Enhance Redfish to allow IPMI users
Thomaiyar, Richard Marian
richard.marian.thomaiyar at linux.intel.com
Thu Sep 17 01:54:48 AEST 2020
Hi Joseph,
Yes, phosphor-user-management supports the same, i.e. users can be
created with different groups and they can also change group after
creation; password restrictions apply accordingly.
IPMI doesn't have OEM commands for this, but how about adding
community-based OEM commands to support these in IPMI as well, along
with the Redfish enhancements? Vernon / Tom?
Note: One of the problems we still need to solve is how to deploy user
accounts out of the box. Current solutions are:
1. Default user account built in with a common password (security
concern) / unique password (still some concerns).
2. Deploy with no default user account in the BMC. The first user will be
created through the host interface (BIOS setup option), through host IPMI
(again some concerns here).
#2 can't work directly on Redfish as we don't have a host interface
communicating to Redfish, and the current concern of the WG is that it still
requires an authentication mechanism for deployment.
Regards,
Richard
On 9/16/2020 1:08 AM, Joseph Reynolds wrote:
>
> I am working on a new feature so the BMC admin can use Redfish
> operations to allow or deny specific users to use the BMC's network
> IPMI interface.
> The goal is to be able to configure the BMC out of the box with no
> users authorized to use the IPMI network service, and then as needed
> enable network IPMI and allow specific users to use that service.
>
<Richard> : This can be achieved even today, by having the IPMI network
service disabled by default, and then enabling it through
ManagerNetworkProtocol (IPMI) in Redfish (irrespective of user account
group restrictions).
> The direction for this seems to be adding the IPMI enum to the
> ManagerAccount AccountTypes array.
> https://redfishforum.com/thread/219/account-groups-property?page=1&scrollTo=1289
>
>
> If we had this, the BMC admin could allow someuser to use IPMI like
> this: PATCH /redfish/v1/AccountService/Account/someuser with
> {AccountTypes: [...,IPMI,...]} and possibly also changing the password.
>
> Would this work with OpenBMC phosphor user management? The forum
> thread has additional considerations. Will the IPMI maintainers
> please comment here or on the forum?
>
> - Joseph
>