* Proposal for the connected redfish client info
@ 2020-03-11 10:18 Ratan Gupta
  2020-03-17 13:01 ` Ratan Gupta
  0 siblings, 1 reply; 10+ messages in thread
From: Ratan Gupta @ 2020-03-11 10:18 UTC (permalink / raw)
  To: openbmc, james.feist


Hi Team,

In IBM we have the following requirement

  * Show the connected redfish client info.
      o    ClientIP
      o    Client Unique Identifier(unique serial number of the client etc)


Presently there is no way through which we can get this info.

I have the following two proposals for the above requirement.

1/ (Extend the session schema)

Add the IP address and the client Identifier as an OEM in the session schema,
Client IP would be read only and will be updated once the redfish client
creates the session.
ClientIdentifier (Management console unique serial number etc) will be a
writable property and can be set by the redfish client
during creation of the session or after creating the session.


2/ (Create the Manager object at runtime)
Once the redfish client creates the session, bmcweb internally does the
following

- Create the manager object whose type is "Management Controller".

- Create the ethernet interface resource manager resource and update the 
client IP.

    In the second option how to set the Client unique identifier which 
is to be given by the Redfish client

  Please let me know your thoughts on the above.

Ratan



* Re: Proposal for the connected redfish client info
  2020-03-11 10:18 Proposal for the connected redfish client info Ratan Gupta
@ 2020-03-17 13:01 ` Ratan Gupta
  2020-03-17 15:58   ` James Feist
  2020-03-17 17:58   ` Ivan Mikhaylov
  0 siblings, 2 replies; 10+ messages in thread
From: Ratan Gupta @ 2020-03-17 13:01 UTC (permalink / raw)
  To: openbmc, james.feist


Hi Team,

Looking for your inputs

James, How about option1 for the below use case

Ratan

On 3/11/20 3:48 PM, Ratan Gupta wrote:
>
> Hi Team,
>
> In IBM we have a following requirement
>
>   * Show the connected redfish client info.
>       o   ClientIP
>       o   Client Unique Identifier(unique serial number of the client etc)
>
>
> Presently there is no way through which we can get this info.
>
> I have following two proposal for the above requirement.
>
> 1/ (Extend the session schema)
>
> Add the IPaddress and the client Identifier as a OEM in the session 
> schema,
> Client IP would be read only and will be updated once the redfish
> client creates the session.
> ClientIdentifier(Management console unique serial number etc) will be 
> writable property and can be set by the redfish client
> during creation of the session or after creating the session.
>
>
> 2/ (Create the Manager object at runtime)
> once the redfish client creates the session , bmcweb internally does 
> the following
>
> - Create the manager object whose type is "Management Controller".
>
> - Create the ethernet interface resource manager resource and update 
> the client IP.
>
>    In the second option how to set the Client unique identifier which 
> is to be given by the Redfish client
>
>  Please let me know your thoughts on the above.
>
> Ratan
>


* Re: Proposal for the connected redfish client info
  2020-03-17 13:01 ` Ratan Gupta
@ 2020-03-17 15:58   ` James Feist
  2020-03-20  7:20     ` Ratan Gupta
  2020-03-17 17:58   ` Ivan Mikhaylov
  1 sibling, 1 reply; 10+ messages in thread
From: James Feist @ 2020-03-17 15:58 UTC (permalink / raw)
  To: Ratan Gupta, openbmc

On 3/17/2020 6:01 AM, Ratan Gupta wrote:
> Hi Team,
> 
> Looking for your inputs
> 
> James, How about option1 for the below use case

Before creating OEM we are to propose it to the Redfish community. Have 
you asked them for their thoughts?

> 
> Ratan
> 
> On 3/11/20 3:48 PM, Ratan Gupta wrote:
>>
>> Hi Team,
>>
>> In IBM we have a following requirement
>>
>>   * Show the connected redfish client info.
>>       o   ClientIP
>>       o   Client Unique Identifier(unique serial number of the client etc)

This confuses me, how are you getting the serial number for a connected 
client? If so, have you looked into data protection laws and storing 
Personally Identifiable Information?

>>
>>
>> Presently there is no way through which we can get this info.
>>
>> I have following two proposal for the above requirement.
>>
>> 1/ (Extend the session schema)
>>
>> Add the IPaddress and the client Identifier as a OEM in the session 
>> schema,
>> Client IP would be read only and will be updated once the redfish
>> client creates the session.
>> ClientIdentifier(Management console unique serial number etc) will be 
>> writable property and can be set by the redfish client
>> during creation of the session or after creating the session.
>>
>>
>> 2/ (Create the Manager object at runtime)
>> once the redfish client creates the session , bmcweb internally does 
>> the following
>>
>> - Create the manager object whose type is "Management Controller".
>>
>> - Create the ethernet interface resource manager resource and update 
>> the client IP.
>>
>>    In the second option how to set the Client unique identifier which 
>> is to be given by the Redfish client

I've had talks before about creating a new systems schema for the BMC 
specifically, so that you could expose things like bmc memory, etc. 
Systems also has the Ethernet schema. However this depends on what 
you're trying to present.

>>
>>  Please let me know your thoughts on the above.
>>
>> Ratan
>>


* Re: Proposal for the connected redfish client info
  2020-03-17 13:01 ` Ratan Gupta
  2020-03-17 15:58   ` James Feist
@ 2020-03-17 17:58   ` Ivan Mikhaylov
  2020-03-17 19:49     ` Richard Hanley
  1 sibling, 1 reply; 10+ messages in thread
From: Ivan Mikhaylov @ 2020-03-17 17:58 UTC (permalink / raw)
  To: Ratan Gupta, openbmc, james.feist

On Tue, 2020-03-17 at 18:31 +0530, Ratan Gupta wrote:
> Hi Team,
> 
> Looking for your inputs 
> 
> James, How about option1 for the below use case
> 
> Ratan
> 
> On 3/11/20 3:48 PM, Ratan Gupta wrote:
> > Hi Team,
> > 
> > In IBM we have a following requirement
> > 
> > Show the connected redfish client info.
> >   ClientIP
> >   Client Unique Identifier(unique serial number of the client etc)
> > 
> > Presently there is no way through which we can get this info.
> > 
> > I have following two proposal for the above requirement.
> > 
> > 1/ (Extend the session schema)
> > 
> > Add the IPaddress and the client Identifier as a OEM in the session schema,
> > Client IP would be read only and will be updated once the redfish client
> > creates the session.

We've already some sort of it in our local env for old builds. I don't mind
about client ip read only property inside session/connection inside bmcweb. 

> > ClientIdentifier(Management console unique serial number etc) will be
> > writable property and can be set by the redfish client 
> > during creation of the session or after creating the session.

What is 'ClientIdentifier' and why should it be there?


* Re: Proposal for the connected redfish client info
  2020-03-17 17:58   ` Ivan Mikhaylov
@ 2020-03-17 19:49     ` Richard Hanley
  2020-03-19 15:49       ` Ivan Mikhaylov
  0 siblings, 1 reply; 10+ messages in thread
From: Richard Hanley @ 2020-03-17 19:49 UTC (permalink / raw)
  To: Ivan Mikhaylov; +Cc: Ratan Gupta, OpenBMC Maillist, James Feist


>Show the connected redfish client info.
> ClientIP
> Client Unique Identifier(unique serial number of the client etc)

I'd like to know a bit more of the use case for this information.  Is this
done to help clients find each other in realtime? Or is this being to log
accesses for security audits?  I think that would help me figure out what
direction we should move towards.

If this is related to auditing, then we should be thinking about how this
feature might expand over time.

Cheers,
Richard

On Tue, Mar 17, 2020 at 11:00 AM Ivan Mikhaylov <i.mikhaylov@yadro.com>
wrote:

> On Tue, 2020-03-17 at 18:31 +0530, Ratan Gupta wrote:
> > Hi Team,
> >
> > Looking for your inputs
> >
> > James, How about option1 for the below use case
> >
> > Ratan
> >
> > On 3/11/20 3:48 PM, Ratan Gupta wrote:
> > > Hi Team,
> > >
> > > In IBM we have a following requirement
> > >
> > > Show the connected redfish client info.
> > >   ClientIP
> > >   Client Unique Identifier(unique serial number of the client etc)
> > >
> > > Presently there is no way through which we can get this info.
> > >
> > > I have following two proposal for the above requirement.
> > >
> > > 1/ (Extend the session schema)
> > >
> > > Add the IPaddress and the client Identifier as a OEM in the session
> schema,
> > > Client IP would be read only and will be updated once the redfish
> client
> > > creates the session.
>
> We've already some sort of it in our local env for old builds. I don't mind
> about client ip read only property inside session/connection inside
> bmcweb.
>
> > > ClientIdentifier(Management console unique serial number etc) will be
> > > writable property and can be set by the redfish client
> > > during creation of the session or after creating the session.
>
> What is 'ClientIdentifier' and why it should be there?
>
>


* Re: Proposal for the connected redfish client info
  2020-03-17 19:49     ` Richard Hanley
@ 2020-03-19 15:49       ` Ivan Mikhaylov
  0 siblings, 0 replies; 10+ messages in thread
From: Ivan Mikhaylov @ 2020-03-19 15:49 UTC (permalink / raw)
  To: Richard Hanley; +Cc: Ratan Gupta, OpenBMC Maillist, James Feist

On Tue, 2020-03-17 at 12:49 -0700, Richard Hanley wrote:
> >Show the connected redfish client info.
> > ClientIP
> > Client Unique Identifier(unique serial number of the client etc)
> 
> I'd like to know a bit more of the use case for this information.  Is this
> done to help clients find each other in realtime? Or is this being to log
> accesses for security audits?  I think that would help me figure out what
> direction we should move towards.
> 
> If this is related to auditing, then we should be thinking about how this
> feature might expand over time.
> 

Not sure about Ratan's use case but ClientIP will be used in upcoming phosphor-
audit work.


* Re: Proposal for the connected redfish client info
  2020-03-17 15:58   ` James Feist
@ 2020-03-20  7:20     ` Ratan Gupta
  2020-03-26  8:24       ` Ratan Gupta
  0 siblings, 1 reply; 10+ messages in thread
From: Ratan Gupta @ 2020-03-20  7:20 UTC (permalink / raw)
  To: James Feist, openbmc, i.mikhaylov, rhanley


Hi James, Ivan, Richard

The intention of the below requirement is to help the clients to find
the other connected clients in realtime.

Richard, As you mentioned in other thread

*"Or is this being to log accesses for security audits?  I think that 
would help me figure out what direction we should move towards."*

  It may get used for security audits but didn't think before you 
pointed out.


On 3/17/20 9:28 PM, James Feist wrote:
> On 3/17/2020 6:01 AM, Ratan Gupta wrote:
>> Hi Team,
>>
>> Looking for your inputs
>>
>> James, How about option1 for the below use case
>
> Before creating OEM we are to propose it to the Redfish community. 
> Have you asked them for their thoughts?
My plan was to ask the openBMC community first about the
requirement. If the community is interested in this we can propose it to
the Redfish-Forum.
>
>>
>> Ratan
>>
>> On 3/11/20 3:48 PM, Ratan Gupta wrote:
>>>
>>> Hi Team,
>>>
>>> In IBM we have a following requirement
>>>
>>>   * Show the connected redfish client info.
>>>       o   ClientIP
>>>       o   Client Unique Identifier(unique serial number of the client etc)
>
> This confuses me, how are you getting the serial number for a 
> connected client? If so, have you looked into data protection laws and 
> storing Personally Identifiable Information?

Client has to give this info, it could be anything like hostname of the
client, serial number of the machine etc, it is up to the client what
they want to provide as part of client identifier.

Why it is needed?

Consider the below use case

=> Client(x.x.x.x) creates the session with BMC

=> BMC stores this IP(x.x.x.x)

=> Now say Client IP(x.x.x.x) got changed to y.y.y.y but the session is
still valid.

=> Stored IP(x.x.x.x) will not be much usable here in this scenario

=> Here Client Identifier may be usable to identify the connected client.

Let me know your thoughts here.


>
>>>
>>>
>>> Presently there is no way through which we can get this info.
>>>
>>> I have following two proposal for the above requirement.
>>>
>>> 1/ (Extend the session schema)
>>>
>>> Add the IPaddress and the client Identifier as a OEM in the session 
>>> schema,
>>> Client IP would be read only and will be updated once the redfish
>>> client creates the session.
>>> ClientIdentifier(Management console unique serial number etc) will 
>>> be writable property and can be set by the redfish client
>>> during creation of the session or after creating the session.
>>>
>>>
>>> 2/ (Create the Manager object at runtime)
>>> once the redfish client creates the session , bmcweb internally does 
>>> the following
>>>
>>> - Create the manager object whose type is "Management Controller".
>>>
>>> - Create the ethernet interface resource manager resource and update 
>>> the client IP.
>>>
>>>    In the second option how to set the Client unique identifier 
>>> which is to be given by the Redfish client
>
> I've had talks before about creating a new systems schema for the BMC 
> specifically, so that you could expose things like bmc memory, etc. 
> Systems also has the Ethernet schema. However this depends on what 
> you're trying to present.
>
Here I was proposing to create a manager object for the external
clients, once they create the session with the BMC. I am not sure what
else we can set for the connected client in the manager object so I was
inclined towards extending the session schema instead of creating the
manager object for external clients.
>>>
>>>  Please let me know your thoughts on the above.
>>>
>>> Ratan
>>>
Ratan


* Re: Proposal for the connected redfish client info
  2020-03-20  7:20     ` Ratan Gupta
@ 2020-03-26  8:24       ` Ratan Gupta
  2020-03-26 14:01         ` Patrick Williams
  0 siblings, 1 reply; 10+ messages in thread
From: Ratan Gupta @ 2020-03-26  8:24 UTC (permalink / raw)
  To: James Feist, openbmc, i.mikhaylov, rhanley


Hi James, Ivan, Richard,

Please go through the mail below, I responded to the queries.

Let me know if we have concern around this.

Ratan

On 3/20/20 12:50 PM, Ratan Gupta wrote:
>
> Hi James,Ivan,Richard
>
> The Intention of the below requirement is to help the clients to find 
> the other connected clients in realtime.
>
> Richard, As you mentioned in other thread
>
> *"Or is this being to log accesses for security audits? I think that 
> would help me figure out what direction we should move towards."*
>
>  It may get used for security audits but didn't think before you 
> pointed out.
>
>
> On 3/17/20 9:28 PM, James Feist wrote:
>> On 3/17/2020 6:01 AM, Ratan Gupta wrote:
>>> Hi Team,
>>>
>>> Looking for your inputs
>>>
>>> James, How about option1 for the below use case
>>
>> Before creating OEM we are to propose it to the Redfish community. 
>> Have you asked them for their thoughts?
> My plan was to ask from the openBMC community first about the 
> requirement, If the community interested in this we can propose it to 
> the Redfish-Forum.
>>
>>>
>>> Ratan
>>>
>>> On 3/11/20 3:48 PM, Ratan Gupta wrote:
>>>>
>>>> Hi Team,
>>>>
>>>> In IBM we have a following requirement
>>>>
>>>>   * Show the connected redfish client info.
>>>>       o   ClientIP
>>>>       o   Client Unique Identifier(unique serial number of the client etc)
>>
>> This confuses me, how are you getting the serial number for a 
>> connected client? If so, have you looked into data protection laws 
>> and storing Personally Identifiable Information?
>
> Client have to give this info, it could be anything like hostname of 
> the client, serial number of the machine etc, it is up to the client 
> what they want to provide as part of client identifier.
>
> Why it is needed?
>
> Consider the below use case
>
> => Client(x.x.x.x) creates the session with BMC
>
> => BMC stores this IP(x.x.x.x)
>
> => Now say Client IP(x.x.x.x) got change to y.y.y.y but the session is 
> still valid.
>
> => Stored IP(x.x.x.x) will not be much usable here in this scenario
>
> => Here Client Identifier may be usable to identify the connected client.
>
> Let me know your thoughts here.
>
>
>>
>>>>
>>>>
>>>> Presently there is no way through which we can get this info.
>>>>
>>>> I have following two proposal for the above requirement.
>>>>
>>>> 1/ (Extend the session schema)
>>>>
>>>> Add the IPaddress and the client Identifier as a OEM in the session 
>>>> schema,
>>>> Client IP would be read only and will be updated once the redfish
>>>> client creates the session.
>>>> ClientIdentifier(Management console unique serial number etc) will 
>>>> be writable property and can be set by the redfish client
>>>> during creation of the session or after creating the session.
>>>>
>>>>
>>>> 2/ (Create the Manager object at runtime)
>>>> once the redfish client creates the session , bmcweb internally 
>>>> does the following
>>>>
>>>> - Create the manager object whose type is "Management Controller".
>>>>
>>>> - Create the ethernet interface resource manager resource and 
>>>> update the client IP.
>>>>
>>>>    In the second option how to set the Client unique identifier 
>>>> which is to be given by the Redfish client
>>
>> I've had talks before about creating a new systems schema for the BMC 
>> specifically, so that you could expose things like bmc memory, etc. 
>> Systems also has the Ethernet schema. However this depends on what 
>> you're trying to present.
>>
> Here I was proposing to create a manager object for the external 
> clients, once they creates the session with the BMC. I am not sure 
> what else we can set for the connected client in the manager object so 
> I was inclined towards extending the session schema instead of 
> creating the manager object for external clients.
>>>>
>>>>  Please let me know your thoughts on the above.
>>>>
>>>> Ratan
>>>>
> Ratan


* Re: Proposal for the connected redfish client info
  2020-03-26  8:24       ` Ratan Gupta
@ 2020-03-26 14:01         ` Patrick Williams
  2020-03-26 16:18           ` Ivan Mikhaylov
  0 siblings, 1 reply; 10+ messages in thread
From: Patrick Williams @ 2020-03-26 14:01 UTC (permalink / raw)
  To: Ratan Gupta; +Cc: James Feist, openbmc, i.mikhaylov, rhanley

On Thu, Mar 26, 2020 at 01:54:05PM +0530, Ratan Gupta wrote:
> >> This confuses me, how are you getting the serial number for a 
> >> connected client? If so, have you looked into data protection laws 
> >> and storing Personally Identifiable Information?
> >
> > Client have to give this info, it could be anything like hostname of 
> > the client, serial number of the machine etc, it is up to the client 
> > what they want to provide as part of client identifier.
> >
> > Why it is needed?
> >
> > Consider the below use case
> >
> > => Client(x.x.x.x) creates the session with BMC
> >
> > => BMC stores this IP(x.x.x.x)
> >
> > => Now say Client IP(x.x.x.x) got change to y.y.y.y but the session is 
> > still valid.
> >
> > => Stored IP(x.x.x.x) will not be much usable here in this scenario
> >
> > => Here Client Identifier may be usable to identify the connected client.
> >
> > Let me know your thoughts here.

IP addresses are a terrible way of attempting to identify a client
anyhow.  Aren't there hundreds of implementations of authentication
tokens used in web technologies?  Why are we attempting to invent
something new?

It seems like much of the internet world has coalesced around JWT.
https://tools.ietf.org/html/rfc7519

-- 
Patrick Williams
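
Added example, not part of the original thread or of bmcweb: a sketch of the token-based identification suggested above (RFC 7519), applied to the IP-change scenario described earlier in the thread. The shared HS256 key, the use of the `sub` claim for the client identifier, and all function names are assumptions; `ClientIdentifier` and `ClientIP` are the property names from the proposal.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def issue_token(key: bytes, client_id: str, expires_at: int) -> str:
    """Issue an HS256 JWT whose 'sub' claim carries the client identifier."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"sub": client_id, "exp": expires_at}).encode())
    signing_input = f"{header}.{claims}"
    return f"{signing_input}.{b64url(sign(key, signing_input))}"


def verify_token(key: bytes, token: str, now: int):
    """Return the claims dict if the token is authentic and unexpired, else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: never let the token choose it (rejects "none").
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = sign(key, f"{header_b64}.{claims_b64}")
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:  # wrong part count, bad base64, bad UTF-8, bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    exp, sub = claims.get("exp"), claims.get("sub")
    if not isinstance(exp, int) or now >= exp or not isinstance(sub, str):
        return None
    return claims


def connected_client(key: bytes, token: str, peer_ip: str, now: int):
    """Identity comes from the signed claim; the address is only what the socket shows now."""
    claims = verify_token(key, token, now)
    if claims is None:
        return None
    return {"ClientIdentifier": claims["sub"], "ClientIP": peer_ip}


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-a-real-secret"  # constructed sample value
    tok = issue_token(KEY, "console-SN-0001", expires_at=2000)
    print(connected_client(KEY, tok, "192.0.2.10", now=1000))
    print(connected_client(KEY, tok, "198.51.100.7", now=1000))  # IP changed, same identity
```

Unlike a writable identifier field, the identifier here cannot be altered by the client without invalidating the signature, and it stays stable when the source address changes.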


* Re: Proposal for the connected redfish client info
  2020-03-26 14:01         ` Patrick Williams
@ 2020-03-26 16:18           ` Ivan Mikhaylov
  0 siblings, 0 replies; 10+ messages in thread
From: Ivan Mikhaylov @ 2020-03-26 16:18 UTC (permalink / raw)
  To: Patrick Williams, Ratan Gupta; +Cc: James Feist, openbmc, rhanley

On Thu, 2020-03-26 at 09:01 -0500, Patrick Williams wrote:
> On Thu, Mar 26, 2020 at 01:54:05PM +0530, Ratan Gupta wrote:
> > > > This confuses me, how are you getting the serial number for a 
> > > > connected client? If so, have you looked into data protection laws 
> > > > and storing Personally Identifiable Information?
> > > 
> > > Client have to give this info, it could be anything like hostname of 
> > > the client, serial number of the machine etc, it is up to the client 
> > > what they want to provide as part of client identifier.
> > > 
> > > Why it is needed?
> > > 
> > > Consider the below use case
> > > 
> > > => Client(x.x.x.x) creates the session with BMC
> > > 
> > > => BMC stores this IP(x.x.x.x)
> > > 
> > > => Now say Client IP(x.x.x.x) got change to y.y.y.y but the session is 
> > > still valid.
> > > 
> > > => Stored IP(x.x.x.x) will not be much usable here in this scenario
> > > 
> > > => Here Client Identifier may be usable to identify the connected client.
> > > 
> > > Let me know your thoughts here.
> 
> IP addresses are a terrible way of attempting to identify a client
> anyhow.  Aren't there hundreds of implementations of authentication
> tokens used in web technologies?  Why are we attempting to invent
> something new?
> 
> It seems like much of the internet world has coalesced around JWT.
> https://tools.ietf.org/html/rfc7519
> 

I agree with Patrick about tokens as identification, IP addresses are not usable
for this purpose.
