* Redfish: Design User authorization.
@ 2019-02-25 13:41 Ratan Gupta
2019-02-25 17:12 ` Tanous, Ed
0 siblings, 1 reply; 3+ messages in thread
From: Ratan Gupta @ 2019-02-25 13:41 UTC (permalink / raw)
To: openbmc, ed.tanous
Hi Ed,
This mail is regarding the authorization support on Redfish.
In Redfish we have two types of privilege.
1) User Privilege
Redfish Authorization uses Roles and Privileges to control which users have what access to resources.
We can have a static mapping of Roles and assigned privileges:
Role = "Administrator"
Privileges = Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf
Role = "Operator"
Privileges = Login, ConfigureComponents, ConfigureSelf
Role = "ReadOnly"
Privileges = Login, ConfigureSelf
Currently in phosphor-user-manager all the default Roles/Privileges are hardcoded.
We need to map the privilege name/Role to the RoleName of Redfish.
Static mapping is needed in the Redfish code for the same,
e.g. priv-admin = Administrator.
Once we have the above mapping ready we will add the user role in the session object itself during creation of the session.
We can get the user role/privilege by calling the D-bus method on phosphor-user-manager.
Gerrit commit is up for the same.
2) Entity privilege => (Operation to Privilege) mapping
Currently each Redfish node has the entity privilege structure, which is supposed to be consumed when the Redfish request is received by the Redfish node class.
In the dispatchRequest function of node.hpp:
=> Check what the entity privilege is
=> Check what the user privilege is
=> If the user has that privilege then allow the request, otherwise not.
E.g.: If a PATCH operation is performed on the Account Service, and the entity privilege for the Account Service PATCH operation is "ConfigureUsers", and the User Role which we get from the session request has the same privilege, then allow the operation.
I can see that in the current Redfish code User Privileges is hardcoded and it is allowing all users to do any operation.
Can I get your feedback on the same?
Ratan
^ permalink raw reply [flat|nested] 3+ messages in thread
* RE: Redfish: Design User authorization.
2019-02-25 13:41 Redfish: Design User authorization Ratan Gupta
@ 2019-02-25 17:12 ` Tanous, Ed
2019-02-26 3:39 ` Ratan Gupta
0 siblings, 1 reply; 3+ messages in thread
From: Tanous, Ed @ 2019-02-25 17:12 UTC (permalink / raw)
To: Ratan Gupta, openbmc
>
> Hi Ed,
>
> This mail is regarding the authorization support on Redfish.
>
Thanks for pushing forward on this. I think the best first step would be to review the patchset that's already in progress that's adding some infrastructure to do a lot of the things you're proposing. If you're proposing an alternative approach to the existing review, and I misunderstood, apologies.
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/15813
I suspect the questions we need to answer are:
1. How do we determine a user's role?
2. Given that privilege is required to service every request, do we need to cache it, or can we go to dbus for every request?
3. How is the cache invalidated?
I think the bulk of the implementation will be filling out the method here:
https://github.com/openbmc/bmcweb/blob/a24526dcf9ad8de2f0bd9dbd5fc746a130351a22/redfish-core/include/privileges.hpp#L229
And moving roles away from the static implementation, as you've already determined.
Do you have any intention to implement PrivilegeRegistry?
Looking forward to seeing your work here.
-Ed
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Redfish: Design User authorization.
2019-02-25 17:12 ` Tanous, Ed
@ 2019-02-26 3:39 ` Ratan Gupta
0 siblings, 0 replies; 3+ messages in thread
From: Ratan Gupta @ 2019-02-26 3:39 UTC (permalink / raw)
To: Tanous, Ed, openbmc
Hi Ed,
Please find my responses
Ratan
On 25/02/19 10:42 PM, Tanous, Ed wrote:
>> Hi Ed,
>>
>> This mail is regarding the authorization support on Redfish.
>>
> Thanks for pushing forward on this. I think the best first step would be to review the patchset that's already in progress that's adding some infrastructure to do a lot of the things you're proposing. If you're proposing an alternative approach to the existing review, and I misunderstood, apologies.
>
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/15813
>
> I suspect the questions we need to answer are:
> 1. How do we determine a user's role?
We can get the user role/privilege by calling the D-bus method on phosphor-user-manager.
Gerrit commit is up for the same.
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-user-manager/+/18132/
> 2. Given that privilege is required to service every request, do we need to cache it, or can we go to dbus for every request?
Once we get the user role/privilege, we will add the user role in the session object itself during creation of the session, so there is no need to make a D-bus call for every request.
> 3. How is the cache invalidated?
Session would be invalidated during logout or session timeout.
>
> I think the bulk of the implementation will be filling out the method here:
> https://github.com/openbmc/bmcweb/blob/a24526dcf9ad8de2f0bd9dbd5fc746a130351a22/redfish-core/include/privileges.hpp#L229
>
> And moving roles away from the static implementation, as you've already determined.
>
> Do you have any intention to implement PrivilegeRegistry?
No, the intention is to call the get User Info function and add the User
role into the session, so for each HTTP request we know the user
privilege and compare it with the entity privilege.
>
> Looking forward to seeing your work here.
>
> -Ed
^ permalink raw reply [flat|nested] 3+ messages in thread
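The check described in the first message, combined with the session-cached role from the last reply, as an added example that is not bmcweb's or phosphor-user-manager's code. The `Session` struct, function names, the `priv-operator` and `priv-user` entries and the GET rule are assumptions; the role table, `priv-admin` and the PATCH rule come from the thread. Unknown roles and unlisted methods are denied.

```cpp
#include <map>
#include <string>
#include <vector>

// Redfish privileges named in the thread, as bit flags.
enum Priv : unsigned { Login = 1, ConfigureManager = 2, ConfigureUsers = 4,
                       ConfigureComponents = 8, ConfigureSelf = 16 };
// Static Role -> Privileges mapping as listed in the first message.
static const std::map<std::string, unsigned> kRolePrivs = {
    {"Administrator", Login | ConfigureManager | ConfigureUsers |
                          ConfigureComponents | ConfigureSelf},
    {"Operator", Login | ConfigureComponents | ConfigureSelf},
    {"ReadOnly", Login | ConfigureSelf}};
// User-manager privilege name -> Redfish role. Only priv-admin is given in
// the thread; the other two entries are assumptions for this example.
static const std::map<std::string, std::string> kPrivToRole = {
    {"priv-admin", "Administrator"}, {"priv-operator", "Operator"},
    {"priv-user", "ReadOnly"}};

// Hypothetical session object: privileges are resolved once, at creation.
struct Session { std::string user; unsigned privs; };

Session createSession(const std::string& user, const std::string& privName) {
    Session s{user, 0};  // unknown name or role: no privileges (default deny)
    auto p = kPrivToRole.find(privName);
    if (p == kPrivToRole.end()) return s;
    auto r = kRolePrivs.find(p->second);
    if (r != kRolePrivs.end()) s.privs = r->second;
    return s;
}

// Entity privilege of one node: HTTP method -> alternative privilege sets.
using EntityPrivileges = std::map<std::string, std::vector<unsigned>>;
// Allow only if the session holds every bit of at least one listed set.
bool isAllowed(const Session& s, const EntityPrivileges& ep,
               const std::string& method) {
    auto it = ep.find(method);
    if (it == ep.end()) return false;  // method not listed: deny
    for (unsigned required : it->second)
        if (required != 0 && (s.privs & required) == required) return true;
    return false;  // an empty set never grants access
}

// Account Service: PATCH -> ConfigureUsers is from the thread; GET is assumed.
static const EntityPrivileges kAccountService = {
    {"GET", {Login}}, {"PATCH", {ConfigureUsers}}};

int main() {  // exits 0 when an Operator session is refused the PATCH
    Session op = createSession("op", "priv-operator");
    return isAllowed(op, kAccountService, "PATCH") ? 1 : 0;
}
```

Because the privileges are copied into the session at creation, a later role change in the user manager only takes effect for that user once the session ends (logout or timeout), which is the cache lifetime stated in the reply.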