* Enhance Redfish to allow IPMI users
@ 2020-09-15 19:38 Joseph Reynolds
  2020-09-16 15:54 ` Thomaiyar, Richard Marian
  0 siblings, 1 reply; 2+ messages in thread
From: Joseph Reynolds @ 2020-09-15 19:38 UTC (permalink / raw)
  To: openbmc, Thomaiyar, Richard Marian


I am working on a new feature so the BMC admin can use Redfish 
operations to allow or deny specific users to use the BMC's network IPMI 
interface.
The goal is to be able to configure the BMC out of the box with no users 
authorized to use the IPMI network service, and then as needed enable 
network IPMI and allow specific users to use that service.

The direction for this seems to be adding the IPMI enum to the 
ManagerAccount AccountTypes array.
https://redfishforum.com/thread/219/account-groups-property?page=1&scrollTo=1289

If we had this, the BMC admin could allow someuser to use IPMI like 
this: PATCH /redfish/v1/AccountService/Account/someuser with 
{AccountTypes: [...,IPMI,...]} and possibly also changing the password.

Would this work with OpenBMC phosphor user management?  The forum thread 
has additional considerations.  Will the IPMI maintainers please comment 
here or on the forum?

- Joseph


* Re: Enhance Redfish to allow IPMI users
  2020-09-15 19:38 Enhance Redfish to allow IPMI users Joseph Reynolds
@ 2020-09-16 15:54 ` Thomaiyar, Richard Marian
  0 siblings, 0 replies; 2+ messages in thread
From: Thomaiyar, Richard Marian @ 2020-09-16 15:54 UTC (permalink / raw)
  To: Joseph Reynolds, openbmc

Hi Joseph,

Yes, phosphor-user-management supports the same, i.e. users can be 
created with different groups and they can also change group after 
creation; password restrictions apply accordingly.

IPMI doesn't have OEM commands for this, but how about adding 
community-based OEM commands to support these in IPMI as well, along 
with Redfish enhancements? Vernon / Tom?

Note: One of the problems we still need to solve is how to deploy user 
accounts out of the box. Current solutions are:

1. Default user account built in with common password (security 
concern) / unique password (still some concerns)

2. Deploy with no default user account in BMC. First user will be 
created through host interface (BIOS setup option), through host IPMI 
(again some concerns here).

#2 can't work directly on Redfish as we don't have a host interface 
communicating to Redfish, and the current concern of the WG is that it 
still requires an authentication mechanism for deployment.

Regards,

Richard

On 9/16/2020 1:08 AM, Joseph Reynolds wrote:
>
> I am working on a new feature so the BMC admin can use Redfish 
> operations to allow or deny specific users to use the BMC's network 
> IPMI interface.
> The goal is to be able to configure the BMC out of the box with no 
> users authorized to use the IPMI network service, and then as needed 
> enable network IPMI and allow specific users to use that service.
>
<Richard> : This can be achieved even today, by having IPMI network 
service disabled by default, and then enabling it through 
ManagerNetworkProtocol (IPMI) in Redfish (irrespective of user account 
group restrictions).
> The direction for this seems to be adding the IPMI enum to the 
> ManagerAccount AccountTypes array.
> https://redfishforum.com/thread/219/account-groups-property?page=1&scrollTo=1289 
>
>
> If we had this, the BMC admin could allow someuser to use IPMI like 
> this: PATCH /redfish/v1/AccountService/Account/someuser with 
> {AccountTypes: [...,IPMI,...]} and possibly also changing the password.
>
> Would this work with OpenBMC phosphor user management?  The forum 
> thread has additional considerations.  Will the IPMI maintainers 
> please comment here or on the forum?
>
> - Joseph
>
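
The two controls discussed in this thread, the service-wide IPMI switch in ManagerNetworkProtocol and the per-user IPMI entry in AccountTypes, can be audited together. The following is an added example, not code from either poster or from OpenBMC. It assumes a BMC that implements the AccountTypes IPMI value as proposed above; the resource snippets are constructed sample data and the function names are hypothetical.

```python
import json

# Constructed sample data shaped like Redfish resources; not from a real BMC.
NETWORK_PROTOCOL = {"IPMI": {"ProtocolEnabled": True, "Port": 623}}
ACCOUNTS = [
    {"UserName": "admin", "Enabled": True, "AccountTypes": ["Redfish", "IPMI"]},
    {"UserName": "someuser", "Enabled": True, "AccountTypes": ["Redfish"]},
    {"UserName": "olduser", "Enabled": False, "AccountTypes": ["Redfish", "IPMI"]},
]


def ipmi_capable_users(protocol, accounts):
    """Users who can log in over network IPMI given both controls."""
    if not protocol.get("IPMI", {}).get("ProtocolEnabled", False):
        return []  # service disabled: nobody, whatever the accounts say
    return sorted(a["UserName"] for a in accounts
                  if a.get("Enabled", False) and "IPMI" in a.get("AccountTypes", []))


def plan_patches(accounts, allowed):
    """PATCH bodies that make 'IPMI' in AccountTypes match the allow-list.

    Returns {username: body}; accounts already in the desired state are
    skipped. The full array is sent so the other account types are kept.
    """
    patches = {}
    for acct in accounts:
        current = list(acct.get("AccountTypes", []))
        wanted = [t for t in current if t != "IPMI"]
        if acct["UserName"] in allowed:
            wanted.append("IPMI")
        if sorted(wanted) != sorted(current):
            patches[acct["UserName"]] = {"AccountTypes": wanted}
    return patches


if __name__ == "__main__":
    print("IPMI-capable now:", ipmi_capable_users(NETWORK_PROTOCOL, ACCOUNTS))
    for user, body in plan_patches(ACCOUNTS, allowed={"someuser"}).items():
        print("PATCH account", user, json.dumps(body))
```

A disabled account that still lists IPMI (olduser here) does not appear in the capable list but does get a removal PATCH, so re-enabling it later does not silently restore IPMI access.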
