Disable specific URLs in bmcweb

Thu Sep 3 04:02:00 AEST 2020

On 9/2/20 12:46 PM, Ed Tanous wrote:
> On Wed, Sep 2, 2020 at 9:57 AM Richard Hanley <rhanley at google.com> wrote:
>> Hi Ed,
>>
>> In this particular case, I think Alan is talking about disabling the POST for certain resources, effectively making them readonly. One example I remember talking to him about was disabling the addition of new users via bmcweb.
>>
> Gotcha.
>
> In that particular case, Redfish PrivilegeRegistry schema is probably
> what you're looking for.  To handle that specific case, you would add

Here is an alternate solution: use the administrator account (currently 
"root") to create a new user with the Operator role, then use that new 
account and discontinue using the Administrator account.  For example 
(change the password):

|curl -x POST https://${bmc}/redfish/v1/AccountService/Accounts/ -d 
'{"UserName": "joeoperator", "Password": "0penBmc1", "RoleId": "Operator"}'|

- Joseph

> a mapping that looks like:
>          {
>              "Entity": "ManagerAccount",
>              "OperationMap": {
>                  "GET": [
>                      {
>                          "Privilege": [
>                              "Login"
>                          ]
>                      }
>                  ],
>                  "HEAD": [
>                      {
>                          "Privilege": [
>                              "Login"
>                          ]
>                      }
>                  ],
>                  "PATCH": [
>                      {
>                          "Privilege": []
>                      }
>                  ],
>                  "POST": [
>                      {
>                          "Privilege": [,
>                  "PUT": [
>                      {
>                          "Privilege": []
>                      }
>                  ],
>                  "DELETE": [
>                      {
>                          "Privilege": []
>                      }
>                  ]
>              }
>          },
>
> I don't believe there's an implementation of PrivilegeRegistry for
> bmcweb today, although we kept it in mind (ish) when we built the
> privileges system.  If you want to chat more about how you could add
> it, I'm happy to talk more specifics with you.
>
> -Ed
>
>> - Richard
>>
>> On Tue, Sep 1, 2020 at 10:55 PM Ed Tanous <ed at tanous.net> wrote:
>>> On Tue, Sep 1, 2020 at 10:40 PM Alan Kuo (郭振維) <Alan_Kuo at quantatw.com> wrote:
>>>> Are there some configuration files in bmcweb that can be used to disable specific URLs and HTTP methods ?
>>>>
>>> There are compile time options that can disable features (and
>>> therefore URLs associated).  They're listed in the CMakeLists.txt
>>> file.
>>>
>>> As far as disabling particular methods, why are you wanting to disable
>>> them?  It seems odd to want to disable a few particular HTTP verbs.