Verify Privilege For Different Channels in openbmc-test-automation

Verify Privilege For Different Channels in openbmc-test-automation

[Tony Lee (李文富)]

Hi Rahul,

I meet with difficulties for the cases "Verify Administrator And No Access Privilege For Different Channels" and
"Verify Operator And User Privilege For Different Channels" in test_ipmi_user.robot.

Refer to https://github.com/openbmc/openbmc-test-automation/issues/1523
According to Richard's comment: "Channel command privilege are working as per the channel (but at this point of time this differentiation can't be made due to architecture limitations, but ok to write test case and mark it as failed, rather than skipping the same)"

Are these two cases be expected to fail?

Thanks
Best Regards,
Tony

RE: Verify Privilege For Different Channels in openbmc-test-automation

[Tony Lee (李文富)]

Got it. Another question, at the last two "Verify" steps. 
Can the user run out-of-band IPMI commands with the specified channel?
(e.g ipmitool -I lanplus -C 3 -p 623 -U YmRBwDUS -P 0penBmc1 -H x.x.x.x -L Administrator sel info 1)

Is there a description or SPEC about it? It doesn't work on my system.
For example:
I created a user name DD and gave it different privilege for different channels.

ipmitool user list 1
ID  Name	     Callin  Link Auth	IPMI Msg   Channel Priv Limit
1   root             false   true       true       ADMINISTRATOR
...
...
6   DD               true    false      false      NO ACCESS

ipmitool user list 2
ID  Name	     Callin  Link Auth	IPMI Msg   Channel Priv Limit
1   root             false   true       true       ADMINISTRATOR
...
...
6   DD               true    false      true       ADMINISTRATOR

As expected, it should not work if user run out-of-band IPMI commands with the channel 1.
Howerver it still work.
$ipmitool -I lanplus -C 3 -p 623 -U DD -P 0penBmc1 -H x.x.x.x sel info 1

SEL Information
Version          : 1.5 (v1.5, v2 compliant)
Entries          : 6
Free Space       : 0 bytes 
Percent Used     : 100%
Last Add Time    : 01/06/1970 00:13:18
Last Del Time    : Not Available
Overflow         : false
Supported Cmds   : 'Reserve'

Thanks
Best Regards,
Tony

From: Rahul Maheshwari <rahulmaheshwari01@gmail.com> 
Sent: Thursday, January 16, 2020 7:15 PM
To: Tony Lee (李文富) <Tony.Lee@quantatw.com>
Subject: Re: Verify Privilege For Different Channels in openbmc-test-automation

Hi Tony
These test cases are expected to fail if your system's BMC has only one LAN channel support. In case of your BMC has 2 LAN channel support, then these tests should pass.

Thanks
Rahul

On Tue, Jan 14, 2020 at 2:52 PM Tony Lee (李文富) <mailto:Tony.Lee@quantatw.com> wrote:
Hi Rahul,

I meet with difficulties for the cases "Verify Administrator And No Access Privilege For Different Channels" and
"Verify Operator And User Privilege For Different Channels" in test_ipmi_user.robot.

Refer to https://github.com/openbmc/openbmc-test-automation/issues/1523
According to Richard's comment: "Channel command privilege are working as per the channel (but at this point of time this differentiation can't be made due to architecture limitations, but ok to write test case and mark it as failed, rather than skipping the same)"

Are these two cases be expected to fail?

Thanks
Best Regards,
Tony

Re: Verify Privilege For Different Channels in openbmc-test-automation

[Rahul Maheshwari]

[-- Attachment #1: Type: text/plain, Size: 2991 bytes --]

That seem to be an issue. Can you also check output for below lan print
command? If that also is working, check with Richard regarding this problem.

ipmitool -I lanplus -C 3 -p 623 -U DD -P 0penBmc1 -H x.x.x.x lan print 1

On Fri, Jan 17, 2020 at 11:09 AM Tony Lee (李文富) <Tony.Lee@quantatw.com>
wrote:

