Implement the Redfish PasswordChangeRequired property

Joseph Reynolds jrey at linux.ibm.com
Tue Feb 18 08:09:26 AEDT 2020


This proposes implementing the Redfish [PasswordChangeRequired 
property][] and an underlying D-Bus PasswordExpired property.

These would be incremental changes to [OpenBMC user management][] and 
affect:
  - [phosphor-user-manager][]
  - [openbmc_project User D-Bus interfaces][]
  - [BMCWeb Redfish ManagerAccount REST APIs][]

[PasswordChangeRequired property]: 
https://www.dmtf.org/sites/default/files/standards/documents/DSP0266_1.9.0.pdf
[OpenBMC user management]: 
https://github.com/openbmc/docs/blob/master/architecture/user_management.md
[phosphor-user-manager]: https://github.com/openbmc/phosphor-user-manager
[openbmc_project User D-Bus interfaces]: 
https://github.com/openbmc/phosphor-dbus-interfaces/tree/master/xyz/openbmc_project/User
[BMCWeb Redfish ManagerAccount REST APIs]: 
https://github.com/openbmc/bmcweb/blob/master/redfish-core/lib/account_service.hpp

When this is merged, the PasswordChangeRequired property could be used 
as follows:
- The BMC admin can determine (via REST APIs) which local accounts have 
expired passwords.
- We can implement the [expired-password design][], which requires this 
property per the [expired-password code review][].
- We can add this field to the webui user-management page.

[expired-password design]: 
https://github.com/openbmc/docs/blob/master/designs/expired-password.md
[expired-password code review]: 
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/29136


Detailed design changes:

1. Add a new PasswordExpired property to the existing [D-Bus 
xyz.openbmc_project.User.Attributes interface][] to indicate if the 
password is expired.

[D-Bus xyz.openbmc_project.User.Attributes interface]: 
https://github.com/openbmc/phosphor-dbus-interfaces/blob/master/xyz/openbmc_project/User/Attributes.interface.yaml

2. Update [phosphor-user-manager][] to implement this property for local 
users.
Reading can use something like the "chage --list" command.
I vote to make this property read-only, but if needed, writing a true 
value can invoke the "passwd --expire" command.

3. Implement the Redfish PasswordChangeRequired property in BMCWeb.
This would be read-only.
This affects existing Redfish ManagerAccount objects at URI 
/redfish/v1/AccountService/Accounts/SOMEUSER.
This property would be present for local accounts and omitted for LDAP 
accounts.

4. Update the [OpenBMC user management][] doc as needed.

- Joseph
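
As an added illustration of steps 1 through 3 above (this is example code written for this page, not code from phosphor-user-manager or bmcweb), the script below models the whole path: it parses constructed /etc/shadow lines, derives the proposed D-Bus PasswordExpired value from the same shadow(5) state that "chage --list" reports and "passwd --expire" sets (a last-change day of 0 means the password must be changed at next login), models the optional write path as the effect of "passwd --expire", and emits a simplified ManagerAccount body in which PasswordChangeRequired is present only for local accounts. The ManagerAccount shape, the field names, the sample accounts, the "today" value and the exact expiry rule are assumptions of the example.

```python
"""Standalone model of the proposed PasswordExpired -> PasswordChangeRequired flow.

Added example, not code from phosphor-user-manager or bmcweb.  It mirrors the
shadow(5) state that "chage --list" reports and "passwd --expire" sets
(last-change day 0 == password must be changed) and shows a simplified
Redfish ManagerAccount body with PasswordChangeRequired present only for
local accounts.  All shadow lines and account names are constructed sample data.
"""
import json
from dataclasses import dataclass
from typing import Dict, List

# chage treats a maximum password age of 10000 days or more as "never".
CHAGE_NEVER_DAYS = 10000


@dataclass
class ShadowEntry:
    name: str
    lastchg: int  # days since 1970-01-01; 0 = must change; -1 when the field is empty
    maxdays: int  # maximum password age in days; -1 when the field is empty


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one /etc/shadow line: name:hash:lastchg:min:max:warn:inact:expire:flag."""
    fields = line.strip().split(":")
    if len(fields) != 9:
        raise ValueError(f"malformed shadow entry: {line!r}")

    def field(value: str) -> int:
        return int(value) if value else -1

    return ShadowEntry(name=fields[0], lastchg=field(fields[2]), maxdays=field(fields[4]))


def load_shadow(text: str) -> Dict[str, ShadowEntry]:
    entries = [parse_shadow_line(line) for line in text.splitlines() if line.strip()]
    return {entry.name: entry for entry in entries}


def password_expired(entry: ShadowEntry, today: int) -> bool:
    """Proposed D-Bus PasswordExpired value for a local user.

    True when passwd --expire (equivalently chage -d 0) has zeroed the
    last-change day, or when the password is older than its maximum age.
    An empty last-change field (-1) carries no ageing information and is
    treated as not expired here; that choice is an assumption of this example.
    """
    if entry.lastchg == 0:
        return True
    if entry.lastchg < 0 or entry.maxdays < 0 or entry.maxdays >= CHAGE_NEVER_DAYS:
        return False
    return today - entry.lastchg > entry.maxdays


def expire_password(entry: ShadowEntry) -> ShadowEntry:
    """Effect of writing PasswordExpired=true, i.e. what passwd --expire does."""
    return ShadowEntry(name=entry.name, lastchg=0, maxdays=entry.maxdays)


def manager_account(username: str, local: bool,
                    shadow: Dict[str, ShadowEntry], today: int) -> dict:
    """Simplified, hypothetical ManagerAccount body for
    /redfish/v1/AccountService/Accounts/<username>.

    PasswordChangeRequired is read-only and only appears for local accounts;
    LDAP accounts have no shadow entry, so the property is omitted.
    """
    body = {
        "@odata.id": f"/redfish/v1/AccountService/Accounts/{username}",
        "Id": username,
        "UserName": username,
    }
    if local:
        body["PasswordChangeRequired"] = password_expired(shadow[username], today)
    return body


def accounts_with_expired_passwords(shadow_text: str, today: int) -> List[str]:
    """What a BMC admin would learn by walking the Accounts collection."""
    shadow = load_shadow(shadow_text)
    return sorted(name for name, entry in shadow.items() if password_expired(entry, today))


# Constructed sample data: one fresh account, one forced to change by
# passwd --expire, one whose 90-day maximum age has passed.
SAMPLE_SHADOW = """\
root:$6$abc:18200:0:99999:7:::
fresh:$6$def:0:0:99999:7:::
stale:$6$ghi:18000:0:90:7:::
"""
TODAY = 18310  # constructed "today" in days since the epoch (February 2020)

if __name__ == "__main__":
    shadow = load_shadow(SAMPLE_SHADOW)
    for name in ("root", "fresh", "stale"):
        print(json.dumps(manager_account(name, True, shadow, TODAY)))
    # LDAP account: no shadow entry, property omitted.
    print(json.dumps(manager_account("ldapuser", False, shadow, TODAY)))
    print("expired:", accounts_with_expired_passwords(SAMPLE_SHADOW, TODAY))
```

On a real BMC the source of truth is the output of "chage --list" for the user rather than a parsed shadow file, and the write path, if it is kept at all, would be "passwd --expire"; the sample lines above only reproduce the state those commands read and set.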
