From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: ** X-Spam-Status: No, score=2.6 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE, HTML_MIME_NO_HTML_TAG,MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,MIME_HTML_ONLY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 68B54C4338F for ; Tue, 10 Aug 2021 18:45:06 +0000 (UTC) Received: from lists.ozlabs.org (lists.ozlabs.org [112.213.38.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id A9F4E60E9B for ; Tue, 10 Aug 2021 18:45:05 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org A9F4E60E9B Authentication-Results: mail.kernel.org; dmarc=fail (p=none dis=none) header.from=ibm.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=lists.ozlabs.org Received: from boromir.ozlabs.org (localhost [IPv6:::1]) by lists.ozlabs.org (Postfix) with ESMTP id 4Gkhhb6rdDz3bT9 for ; Wed, 11 Aug 2021 04:45:03 +1000 (AEST) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256 header.s=pp1 header.b=GH8V1Brq; dkim-atps=neutral Authentication-Results: lists.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=ibm.com (client-ip=148.163.158.5; helo=mx0b-001b2d01.pphosted.com; envelope-from=abhishek.patel@ibm.com; receiver=) Authentication-Results: lists.ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=ibm.com header.i=@ibm.com header.a=rsa-sha256 header.s=pp1 header.b=GH8V1Brq; dkim-atps=neutral Received: from mx0b-001b2d01.pphosted.com (mx0b-001b2d01.pphosted.com [148.163.158.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by lists.ozlabs.org (Postfix) with ESMTPS id 4Gkhgl1Gdmz2yXW for ; Wed, 11 Aug 2021 04:44:18 +1000 (AEST) Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.43/8.16.0.43) with SMTP id 17AIiBLI032150 for ; Tue, 10 Aug 2021 14:44:14 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ibm.com; h=in-reply-to : subject : from : to : date : message-id : content-transfer-encoding : content-type : references : mime-version; s=pp1; bh=vUXPJsv748CZdaYassTdSi2GYzhBxZJtLZiZpKWcTpk=; b=GH8V1BrqgOlT0KgT1KxU9Iiyx5dPKWitLHwUVaDfh81+mSx7MqEEBcAA96xQe8oLNkbC lsZkYRvKP22qcdUDqLqTWUbxOWlwWE35pbeU4gPfJgKd1EbYk0kcKoOuEB+wLQD8D1u1 bTayRijoFgRcphB8ViW50ZAKAVTnayVgyEpKffcWDj1YDIPB5XFTGPJ7ft3iXKJxHTCf +Hiy3GbO0jXpLZlc1lgafAnLGVb0MMbLXKnPalhEbxo5rMtz2KyV96oSmeVQvHwE5404 POac7xy2KLeBhhMjnY1koIViOWhWu525PmUKEUqe1ewNh22HRjWcuCZQBPwBjSSdsusE GA== Received: from ppma02wdc.us.ibm.com (aa.5b.37a9.ip4.static.sl-reverse.com [169.55.91.170]) by mx0a-001b2d01.pphosted.com with ESMTP id 3abt970p2a-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 10 Aug 2021 14:44:12 -0400 Received: from pps.filterd (ppma02wdc.us.ibm.com [127.0.0.1]) by ppma02wdc.us.ibm.com (8.16.1.2/8.16.1.2) with SMTP id 17AIhQIN014670 for ; Tue, 10 Aug 2021 18:44:01 GMT Received: from b01cxnp22033.gho.pok.ibm.com (b01cxnp22033.gho.pok.ibm.com [9.57.198.23]) by ppma02wdc.us.ibm.com with ESMTP id 3aapjabsn9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Tue, 10 Aug 2021 18:44:01 +0000 Received: from b01ledav006.gho.pok.ibm.com (b01ledav006.gho.pok.ibm.com [9.57.199.111]) by b01cxnp22033.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id 17AIi0UT20644250 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Tue, 10 Aug 2021 18:44:00 GMT Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id AF2E4AC077 for ; Tue, 10 Aug 2021 18:44:00 +0000 (GMT) Received: from b01ledav006.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 823F8AC069 for ; Tue, 10 Aug 2021 18:44:00 +0000 (GMT) Received: from mww0571.wdc07m.mail.ibm.com (unknown [9.208.0.95]) by b01ledav006.gho.pok.ibm.com (Postfix) with ESMTPS for ; Tue, 10 Aug 2021 18:44:00 +0000 (GMT) In-Reply-To: Subject: bmcweb - Redfish - Fix permissions From: "Abhishek Patel" To: openbmc@lists.ozlabs.org Date: Tue, 10 Aug 2021 18:43:58 +0000 Message-ID: Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=UTF-8 Sensitivity: References: MIME-Version: 1.0 Importance: Normal X-Priority: 3 (Normal) X-Mailer: Lotus Domino Web Server Release 11.0.1FP2HF97 July 2, 2021 X-MIMETrack: Serialize by http on MWW0571/01/M/IBM at 08/10/2021 18:43:58, Serialize complete at 08/10/2021 18:43:58 X-KeepSent: B17B0ACB:6D25FB91-0025872D:006672CB; name=$KeepSent; type=4 X-Disclaimed: 29831 X-TM-AS-GCONF: 00 X-Proofpoint-ORIG-GUID: 2NHcpFCGJwocEg3GxEw2RK536AU_4HkJ X-Proofpoint-GUID: 2NHcpFCGJwocEg3GxEw2RK536AU_4HkJ X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.790 definitions=2021-08-10_08:2021-08-10, 2021-08-10 signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 suspectscore=0 adultscore=0 priorityscore=1501 impostorscore=0 mlxlogscore=465 malwarescore=0 mlxscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2107140000 definitions=main-2108100121 X-BeenThere: openbmc@lists.ozlabs.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Development list for OpenBMC List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openbmc-bounces+openbmc=archiver.kernel.org@lists.ozlabs.org Sender: "openbmc"