> Got it. Another question, at the last two "Verify" steps.
> Can the user run out-of-band IPMI commands with the specified channel?
> (e.g ipmitool -I lanplus -C 3 -p 623 -U YmRBwDUS -P 0penBmc1 -H x.x.x.x -L
> Administrator sel info 1)
>
> Is there a description or SPEC about it? It doesn't work on my system.
> For example:
> I created a user name DD and gave it different privilege for different
> channels.
>
> ipmitool user list 1
> ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
> 1   root             false   true       true       ADMINISTRATOR
> ...
> ...
> 6   DD               true    false      false      NO ACCESS
>
> ipmitool user list 2
> ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
> 1   root             false   true       true       ADMINISTRATOR
> ...
> ...
> 6   DD               true    false      true       ADMINISTRATOR
>
> As expected, it should not work if user run out-of-band IPMI commands with
> the channel 1.
> Howerver it still work.
> $ipmitool -I lanplus -C 3 -p 623 -U DD -P 0penBmc1 -H x.x.x.x sel info 1
>
> SEL Information
> Version          : 1.5 (v1.5, v2 compliant)
> Entries          : 6
> Free Space       : 0 bytes
> Percent Used     : 100%
> Last Add Time    : 01/06/1970 00:13:18
> Last Del Time    : Not Available
> Overflow         : false
> Supported Cmds   : 'Reserve'
>
> Thanks
> Best Regards,
> Tony
>
> From: Rahul Maheshwari <rahulmaheshwari01@gmail.com>
> Sent: Thursday, January 16, 2020 7:15 PM
> To: Tony Lee (李文富) <Tony.Lee@quantatw.com>
> Subject: Re: Verify Privilege For Different Channels in
> openbmc-test-automation
>
> Hi Tony
> These test cases are expected to fail if your system's BMC has only one
> LAN channel support. In case of your BMC has 2 LAN channel support, then
> these tests should pass.
>
> Thanks
> Rahul
>
> On Tue, Jan 14, 2020 at 2:52 PM Tony Lee (李文富) <mailto:
> Tony.Lee@quantatw.com> wrote:
> Hi Rahul,
>
> I meet with difficulties for the cases "Verify Administrator And No Access
> Privilege For Different Channels" and
> "Verify Operator And User Privilege For Different Channels" in
> test_ipmi_user.robot.
>
> Refer to https://github.com/openbmc/openbmc-test-automation/issues/1523
> According to Richard's comment: "Channel command privilege are working as
> per the channel (but at this point of time this differentiation can't be
> made due to architecture limitations, but ok to write test case and mark it
> as failed, rather than skipping the same)"
>
> Are these two cases be expected to fail?
>
> Thanks
> Best Regards,
> Tony
>

[-- Attachment #2: Type: text/html, Size: 3902 bytes --]

RE: Verify Privilege For Different Channels in openbmc-test-automation

[Tony Lee (李文富)]

Yes, It also is working.
I think this lan print command doesn't represent running IPMI command with channel 1. It get channel 1 info with the LAN channel.
Thanks for your kind help. I'll check with Richard regarding this problem.

Regards,
Tony

From: Rahul Maheshwari <rahulmaheshwari01@gmail.com> 
Sent: Friday, January 17, 2020 7:02 PM
To: Tony Lee (李文富) <Tony.Lee@quantatw.com>
Cc: openbmc@lists.ozlabs.org
Subject: Re: Verify Privilege For Different Channels in openbmc-test-automation

That seem to be an issue. Can you also check output for below lan print command? If that also is working, check with Richard regarding this problem.

ipmitool -I lanplus -C 3 -p 623 -U DD -P 0penBmc1 -H x.x.x.x lan print 1

On Fri, Jan 17, 2020 at 11:09 AM Tony Lee (李文富) <mailto:Tony.Lee@quantatw.com> wrote:
Got it. Another question, at the last two "Verify" steps. 
Can the user run out-of-band IPMI commands with the specified channel?
(e.g ipmitool -I lanplus -C 3 -p 623 -U YmRBwDUS -P 0penBmc1 -H x.x.x.x -L Administrator sel info 1)

Is there a description or SPEC about it? It doesn't work on my system.
For example:
I created a user name DD and gave it different privilege for different channels.

ipmitool user list 1
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1   root             false   true       true       ADMINISTRATOR
...
...
6   DD               true    false      false      NO ACCESS

ipmitool user list 2
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1   root             false   true       true       ADMINISTRATOR
...
...
6   DD               true    false      true       ADMINISTRATOR

