bmcweb - Redfish - Fix Privilege
Abhishek Patel
patelabhishek9893 at gmail.com
Wed Aug 11 11:15:21 AEST 2021
Redfish defines a PrivilegeRegistry
(https://redfish.dmtf.org/registries/Redfish_1.1.0_PrivilegeRegistry.json
<https://redfish.dmtf.org/registries/Redfish_1.1.0_PrivilegeRegistry.json>).
This Privilege Registry defines which privilege(s) are needed to access
the URI. There was work here by Ed to have bmcweb automatically use this
PrivilegeRegistry,
https://github.com/openbmc/bmcweb/commit/ed3982131dcef2b499da36e674d2d21b2289ef29
<https://github.com/openbmc/bmcweb/commit/ed3982131dcef2b499da36e674d2d21b2289ef29>.
The commits below change bmcweb to match the PrivilegeRegistry. They
include two breaking Operator role changes (3 and 4).
1) Fix Log_services privileges
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45125
<https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45125>
This change allows Admin, Operator, and Readonly users to access
Crashdump data and related entries. Before this change, only an admin
role user could access Crashdump data and related entries (LogService,
LogEntryCollection, and LogEntry). Operator users only had access to log
entries(LogEntry).
2) Fix BIOS privileges
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45470
<https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45470>
This change allows Admin and operator users to Reset bios. Before this
change, only an admin role user had that privilege.
*Note:* Above 1) and 2) changes are backward compatible because that
change does not restrict any original user from access.
3) Fix certificate_service privileges
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45470
<https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45470>
This change allows only Admin users to Generate CSR certificates and
restrict Operator users.
4) Fix Ethernet privileges
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45469
<https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45469>
This change allows only Admin users to post, patch, and delete on VLAN
Network Interface Collection and restrict Operator users. Same for the
EthernetInterfaces patch method.
*Note:* Above 3) and 4) change are *not* *backward compatible* because
it restricts Operator user from its ability. Does this break anyone? Is
anyone opposed to these changes?
More information about the openbmc
mailing list