New ServiceRep role and privilege
Joseph Reynolds
jrey at linux.ibm.com
Thu Jun 4 12:49:01 AEST 2020
On 6/3/20 9:31 PM, Joseph Reynolds wrote:
> This is a proposal to add a new ServiceRep role and a new
> PerformService privilege to Redfish. The motivation for this is given
> in the "Isolate service privileges" email, as archived [1].
>
> To be clear: This email is asking the OpenBMC community for input
> before approaching Redfish with a formal proposal. Would you be okay
> with the changes described here, or do we have more considerations?
I posted this topic to the Redfish forum to get their input:
https://redfishforum.com/thread/333/proposed-new-servicerep-role-privilege
- Joseph
> The proposal
>
> 1. Add a new PerformService privilege with description: Can perform
> service operations on components that this service manages.
> Reference: Update DSP2046 Redfish Resource and Schema Guide >
> PrivilegeRegistry > Property details.
>
> 2. Add a new ServiceRep role with the same privileges as Operator,
> plus the PerformService privilege.
> ServiceRep - Login, ConfigureComponents, ConfigureSelf, PerformService.
> Reference: DSP0266 Redfish Specification > Security Details >
> Privilege model and authorization.
>
> 3. Update the Administrator role to optionally have the PerformService
> privilege. Make this an implementation decision based on use case:
> - As an Administrator of a system that does not have dedicated service
> personnel, I need the PerformService privilege so I don't have to
> create a service account just to perform service operations.
> - As the OEM of a system that has dedicated service agents, I need the
> Administrator to NOT have the PerformService privilege so they cannot
> interfere with the service personnel.
>
> 4. Change various operations to require the PerformService privilege.
> For example, allow PATCH to an EthernetInterface MACAddress.
>
> 4a. Reference: DSP8010 Redfish Schema > EthernetInterface.
> Change the MACAddress.readonly property to false.
>
> 4b. Reference: DSP8011 > Redfish PrivilegeRegistry > EthernetInterface.
> Add a PropertyOverride to target MACAddress for the PATCH operation:
> require PerformService.
>
>
> Discussion points
>
> I believe this would be straightforward to implement in the BMCWeb
> Redfish server [2]. For point 3 above (optionally assigning the
> PerformService privileges), we can have an BMCWeb configuration option
> or image feature. I believe we need both use cases.
>
> Note that ServiceRep may need the ConfigureManagers privilege
> depending on your service model. Note also that a ServiceRep with the
> ConfigureUsers privilege is really an Administrator with additional
> powers, as discussed in the OpenBMC security working group minutes [3]
> from 2019-11-21 and 2020-03-04. That may or may not be what you
> want. All kinds of fun here, we could even make this configurable by
> the BMC admin. [4]
>
> To address how to protect against DSP2045 > "AccountService roles
> allow an escalation of privileges", see discussion in the "Isolate
> service privileges" email [1].
>
> The proposal described here does not fit neatly into the existing
> Redfish model. The PerformService privilege should optionally be
> assigned to the Administrator role, depending on the use case. Perhaps
> the Redfish spec could make that an implementation option. Otherwise
> using a custom Role and OemPrivileges (as shown in the DSP0266 >
> OEMSysAdminPriv example) would work. We'll need to work that out with
> Redfish.
>
> The alternate proposal using a custom Role & OemPrivileges would be:
> - Custom ServiceRep role, as above.
> - OemPrivilegePerformService, as above.
> - But with no changes to the Redfish spec.
> - A configuration option that determines whether or not Administrator
> contains OemPrivilegePerformService.
>
> Is this the right way to think about alternate role and privilege
> schemes, or is using custom roles and OemPrivileges the way to go?
>
> - Joseph
>
> [1]: https://lists.ozlabs.org/pipermail/openbmc/2020-June/021927.html
> [2]: https://github.com/openbmc/bmcweb
> [3]:
> https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI
> [4]: Just joking. That's extra works we don't need.
>
More information about the openbmc
mailing list