As expected, it should not work if user run out-of-band IPMI commands with the channel 1.
Howerver it still work.
$ipmitool -I lanplus -C 3 -p 623 -U DD -P 0penBmc1 -H x.x.x.x sel info 1

SEL Information
Version          : 1.5 (v1.5, v2 compliant)
Entries          : 6
Free Space       : 0 bytes 
Percent Used     : 100%
Last Add Time    : 01/06/1970 00:13:18
Last Del Time    : Not Available
Overflow         : false
Supported Cmds   : 'Reserve'

Thanks
Best Regards,
Tony

From: Rahul Maheshwari <mailto:rahulmaheshwari01@gmail.com> 
Sent: Thursday, January 16, 2020 7:15 PM
To: Tony Lee (李文富) <mailto:Tony.Lee@quantatw.com>
Subject: Re: Verify Privilege For Different Channels in openbmc-test-automation

Hi Tony
These test cases are expected to fail if your system's BMC has only one LAN channel support. In case of your BMC has 2 LAN channel support, then these tests should pass.

Thanks
Rahul

On Tue, Jan 14, 2020 at 2:52 PM Tony Lee (李文富) <mailto:mailto:Tony.Lee@quantatw.com> wrote:
Hi Rahul,

I meet with difficulties for the cases "Verify Administrator And No Access Privilege For Different Channels" and
"Verify Operator And User Privilege For Different Channels" in test_ipmi_user.robot.

Refer to https://github.com/openbmc/openbmc-test-automation/issues/1523
According to Richard's comment: "Channel command privilege are working as per the channel (but at this point of time this differentiation can't be made due to architecture limitations, but ok to write test case and mark it as failed, rather than skipping the same)"

Are these two cases be expected to fail?

Thanks
Best Regards,
Tony

Re: Verify Privilege For Different Channels in openbmc-test-automation

[Thomaiyar, Richard Marian]

Are you saying that with NoAcess for channel x, you are able to get the 
IPMI response.

please note: -H x.x.x.x  determines, which channel you are trying to 
communicate. Try the other IP address (because not sure, which channel 
is configured to what IP).

Regards,

Richard

On 1/20/2020 8:11 AM, Tony Lee (李文富) wrote:
> Yes, It also is working.
> I think this lan print command doesn't represent running IPMI command with channel 1. It get channel 1 info with the LAN channel.
> Thanks for your kind help. I'll check with Richard regarding this problem.
>
> Regards,
> Tony
>
> From: Rahul Maheshwari <rahulmaheshwari01@gmail.com>
> Sent: Friday, January 17, 2020 7:02 PM
> To: Tony Lee (李文富) <Tony.Lee@quantatw.com>
> Cc: openbmc@lists.ozlabs.org
> Subject: Re: Verify Privilege For Different Channels in openbmc-test-automation
>
> That seem to be an issue. Can you also check output for below lan print command? If that also is working, check with Richard regarding this problem.
>
> ipmitool -I lanplus -C 3 -p 623 -U DD -P 0penBmc1 -H x.x.x.x lan print 1
>
> On Fri, Jan 17, 2020 at 11:09 AM Tony Lee (李文富) <mailto:Tony.Lee@quantatw.com> wrote:
> Got it. Another question, at the last two "Verify" steps.
> Can the user run out-of-band IPMI commands with the specified channel?
> (e.g ipmitool -I lanplus -C 3 -p 623 -U YmRBwDUS -P 0penBmc1 -H x.x.x.x -L Administrator sel info 1)
>
> Is there a description or SPEC about it? It doesn't work on my system.
> For example:
> I created a user name DD and gave it different privilege for different channels.
>
> ipmitool user list 1
> ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
> 1   root             false   true       true       ADMINISTRATOR
> ...
> ...
> 6   DD               true    false      false      NO ACCESS
>
> ipmitool user list 2
> ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
> 1   root             false   true       true       ADMINISTRATOR
> ...
> ...
> 6   DD               true    false      true       ADMINISTRATOR
>
> As expected, it should not work if user run out-of-band IPMI commands with the channel 1.
> Howerver it still work.
> $ipmitool -I lanplus -C 3 -p 623 -U DD -P 0penBmc1 -H x.x.x.x sel info 1
>
> SEL Information
> Version          : 1.5 (v1.5, v2 compliant)
> Entries          : 6
> Free Space       : 0 bytes
> Percent Used     : 100%
> Last Add Time    : 01/06/1970 00:13:18
> Last Del Time    : Not Available
> Overflow         : false
> Supported Cmds   : 'Reserve'
>
> Thanks
> Best Regards,
> Tony
>
> From: Rahul Maheshwari <mailto:rahulmaheshwari01@gmail.com>
> Sent: Thursday, January 16, 2020 7:15 PM
> To: Tony Lee (李文富) <mailto:Tony.Lee@quantatw.com>
> Subject: Re: Verify Privilege For Different Channels in openbmc-test-automation
>
> Hi Tony
> These test cases are expected to fail if your system's BMC has only one LAN channel support. In case of your BMC has 2 LAN channel support, then these tests should pass.
>
> Thanks
> Rahul
>
> On Tue, Jan 14, 2020 at 2:52 PM Tony Lee (李文富) <mailto:mailto:Tony.Lee@quantatw.com> wrote:
> Hi Rahul,
>
> I meet with difficulties for the cases "Verify Administrator And No Access Privilege For Different Channels" and
> "Verify Operator And User Privilege For Different Channels" in test_ipmi_user.robot.
>
> Refer to https://github.com/openbmc/openbmc-test-automation/issues/1523
> According to Richard's comment: "Channel command privilege are working as per the channel (but at this point of time this differentiation can't be made due to architecture limitations, but ok to write test case and mark it as failed, rather than skipping the same)"
>
> Are these two cases be expected to fail?
>
> Thanks
> Best Regards,
> Tony

