Security Working Group meeting - this Wednesday February 19 - summary results

Gunnar Mills gmills at linux.vnet.ibm.com
Wed Mar 4 04:56:41 AEDT 2020


On 2/19/2020 5:05 PM, Joseph Reynolds wrote:
> On 2/17/20 4:29 PM, Joseph Reynolds wrote:
>
>
>> 2. (Joseph, follow up to agenda item 3 from 2020-02-05): Redfish 
>> Privilege updates: 
>> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28881 and 
>> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28878 Update 
>> Feb 11: See 
>> https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration 
>> clarified the intention to NOT enumerate all accounts (unless you are 
>> the admin)

>
> Consensus was to leave OpenBMC as-is (only admin can enumerate users) 
> until Redfish releases a new spec.
>
This is implemented as Redfish intended, a user without ConfigureUsers 
privilege will only see their own account here: 
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28881

  We don't need to wait for the next Redfish release since Redfish is 
only further clarifying this in the documentation and implemented in 
28881 is how Redfish intended this to work. This fixes 2 validator 
errors if the validator is run as a ReadOnly or Operator role user.

Thx,
Gunnar



More information about the openbmc mailing list