Red= fish defines a PrivilegeRegistry (https://redfish.= dmtf.org/registries/Redfish=5F1.1.0=5FPrivilegeRegistry.json<= /a>). This Pr= ivilege Registry defines which privilege(s) are needed to access the URI. T= here was work here by Ed to have bmcweb automatically use this PrivilegeReg= istry, https://github.com/openbmc/bmcweb/commit/ed39821= 31dcef2b499da36e674d2d21b2289ef29. The commits below change bmcweb to = match the PrivilegeRegistry. They include two breaking Operator role change= s (3 and 4).

1) Fix Log=5Fservices privileges

https://gerrit.openbmc-project.xyz/c/openbmc/= bmcweb/+/45125

This change allows Admin, Operator, and Read= only users to access Crashdump data and related entries. Before this change= , only an admin role user could access Crashdump data and related entries (= LogService, LogEntryCollection, and LogEntry). Operator users only had = ;access to log entries(LogEntry).

2) Fix BIOS privileges<= /span>

https://gerrit.openbmc-project.xyz/c/openbmc/= bmcweb/+/45470

This change allows Admin and operator users = to Reset bios. Before this change, only an admin role user had that privile= ge.

Note: Above 1) a= nd 2) changes are backward compatible because that change does not restrict= any original user from access.

3) Fix certificate=5Fservice privileges

https://gerrit.openbmc-project.xyz/c/openbmc/= bmcweb/+/45470

This change allows only Admin users to Gener= ate CSR certificates and restrict Operator users.

4) Fix Ethernet privileges

https://gerrit.openbmc-project.xyz/c/openbmc/= bmcweb/+/45469

T= his change allows only Admin users= to post, patch, and delete on VLAN Network Interface Collection and = restrict Operator users. Same for the EthernetInterfaces patch method.

Note: Above 3) a= nd 4) change are not backward compat= ible because it restricts Operator user from its ability. Do= es this break anyone? Is anyone opposed to these changes?