RE: Verify Privilege For Different Channels in openbmc-test-automation

[Tony Lee (李文富)]

> Are you saying that with NoAcess for channel x, you are able to get the IPMI
> response.
Yes.

> please note: -H x.x.x.x  determines, which channel you are trying to
> communicate. Try the other IP address (because not sure, which channel is
> configured to what IP).
This is as I expected!
However, please look at the cases "Verify Administrator And No Access Privilege For Different Channels"
and "Verify Operator And User Privilege For Different Channels" in test_ipmi_user.robot.
For example: case "Verify Administrator And No Access Privilege For Different Channels" at the last two "Verify" steps:
'''
# Verify that user is able to run administrator level IPMI command with channel 1.
Verify IPMI Command  ${random_username}  ${valid_password}  Administrator  1

# Verify that user is unable to run IPMI command with channel 2.
Run IPMI Standard Command  sel info 2  expected_rc=${1}  U=${random_username}  P=${valid_password}
'''

In this case, first, there is only one IP address.
second, I can't find a description or SPEC about command like 
"ipmitool -I lanplus -C 3 -p 623 -U YmRBwDUS -P 0penBmc1 -H x.x.x.x -L Administrator sel info 1"
which mean user is able to run IPMI command with channel 1.

If the method for out-of-band communication using different channels is the same as you described,
do we need to fix these two cases?

> Regards,
> 
> Richard
> 

Re: Verify Privilege For Different Channels in openbmc-test-automation

[Thomaiyar, Richard Marian]

Hi Tony / Rahul,

1. sel info 1  (I don't think sel info can get channel number, as sel is 
not based on channel numbers)

2. user list can be queried through channel number i.e. "user list 1" 
will query user privileges as per channel number 1 and "user list 3" 
will query user privileges as per channel number 3. But it doesn't 
determine the incoming channel number.

i.e. if a system is having 2 LAN Channels, then LAN channel privilege is 
based on the IP address of those channels

say channel 1 is having IP x.y.z.1 & channel 3 is having IP x.y.z.3  and 
channel 3 is with NoAccess

then executing following command will pass

ipmitool -I lanplus -H x.y.z.1 -U root -P 0penBmc user list 1

ipmitool -I lanplus -H x.y.z.1 -U root -P 0penBmc user list 3

Following command execution will fail

ipmitool -I lanplus -H x.y.z.3 -U root -P 0penBmc user list 1 --> will 
fail if channel 3 is with NoAccess privilege for user root

ipmitool -I lanplus -H x.y.z.3 -U root -P 0penBmc user list 1 --> will 
fail if channel 3 is with NoAccess privilege for user root

Please update the test case accordingly.

