Security Working Group meeting - this Wednesday February 19 - summary results
Gunnar Mills
gmills at linux.vnet.ibm.com
Wed Mar 4 04:56:41 AEDT 2020
On 2/19/2020 5:05 PM, Joseph Reynolds wrote:
> On 2/17/20 4:29 PM, Joseph Reynolds wrote:
>
>
>> 2. (Joseph, follow up to agenda item 3 from 2020-02-05): Redfish
>> Privilege updates:
>> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28881 and
>> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28878 Update
>> Feb 11: See
>> https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration
>> clarified the intention to NOT enumerate all accounts (unless you are
>> the admin)
>
> Consensus was to leave OpenBMC as-is (only admin can enumerate users)
> until Redfish releases a new spec.
>
This is implemented as Redfish intended, a user without ConfigureUsers
privilege will only see their own account here:
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/28881
We don't need to wait for the next Redfish release since Redfish is
only further clarifying this in the documentation and implemented in
28881 is how Redfish intended this to work. This fixes 2 validator
errors if the validator is run as a ReadOnly or Operator role user.
Thx,
Gunnar
More information about the openbmc
mailing list