUI and navigate to user account page(here you will see no user exist message in GUI's user page)
>>
>> 3. Now assign any privilege to user using below command
>>  ipmitool -I lanplus -H <BMC_IP> -U root -P 0penBmc channel setaccess 1 2 privilege=2
>>
>> 4. Now refresh the GUI user page(here you will see that all users are visible now).
>>
>> This problem is not with Redfish as we are able to see all users after creating user using IPMI without any permission. So this seem like a problem which need to be fixed from GUI side.
>>
>> $ curl -k -H "X-Auth-Token: $bmc_token" -X GET https://${BMC_IP}/redfish/v1/AccountService/Accounts/
>> {
>>   "@odata.context": "/redfish/v1/$metadata#ManagerAccountCollection.ManagerAccountCollection",
>>   "@odata.id": "/redfish/v1/AccountService/Accounts",
>>   "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
>>   "Description": "BMC User Accounts",
>>   "Members": [
>>     {
>>       "@odata.id": "/redfish/v1/AccountService/Accounts/user_ipmi"
>>     },
>>     {
>>       "@odata.id": "/redfish/v1/AccountService/Accounts/root"
>>     }
>>   ],
>>   ["Members at odata.count"](mailto:Members at odata.count): 2,
>>   "Name": "Accounts Collection"
>>
>> Thanks
>> Rahul
>>
>> On Thu, Sep 26, 2019 at 3:13 AM Gunnar Mills <gmills at linux.vnet.ibm.com> wrote:
>>
>>> On 9/25/2019 5:20 AM, rgrs wrote:
>>>
>>>> Is there any difference in user management from WebUI and ipmitool?
>>>> When I add user via WebUI, a user is created and deleted immediately. Not sure why.
>>>
>>> The WebUI uses the Redfish API to create/update/delete users.
>>> https://github.com/openbmc/phosphor-webui/blob/418db63c77aad03fe3401c7acd9f9792fab96a68/app/common/services/api-utils.js#L616
>>>
>>>  Ratan or Richard do you know what is going on here?
>>>
>>>> When I add user via IPMItool, users are getting added but WebUI user configuration page is blank.
>>>
>>> I thought IPMI and Redfish users were treated the same in phosphor-user-manager.
>>>
>>> What version of OpenBMC?
>>>
>>>> Logs:
>>>> journalctl (User creation with WebUI):
>>>> Sep 25 09:17:52 mybmc nslcd[1127]: [200854] <passwd="TestUser"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
>>>> Sep 25 09:17:52 mybmc nslcd[1127]: [b127f8] <passwd=1000> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
>>>> Sep 25 09:17:52 mybmc useradd[1816]: new user: name=TestUser, UID=1000, GID=100, home=/home/TestUser, shell=/bin/sh
>>>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to group 'web'
>>>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to group 'redfish'
>>>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to group 'priv-admin'
>>>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to group 'ipmi'
>>>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to shadow group 'web'
>>>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to shadow group 'redfish'
>>>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to shadow group 'priv-admin'
>>>> Sep 25 09:17:52 mybmc useradd[1816]: add 'TestUser' to shadow group 'ipmi'
>>>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitored file `/etc/passwd` was written to
>>>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitored file `/etc/passwd` was moved into place, adding watch
>>>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitored file `/etc/group` was written to
>>>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitored file `/etc/group` was moved into place, adding watch
>>>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring file `/etc/passwd` (27)
>>>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>>>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring file `/etc/group` (28)
>>>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>>>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring file `/etc/passwd` (27)
>>>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>>>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring file `/etc/group` (28)
>>>> Sep 25 09:17:52 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>>>> Sep 25 09:17:52 mybmc phosphor-user-manager[1119]: User created successfully
>>>> Sep 25 09:17:53 mybmc userdel[1822]: delete user 'TestUser'
>>>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from group 'web'
>>>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from group 'redfish'
>>>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from group 'priv-admin'
>>>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from group 'ipmi'
>>>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from shadow group 'web'
>>>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from shadow group 'redfish'
>>>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from shadow group 'priv-admin'
>>>> Sep 25 09:17:53 mybmc userdel[1822]: delete 'TestUser' from shadow group 'ipmi'
>>>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitored file `/etc/passwd` was written to
>>>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitored file `/etc/passwd` was moved into place, adding watch
>>>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitored file `/etc/group` was written to
>>>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitored file `/etc/group` was moved into place, adding watch
>>>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring file `/etc/passwd` (29)
>>>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>>>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring file `/etc/group` (30)
>>>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>>>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring file `/etc/passwd` (29)
>>>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>>>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring file `/etc/group` (30)
>>>> Sep 25 09:17:53 mybmc nscd[1092]: 1092 monitoring directory `/etc` (2)
>>>> Sep 25 09:17:53 mybmc phosphor-user-manager[1119]: User deleted successfully
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ozlabs.org/pipermail/openbmc/attachments/20190927/083b11d7/attachment-0001.htm>

More information about the openbmc mailing list