Verify Privilege For Different Channels in openbmc-test-automation

Thomaiyar, Richard Marian richard.marian.thomaiyar at linux.intel.com
Tue Jan 21 15:59:02 AEDT 2020


Hi Tony / Rahul,

1. sel info 1  (I don't think sel info can get channel number, as sel is 
not based on channel numbers)

2. user list can be queried through channel number i.e. "user list 1" 
will query user privileges as per channel number 1 and "user list 3" 
will query user privileges as per channel number 3. But it doesn't 
determine the incoming channel number.

i.e. if a system is having 2 LAN Channels, then LAN channel privilege is 
based on the IP address of those channels

say channel 1 is having IP x.y.z.1 & channel 3 is having IP x.y.z.3  and 
channel 3 is with NoAccess

then executing the following commands will pass

ipmitool -I lanplus -H x.y.z.1 -U root -P 0penBmc user list 1

ipmitool -I lanplus -H x.y.z.1 -U root -P 0penBmc user list 3

Executing the following commands will fail

ipmitool -I lanplus -H x.y.z.3 -U root -P 0penBmc user list 1 --> will 
fail if channel 3 is with NoAccess privilege for user root

ipmitool -I lanplus -H x.y.z.3 -U root -P 0penBmc user list 1 --> will 
fail if channel 3 is with NoAccess privilege for user root

Please update the test case accordingly.

Regards,

Richard

On 1/21/2020 8:39 AM, Tony Lee (李文富) wrote:
>> Are you saying that with NoAccess for channel x, you are able to get the IPMI
>> response.
> Yes.
>
>> please note: -H x.x.x.x  determines, which channel you are trying to
>> communicate. Try the other IP address (because not sure, which channel is
>> configured to what IP).
> This is as I expected!
> However, please look at the cases "Verify Administrator And No Access Privilege For Different Channels"
> and "Verify Operator And User Privilege For Different Channels" in test_ipmi_user.robot.
> For example: case "Verify Administrator And No Access Privilege For Different Channels" at the last two "Verify" steps:
> '''
> # Verify that user is able to run administrator level IPMI command with channel 1.
> Verify IPMI Command  ${random_username}  ${valid_password}  Administrator  1
>
> # Verify that user is unable to run IPMI command with channel 2.
> Run IPMI Standard Command  sel info 2  expected_rc=${1}  U=${random_username}  P=${valid_password}
> '''
>
> In this case, first, there is only one IP address.
> second, I can't find a description or SPEC about command like
> "ipmitool -I lanplus -C 3 -p 623 -U YmRBwDUS -P 0penBmc1 -H x.x.x.x -L Administrator sel info 1"
> which means user is able to run IPMI command with channel 1.
>
> If the method for out-of-band communication using different channels is the same as you described,
> do we need to fix these two cases?
>
>> Regards,
>>
>> Richard
>>
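
Added example, not part of the original message or of openbmc-test-automation: a small Python model of the rule described above, where the -H address selects the incoming channel and the number after "user list" only selects which table is read. The channel 1 privilege, the <password> placeholder and all function names are assumptions made for illustration.

```python
# Added illustration. Channel numbers, the x.y.z.N placeholder hosts and the
# NoAccess setting on channel 3 come from the message; the rest is constructed.
from itertools import product

# Which LAN channel owns which BMC IP address (placeholders from the thread).
CHANNEL_BY_HOST = {"x.y.z.1": 1, "x.y.z.3": 3}
# Per-channel privilege limit for user root (channel 1 value is assumed).
ROOT_PRIV = {1: "Administrator", 3: "NoAccess"}

def incoming_channel(host):
    """The session's channel is fixed by the address passed to -H."""
    return CHANNEL_BY_HOST[host]

def expected_rc(host, priv_by_channel=ROOT_PRIV):
    """0 if a session can be opened on the incoming channel, else 1."""
    return 1 if priv_by_channel[incoming_channel(host)] == "NoAccess" else 0

def ipmitool_argv(host, user, password, queried_channel):
    """argv for 'user list N'; N does not influence the incoming channel."""
    return ["ipmitool", "-I", "lanplus", "-H", host, "-U", user,
            "-P", password, "user", "list", str(queried_channel)]

def build_matrix(user="root", password="<password>"):
    """Every (-H host, queried channel) pair with the rc a test should expect."""
    rows = []
    for host, queried in product(CHANNEL_BY_HOST, ROOT_PRIV):
        rows.append({"argv": ipmitool_argv(host, user, password, queried),
                     "incoming": incoming_channel(host),
                     "queried": queried,
                     "expected_rc": expected_rc(host)})
    return rows

def misplaced_expectations(cases):
    """Return test cases whose expected rc was derived from the command's
    channel argument instead of the channel the request arrives on."""
    return [c for c in cases if c["expected_rc"] != expected_rc(c["host"])]

if __name__ == "__main__":
    for row in build_matrix():
        print(row["expected_rc"], " ".join(row["argv"]))
    # Constructed case shaped like the quoted test step: one IP address,
    # channel number only in the command, failure expected.
    print(misplaced_expectations(
        [{"host": "x.y.z.1", "queried": 2, "expected_rc": 1}]))
```
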