Regards,

Richard

On 1/21/2020 8:39 AM, Tony Lee (李文富) wrote:
>> Are you saying that with NoAcess for channel x, you are able to get the IPMI
>> response.
> Yes.
>
>> please note: -H x.x.x.x  determines, which channel you are trying to
>> communicate. Try the other IP address (because not sure, which channel is
>> configured to what IP).
> This is as I expected!
> However, please look at the cases "Verify Administrator And No Access Privilege For Different Channels"
> and "Verify Operator And User Privilege For Different Channels" in test_ipmi_user.robot.
> For example: case "Verify Administrator And No Access Privilege For Different Channels" at the last two "Verify" steps:
> '''
> # Verify that user is able to run administrator level IPMI command with channel 1.
> Verify IPMI Command  ${random_username}  ${valid_password}  Administrator  1
>
> # Verify that user is unable to run IPMI command with channel 2.
> Run IPMI Standard Command  sel info 2  expected_rc=${1}  U=${random_username}  P=${valid_password}
> '''
>
> In this case, first, there is only one IP address.
> second, I can't find a description or SPEC about command like
> "ipmitool -I lanplus -C 3 -p 623 -U YmRBwDUS -P 0penBmc1 -H x.x.x.x -L Administrator sel info 1"
> which mean user is able to run IPMI command with channel 1.
>
> If the method for out-of-band communication using different channels is the same as you described,
> do we need to fix these two cases?
>
>> Regards,
>>
>> Richard
>>

Re: Verify Privilege For Different Channels in openbmc-test-automation

[Rahul Maheshwari]

[-- Attachment #1: Type: text/plain, Size: 3138 bytes --]

Thanks Richard for correcting. Yes, there is a need to update this test
case.

Tony
We don't run this test case on our systems as we dont have dual channel
system. Can you fix this test case?

Thanks
Rahul

On Tue, Jan 21, 2020 at 10:29 AM Thomaiyar, Richard Marian <
richard.marian.thomaiyar@linux.intel.com> wrote:

> Hi Tony / Rahul,
>
> 1. sel info 1  (I don't think sel info can get channel number, as sel is
> not based on channel numbers)
>
> 2. user list can be queried through channel number i.e. "user list 1"
> will query user privileges as per channel number 1 and "user list 3"
> will query user privileges as per channel number 3. But it doesn't
> determine the incoming channel number.
>
> i.e. if a system is having 2 LAN Channels, then LAN channel privilege is
> based on the IP address of those channels
>
> say channel 1 is having IP x.y.z.1 & channel 3 is having IP x.y.z.3  and
> channel 3 is with NoAccess
>
> then executing following command will pass
>
> ipmitool -I lanplus -H x.y.z.1 -U root -P 0penBmc user list 1
>
> ipmitool -I lanplus -H x.y.z.1 -U root -P 0penBmc user list 3
>
> Following command execution will fail
>
> ipmitool -I lanplus -H x.y.z.3 -U root -P 0penBmc user list 1 --> will
> fail if channel 3 is with NoAccess privilege for user root
>
> ipmitool -I lanplus -H x.y.z.3 -U root -P 0penBmc user list 1 --> will
> fail if channel 3 is with NoAccess privilege for user root
>
> Please update the test case accordingly.
>
> Regards,
>
> Richard
>
> On 1/21/2020 8:39 AM, Tony Lee (李文富) wrote:
> >> Are you saying that with NoAcess for channel x, you are able to get the
> IPMI
> >> response.
> > Yes.
> >
> >> please note: -H x.x.x.x  determines, which channel you are trying to
> >> communicate. Try the other IP address (because not sure, which channel
> is
> >> configured to what IP).
> > This is as I expected!
> > However, please look at the cases "Verify Administrator And No Access
> Privilege For Different Channels"
> > and "Verify Operator And User Privilege For Different Channels" in
> test_ipmi_user.robot.
> > For example: case "Verify Administrator And No Access Privilege For
> Different Channels" at the last two "Verify" steps:
> > '''
> > # Verify that user is able to run administrator level IPMI command with
> channel 1.
> > Verify IPMI Command  ${random_username}  ${valid_password}
> Administrator  1
> >
> > # Verify that user is unable to run IPMI command with channel 2.
> > Run IPMI Standard Command  sel info 2  expected_rc=${1}
> U=${random_username}  P=${valid_password}
> > '''
> >
> > In this case, first, there is only one IP address.
> > second, I can't find a description or SPEC about command like
> > "ipmitool -I lanplus -C 3 -p 623 -U YmRBwDUS -P 0penBmc1 -H x.x.x.x -L
> Administrator sel info 1"
> > which mean user is able to run IPMI command with channel 1.
> >
> > If the method for out-of-band communication using different channels is
> the same as you described,
> > do we need to fix these two cases?
> >
> >> Regards,
> >>
> >> Richard
> >>
>

