Verify Privilege For Different Channels in openbmc-test-automation
Thomaiyar, Richard Marian
richard.marian.thomaiyar at linux.intel.com
Tue Jan 21 15:59:02 AEDT 2020
Hi Tony / Rahul,
1. sel info 1 (I don't think sel info can get a channel number, as SEL is not based on channel numbers)

2. user list can be queried through channel number, i.e. "user list 1" will query user privileges as per channel number 1 and "user list 3" will query user privileges as per channel number 3. But it doesn't determine the incoming channel number.

i.e. if a system has 2 LAN channels, then the LAN channel privilege is based on the IP address of those channels. Say channel 1 has IP x.y.z.1 and channel 3 has IP x.y.z.3, and channel 3 is with NoAccess; then executing the following commands will pass:

ipmitool -I lanplus -H x.y.z.1 -U root -P 0penBmc user list 1
ipmitool -I lanplus -H x.y.z.1 -U root -P 0penBmc user list 3

The following command executions will fail:

ipmitool -I lanplus -H x.y.z.3 -U root -P 0penBmc user list 1 --> will fail if channel 3 is with NoAccess privilege for user root
ipmitool -I lanplus -H x.y.z.3 -U root -P 0penBmc user list 1 --> will fail if channel 3 is with NoAccess privilege for user root

Please update the test case accordingly.

Regards,
Richard
On 1/21/2020 8:39 AM, Tony Lee (李文富) wrote:
>> Are you saying that with NoAccess for channel x, you are able to get the IPMI
>> response?
> Yes.
>
>> please note: -H x.x.x.x determines, which channel you are trying to
>> communicate. Try the other IP address (because not sure, which channel is
>> configured to what IP).
> This is as I expected!
> However, please look at the cases "Verify Administrator And No Access Privilege For Different Channels"
> and "Verify Operator And User Privilege For Different Channels" in test_ipmi_user.robot.
> For example: case "Verify Administrator And No Access Privilege For Different Channels" at the last two "Verify" steps:
> '''
> # Verify that user is able to run administrator level IPMI command with channel 1.
> Verify IPMI Command    ${random_username}    ${valid_password}    Administrator    1
>
> # Verify that user is unable to run IPMI command with channel 2.
> Run IPMI Standard Command    sel info 2    expected_rc=${1}    U=${random_username}    P=${valid_password}
> '''
>
> In this case, first, there is only one IP address.
> Second, I can't find a description or spec about a command like
> "ipmitool -I lanplus -C 3 -p 623 -U YmRBwDUS -P 0penBmc1 -H x.x.x.x -L Administrator sel info 1"
> which means the user is able to run an IPMI command with channel 1.
>
> If the method for out-of-band communication using different channels is the same as you described,
> do we need to fix these two cases?
>
>> Regards,
>>
>> Richard
>>