Enhance Redfish to allow IPMI users

Thomaiyar, Richard Marian richard.marian.thomaiyar at linux.intel.com
Thu Sep 17 01:54:48 AEST 2020


Hi Joseph,

Yes, phosphor-user-management supports the same, i.e. users can be
created with different groups and they can also change group after
creation. Password restrictions apply accordingly.

IPMI doesn't have OEM commands for this, but how about adding
community-based OEM commands to support these in IPMI as well, along
with Redfish enhancements? Vernon / Tom?

Note: One of the problems we still need to solve is how to deploy a user
account out of the box. Current solutions are:

1. Default user account built in with common password (security
concern) / unique password (still some concerns)

2. Deploy with no default user account in BMC. First user will be 
created through Host interface (BIOS setup option), through host IPMI 
(Again some concerns here).

#2 can't work directly on Redfish as we don't have host interface 
communicating to Redfish, and the current concern of the WG is it still 
requires authentication mechanism for deployment.

Regards,

Richard

On 9/16/2020 1:08 AM, Joseph Reynolds wrote:
>
> I am working on a new feature so the BMC admin can use Redfish 
> operations to allow or deny specific users to use the BMC's network 
> IPMI interface.
> The goal is to be able to configure the BMC out of the box with no 
> users authorized to use the IPMI network service, and then as needed 
> enable network IPMI and allow specific users to use that service.
>
<Richard>: This can be achieved even today, by having IPMI network
service disabled by default, and then enabling it through
ManagerNetworkProtocol (IPMI) in Redfish (irrespective of user account
group restrictions).

> The direction for this seems to be adding the IPMI enum to the 
> ManagerAccount AccountTypes array.
> https://redfishforum.com/thread/219/account-groups-property?page=1&scrollTo=1289 
>
>
> If we had this, the BMC admin could allow someuser to use IPMI like 
> this: PATCH /redfish/v1/AccountService/Account/someuser with 
> {AccountTypes: [...,IPMI,...]} and possibly also changing the password.
>
> Would this work with OpenBMC phosphor user management?  The forum 
> thread has additional considerations.  Will the IPMI maintainers 
> please comment here or on the forum?
>
> - Joseph
>