[-- Attachment #2: Type: text/html, Size: 3872 bytes --]

RE: Verify Privilege For Different Channels in openbmc-test-automation

[Tony Lee (李文富)]

I'm sorry, we also do not have dual channel system currently.
Once we have, it will be tested and updated for these two test cases.

From: Rahul Maheshwari <rahulmaheshwari01@gmail.com> 
Sent: Tuesday, January 21, 2020 1:21 PM
To: Thomaiyar, Richard Marian <richard.marian.thomaiyar@linux.intel.com>
Cc: Tony Lee (李文富) <Tony.Lee@quantatw.com>; openbmc@lists.ozlabs.org
Subject: Re: Verify Privilege For Different Channels in openbmc-test-automation

Thanks Richard for correcting. Yes, there is a need to update this test case. 

Tony
We don't run this test case on our systems as we dont have dual channel system. Can you fix this test case?

Thanks
Rahul

On Tue, Jan 21, 2020 at 10:29 AM Thomaiyar, Richard Marian <mailto:richard.marian.thomaiyar@linux.intel.com> wrote:
Hi Tony / Rahul,

1. sel info 1  (I don't think sel info can get channel number, as sel is 
not based on channel numbers)

2. user list can be queried through channel number i.e. "user list 1" 
will query user privileges as per channel number 1 and "user list 3" 
will query user privileges as per channel number 3. But it doesn't 
determine the incoming channel number.

i.e. if a system is having 2 LAN Channels, then LAN channel privilege is 
based on the IP address of those channels

say channel 1 is having IP x.y.z.1 & channel 3 is having IP x.y.z.3  and 
channel 3 is with NoAccess

then executing following command will pass

ipmitool -I lanplus -H x.y.z.1 -U root -P 0penBmc user list 1

ipmitool -I lanplus -H x.y.z.1 -U root -P 0penBmc user list 3

Following command execution will fail

ipmitool -I lanplus -H x.y.z.3 -U root -P 0penBmc user list 1 --> will 
fail if channel 3 is with NoAccess privilege for user root

ipmitool -I lanplus -H x.y.z.3 -U root -P 0penBmc user list 1 --> will 
fail if channel 3 is with NoAccess privilege for user root

Please update the test case accordingly.

Regards,

Richard

On 1/21/2020 8:39 AM, Tony Lee (李文富) wrote:
>> Are you saying that with NoAcess for channel x, you are able to get the IPMI
>> response.
> Yes.
>
>> please note: -H x.x.x.x  determines, which channel you are trying to
>> communicate. Try the other IP address (because not sure, which channel is
>> configured to what IP).
> This is as I expected!
> However, please look at the cases "Verify Administrator And No Access Privilege For Different Channels"
> and "Verify Operator And User Privilege For Different Channels" in test_ipmi_user.robot.
> For example: case "Verify Administrator And No Access Privilege For Different Channels" at the last two "Verify" steps:
> '''
> # Verify that user is able to run administrator level IPMI command with channel 1.
> Verify IPMI Command  ${random_username}  ${valid_password}  Administrator  1
>
> # Verify that user is unable to run IPMI command with channel 2.
> Run IPMI Standard Command  sel info 2  expected_rc=${1}  U=${random_username}  P=${valid_password}
> '''
>
> In this case, first, there is only one IP address.
> second, I can't find a description or SPEC about command like
> "ipmitool -I lanplus -C 3 -p 623 -U YmRBwDUS -P 0penBmc1 -H x.x.x.x -L Administrator sel info 1"
> which mean user is able to run IPMI command with channel 1.
>
> If the method for out-of-band communication using different channels is the same as you described,
> do we need to fix these two cases?
>
>> Regards,
>>
>> Richard
>>

Re: Verify Privilege For Different Channels in openbmc-test-automation

[Rahul Maheshwari]

[-- Attachment #1: Type: text/plain, Size: 3756 bytes --]

Sure. Thanks you.

