* bmcweb - Redfish - Fix Privilege
@ 2021-08-11 1:15 Abhishek Patel
From: Abhishek Patel @ 2021-08-11 1:15 UTC
To: openbmc

Redfish defines a PrivilegeRegistry
(https://redfish.dmtf.org/registries/Redfish_1.1.0_PrivilegeRegistry.json).
This Privilege Registry defines which privilege(s) are needed to access
the URI. There was work here by Ed to have bmcweb automatically use this
PrivilegeRegistry,
https://github.com/openbmc/bmcweb/commit/ed3982131dcef2b499da36e674d2d21b2289ef29.
The commits below change bmcweb to match the PrivilegeRegistry. They
include two breaking Operator role changes (3 and 4).

1) Fix Log_services privileges
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45125
This change allows Admin, Operator, and Readonly users to access
Crashdump data and related entries. Before this change, only an admin
role user could access Crashdump data and related entries (LogService,
LogEntryCollection, and LogEntry). Operator users only had access to log
entries (LogEntry).

2) Fix BIOS privileges
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45470
This change allows Admin and Operator users to reset BIOS. Before this
change, only an admin role user had that privilege.

*Note:* Changes 1) and 2) above are backward compatible because they
do not restrict any original user from access.

3) Fix certificate_service privileges
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45470
This change allows only Admin users to generate CSR certificates and
restricts Operator users.

4) Fix Ethernet privileges
https://gerrit.openbmc-project.xyz/c/openbmc/bmcweb/+/45469
This change allows only Admin users to post, patch, and delete on VLAN
Network Interface Collection and restricts Operator users. Same for the
EthernetInterfaces patch method.

*Note:* Changes 3) and 4) above are *not* *backward compatible* because
they restrict the Operator user's abilities. Does this break anyone? Is
anyone opposed to these changes?
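
The backward-compatibility distinction drawn in the two notes can be checked mechanically by resolving each operation's required privileges to the set of roles that satisfy them, before and after a change. This is an added example, not part of the original message or of bmcweb. The role-to-privilege sets are the standard Redfish predefined roles; the BEFORE/AFTER maps, the entity names used as keys, and the privilege labels in them are constructed to reproduce the role sets the message describes, not taken from the registry or the commits.

```python
# Standard Redfish predefined roles and their assigned privileges.
ROLES = {
    "Administrator": {"Login", "ConfigureManager", "ConfigureUsers",
                      "ConfigureSelf", "ConfigureComponents"},
    "Operator": {"Login", "ConfigureSelf", "ConfigureComponents"},
    "ReadOnly": {"Login", "ConfigureSelf"},
}

def allowed(role_privs, requirement):
    """OperationMap semantics: entries in the list are OR'd,
    privilege labels inside one entry are AND'd."""
    return any(set(entry["Privilege"]) <= role_privs for entry in requirement)

def roles_allowed(requirement):
    return {role for role, privs in ROLES.items() if allowed(privs, requirement)}

def compare(before, after):
    """Map each changed (entity, method) to (roles losing, roles gaining) access."""
    changes = {}
    for key in sorted(set(before) | set(after)):
        old = roles_allowed(before.get(key, []))
        new = roles_allowed(after.get(key, []))
        if old != new:
            changes[key] = (old - new, new - old)
    return changes

def breaking(before, after):
    """A change is breaking when any role loses access it had before."""
    return sorted(k for k, (lost, _) in compare(before, after).items() if lost)

# Constructed sample: labels chosen only to yield the role sets in the message.
BEFORE = {
    ("LogService", "GET"): [{"Privilege": ["ConfigureManager"]}],
    ("Bios", "POST"): [{"Privilege": ["ConfigureManager"]}],
    ("CertificateService", "POST"): [{"Privilege": ["ConfigureComponents"]}],
    ("EthernetInterface", "PATCH"): [{"Privilege": ["ConfigureComponents"]}],
}
AFTER = {
    ("LogService", "GET"): [{"Privilege": ["Login"]}],
    ("Bios", "POST"): [{"Privilege": ["ConfigureManager"]},
                       {"Privilege": ["ConfigureComponents"]}],
    ("CertificateService", "POST"): [{"Privilege": ["ConfigureManager"]}],
    ("EthernetInterface", "PATCH"): [{"Privilege": ["ConfigureManager"]}],
}

if __name__ == "__main__":
    for key, (lost, gained) in compare(BEFORE, AFTER).items():
        print(key, "lost:", sorted(lost), "gained:", sorted(gained))
    print("breaking:", breaking(BEFORE, AFTER))
```

Running the same comparison over the real registry mappings and a deployment's actual role assignments shows which accounts would lose access before such a change is merged.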