Proposal add PerformService privilege

Ed Tanous ed at tanous.net
Thu Dec 10 05:25:05 AEDT 2020 

On Fri, Dec 4, 2020 at 12:13 PM Joseph Reynolds <jrey at linux.ibm.com> wrote:
>
> This is a proposal to add an OemOpenBMCPerformService privilege to BMCWeb.
>
> See https://redfishforum.com/thread/397/redfish-direction-update-eeproms
> As mentioned in the Redfish forum thread, the use case is that some
> OpenBMC use cases require isolating manufacturing and service functions
> away from the customer/admin (including updating FRU serial numbers, and
> updating a permanent MAC address), and this is a Redfish compatible way
> to do it.
>
> The work items would be like:
> - Add this OEM privilege to the base BMCWeb implementation.

Can you talk through how you would do this mechanically?  Today, we
rely on privilege registry (published from DMTF) to guide these roles
and urls.  Now that you've invented a new role, how do you plan on
fitting that in?  Will it be required for all systems?  Will it be
optional?  Will it only apply to OEM schemas?

> - Identify URIs that we need to be able to isolate away from
> customer/admins.  Then modify the privilege mapping to require this
> privilege to PUT to those URIs.

What URLs have what privileges is already defined by DMTF in the base
privilege registry.  What you're talking about would require a
customizable privilege registry, which definitely needs some
significant thought, as the current privileges mechanisms in bmcweb
are very static today.  Just "customizable privileges registry" is
probably a design on its own, and would likely need to land before
adding OEM privilege levels.

> - Add this privilege to the Administrator role (but not Operator or
> ReadOnly).

If we're adding this privilege to the Administrator role, how does it
differ from ConfigureManager role?

> - Document how to isolate these operations.  Specifically, remove this
> privilege from Administrator, and create a custom OEM role that has this
> privilege
>
> What do you think?

I think we've got a couple designs that would need to land ahead of
this before we'd have the infrastructure and documentation to build
something like this.


The designs I see coming before this are:
Static PrivilegeRegistry implementation
modifiable/dynamic Per-URI privilege registry implementation
modifiable/dynamic Per-property privilege registry implementation
OemOpenBMCPerformService registry added.

> - Joseph
>

More information about the openbmc mailing list