On Tue, Jan 21, 2020 at 2:16 PM Tony Lee (李文富) <Tony.Lee@quantatw.com>
wrote:

> I'm sorry, we also do not have dual channel system currently.
> Once we have, it will be tested and updated for these two test cases.
>
> From: Rahul Maheshwari <rahulmaheshwari01@gmail.com>
> Sent: Tuesday, January 21, 2020 1:21 PM
> To: Thomaiyar, Richard Marian <richard.marian.thomaiyar@linux.intel.com>
> Cc: Tony Lee (李文富) <Tony.Lee@quantatw.com>; openbmc@lists.ozlabs.org
> Subject: Re: Verify Privilege For Different Channels in
> openbmc-test-automation
>
> Thanks Richard for correcting. Yes, there is a need to update this test
> case.
>
> Tony
> We don't run this test case on our systems as we dont have dual channel
> system. Can you fix this test case?
>
> Thanks
> Rahul
>
> On Tue, Jan 21, 2020 at 10:29 AM Thomaiyar, Richard Marian <mailto:
> richard.marian.thomaiyar@linux.intel.com> wrote:
> Hi Tony / Rahul,
>
> 1. sel info 1  (I don't think sel info can get channel number, as sel is
> not based on channel numbers)
>
> 2. user list can be queried through channel number i.e. "user list 1"
> will query user privileges as per channel number 1 and "user list 3"
> will query user privileges as per channel number 3. But it doesn't
> determine the incoming channel number.
>
> i.e. if a system is having 2 LAN Channels, then LAN channel privilege is
> based on the IP address of those channels
>
> say channel 1 is having IP x.y.z.1 & channel 3 is having IP x.y.z.3  and
> channel 3 is with NoAccess
>
> then executing following command will pass
>
> ipmitool -I lanplus -H x.y.z.1 -U root -P 0penBmc user list 1
>
> ipmitool -I lanplus -H x.y.z.1 -U root -P 0penBmc user list 3
>
> Following command execution will fail
>
> ipmitool -I lanplus -H x.y.z.3 -U root -P 0penBmc user list 1 --> will
> fail if channel 3 is with NoAccess privilege for user root
>
> ipmitool -I lanplus -H x.y.z.3 -U root -P 0penBmc user list 1 --> will
> fail if channel 3 is with NoAccess privilege for user root
>
> Please update the test case accordingly.
>
> Regards,
>
> Richard
>
> On 1/21/2020 8:39 AM, Tony Lee (李文富) wrote:
> >> Are you saying that with NoAcess for channel x, you are able to get the
> IPMI
> >> response.
> > Yes.
> >
> >> please note: -H x.x.x.x  determines, which channel you are trying to
> >> communicate. Try the other IP address (because not sure, which channel
> is
> >> configured to what IP).
> > This is as I expected!
> > However, please look at the cases "Verify Administrator And No Access
> Privilege For Different Channels"
> > and "Verify Operator And User Privilege For Different Channels" in
> test_ipmi_user.robot.
> > For example: case "Verify Administrator And No Access Privilege For
> Different Channels" at the last two "Verify" steps:
> > '''
> > # Verify that user is able to run administrator level IPMI command with
> channel 1.
> > Verify IPMI Command  ${random_username}  ${valid_password}
> Administrator  1
> >
> > # Verify that user is unable to run IPMI command with channel 2.
> > Run IPMI Standard Command  sel info 2  expected_rc=${1}
> U=${random_username}  P=${valid_password}
> > '''
> >
> > In this case, first, there is only one IP address.
> > second, I can't find a description or SPEC about command like
> > "ipmitool -I lanplus -C 3 -p 623 -U YmRBwDUS -P 0penBmc1 -H x.x.x.x -L
> Administrator sel info 1"
> > which mean user is able to run IPMI command with channel 1.
> >
> > If the method for out-of-band communication using different channels is
> the same as you described,
> > do we need to fix these two cases?
> >
> >> Regards,
> >>
> >> Richard
> >>
>

[-- Attachment #2: Type: text/html, Size: 4811 bytes --]