* Redfish: Design User authorization.
@ 2019-02-25 13:41 Ratan Gupta
  2019-02-25 17:12 ` Tanous, Ed
  0 siblings, 1 reply; 3+ messages in thread
From: Ratan Gupta @ 2019-02-25 13:41 UTC (permalink / raw)
  To: openbmc, ed.tanous

Hi Ed,

This mail is regarding the authorization support on Redfish.

In Redfish we have two types of privilege.

1) User Privilege

Redfish Authorization uses Roles and Privileges to control which users have what access to resources.

We can have a static mapping of Roles and assigned privileges:
      Role = "Administrator"
           Privileges = Login, ConfigureManager, ConfigureUsers, ConfigureComponents, ConfigureSelf
      Role = "Operator"
           Privileges = Login, ConfigureComponents, ConfigureSelf
      Role = "ReadOnly"
           Privileges = Login, ConfigureSelf

Currently in phosphor-user-manager all the default Roles/Privileges are hardcoded.

We need to map the privilege name/Role to the RoleName of Redfish.
A static mapping is needed in the Redfish code for the same.

    e.g. priv-admin = Administrator.

Once we have the above mapping ready we will add the user role in the session object itself during creation of the session.
We can get the user role/privilege by calling the D-Bus method on phosphor-user-manager.
Gerrit commit is up for the same.


2) Entity privilege => (Operation to Privilege) mapping

    Currently each Redfish node has the entity privilege structure, which is supposed to be consumed when the Redfish request is received by the Redfish node class.
    In the dispatchRequest function of node.hpp:
     => Check what the entity privilege is
     => Check what the user privilege is
     => If the user has that privilege then allow the request, otherwise not.

     Eg: If a PATCH operation is performed on the Account Service and the entity privilege for the Account Service PATCH operation is "ConfigureUsers" and the User Role which we get from the session request has the same privilege, then allow the operation.

I can see that in the current Redfish code User Privileges are hardcoded and it is allowing all users to do any operation.

Can I get your feedback on the same?

Ratan


* RE: Redfish: Design User authorization.
  2019-02-25 13:41 Redfish: Design User authorization Ratan Gupta
@ 2019-02-25 17:12 ` Tanous, Ed
  2019-02-26  3:39   ` Ratan Gupta
  0 siblings, 1 reply; 3+ messages in thread
From: Tanous, Ed @ 2019-02-25 17:12 UTC (permalink / raw)
  To: Ratan Gupta, openbmc

>
> Hi Ed,
> 
> This mail is regarding the authorization support on Redfish.
> 

Thanks for pushing forward on this.  I think the best first step would be to review the patchset that's already in progress that's adding some infrastructure to do a lot of the things you're proposing.  If you're proposing an alternative approach to the existing review, and I misunderstood, apologies.

https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/15813

I suspect the questions we need to answer are:
1. How do we determine a user's role?
2. Given that privilege is required to service every request, do we need to cache it, or can we go to dbus for every request?
3. How is the cache invalidated?

I think the bulk of the implementation will be filling out the method here:
https://github.com/openbmc/bmcweb/blob/a24526dcf9ad8de2f0bd9dbd5fc746a130351a22/redfish-core/include/privileges.hpp#L229

And moving roles away from the static implementation, as you've already determined.

Do you have any intention to implement PrivilegeRegistry?

Looking forward to seeing your work here.

-Ed


* Re: Redfish: Design User authorization.
  2019-02-25 17:12 ` Tanous, Ed
@ 2019-02-26  3:39   ` Ratan Gupta
  0 siblings, 0 replies; 3+ messages in thread
From: Ratan Gupta @ 2019-02-26  3:39 UTC (permalink / raw)
  To: Tanous, Ed, openbmc


Hi Ed,

Please find my responses

Ratan


On 25/02/19 10:42 PM, Tanous, Ed wrote:
>> Hi Ed,
>>
>> This mail is regarding the authorization support on Redfish.
>>
> Thanks for pushing forward on this.  I think the best first step would be to review the patchset that's already in progress that's adding some infrastructure to do a lot of the things you're proposing.  If you're proposing an alternative approach than the existing review, and I misunderstood, apologies.
>
> https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/15813
>
> I suspect the questions we need to answer are:
> 1. How do we determine a user's role?
We can get the user role/privilege by calling the D-Bus method on phosphor-user-manager.

Gerrit commit is up for the same.

https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-user-manager/+/18132/

> 2. Given that privilege is required to service every request, do we need to cache it, or can we go to dbus for every request?
Once we get the user role/privilege, we will add the user role in the session object itself during creation of the session, so there is no need to make a D-Bus call for every request.

> 3. How is the cache invalidated?
Session would be invalidated during logout or session timeout.
>
> I think the bulk of the implementation will be filling out the method here:
> https://github.com/openbmc/bmcweb/blob/a24526dcf9ad8de2f0bd9dbd5fc746a130351a22/redfish-core/include/privileges.hpp#L229
>
> And moving roles away from the static implementation, as you've already determined.
>
> Do you have any intention to implement PrivilegeRegistry?
No, the intention is to call the get User Info function and add the User role into the session, so for each HTTP request we know the user privilege and can compare it with the entity privilege.
>
> Looking forward to seeing your work here.
>
> -Ed

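An added illustration, not bmcweb's or phosphor-user-manager's own code, of the design discussed in this thread: the static Role -> Privileges table and the priv-admin = Administrator mapping from the first mail, the role cached in the session object at creation (the point made in the reply above), and the per-request entity-privilege check a dispatchRequest-style hook would perform. The struct and function names are assumptions; the D-Bus lookup is replaced by a plain string input.

```cpp
// Added example (not bmcweb code). Names are hypothetical.
#include <map>
#include <set>
#include <string>

using Privileges = std::set<std::string>;

// Static Role -> assigned privileges mapping, as listed in the design mail.
const std::map<std::string, Privileges>& rolePrivileges() {
    static const std::map<std::string, Privileges> table = {
        {"Administrator", {"Login", "ConfigureManager", "ConfigureUsers",
                           "ConfigureComponents", "ConfigureSelf"}},
        {"Operator", {"Login", "ConfigureComponents", "ConfigureSelf"}},
        {"ReadOnly", {"Login", "ConfigureSelf"}},
    };
    return table;
}

// phosphor-user-manager privilege name -> Redfish RoleName. The mail gives
// only priv-admin = Administrator; anything else maps to "no role".
std::string redfishRoleFor(const std::string& userMgrPriv) {
    static const std::map<std::string, std::string> m = {
        {"priv-admin", "Administrator"},
    };
    auto it = m.find(userMgrPriv);
    return it == m.end() ? std::string() : it->second;
}

// Session object: the role is resolved once at login (the D-Bus call to
// phosphor-user-manager is replaced by the userMgrPriv argument here) and
// cached for the lifetime of the session, so no per-request D-Bus call.
struct Session {
    std::string user;
    std::string role;  // Redfish RoleName, empty if unmapped
};

Session createSession(const std::string& user, const std::string& userMgrPriv) {
    return Session{user, redfishRoleFor(userMgrPriv)};
}

// The dispatchRequest check: every privilege the entity requires for this
// operation must be held by the session's role; an unknown role is denied.
bool isAllowed(const Session& s, const Privileges& entityPrivileges) {
    auto it = rolePrivileges().find(s.role);
    if (it == rolePrivileges().end()) return false;
    for (const std::string& p : entityPrivileges)
        if (!it->second.count(p)) return false;
    return true;
}
```

For the PATCH-on-AccountService case from the first mail, `isAllowed(createSession("root", "priv-admin"), Privileges{"ConfigureUsers"})` is true, while a session whose role is "ReadOnly" or unmapped is denied.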
