DMTF / Redfish-Usecase-Checkers

This is a collection of python3 tools to exercise and validate common use cases for Redfish

cannot fully delete user from Dell PowerEdge #41

Closed cb371j closed 4 years ago

cb371j commented 4 years ago

account_manager.py and rf_accounts.py do not completely remove the user with delete; they only remove the name.

root@testingvm:/usr/local/bin# python3 rf_accounts.py -u root -p mypassword -r https://172.26.15.212

Name     | Role          | Locked | Enabled
root     | Administrator | False  | True
         | Operator      | False  | True
         | Administrator | False  | True
         | Administrator | False  | True
         | Administrator | False  | True
         | Administrator | False  | True
         | Operator      | False  | True
         | Operator      | False  | True
testuser | Operator      | False  | True

root@testingvm:/usr/local/bin# rf_accounts.py -u root -p mypassword -r https://172.26.15.212 -delete testuser
Deleting user 'testuser'
Traceback (most recent call last):
  File "/usr/local/bin/rf_accounts.py", line 45, in <module>
    redfish_utilities.delete_user( redfish_obj, args.delete )

root@testingvm:/usr/local/bin# python3 rf_accounts.py -u root -p mypassword -r https://172.26.15.212

Name     | Role          | Locked | Enabled
root     | Administrator | False  | True
         | Operator      | False  | True
         | Administrator | False  | True
         | Administrator | False  | True
         | Administrator | False  | True
         | Administrator | False  | True
         | Operator      | False  | True
         | Operator      | False  | True

"TestResults": {
    "User Count": {
        "pass": 1,
        "fail": 0,
        "skip": 0
    },
    "Add User": {
        "pass": 2,
        "fail": 0,
        "skip": 0
    },
    "Credential Check": {
        "pass": 2,
        "fail": 0,
        "skip": 0
    },
    "Change Role": {
        "pass": 6,
        "fail": 0,
        "skip": 0
    },
    "Delete User": {
        "pass": 0,
        "fail": 1,
        "skip": 0
    },
    "ErrorMessages": [
        "Delete User: Failed to delete user 'alice73t'"
    ]
}

mraineri commented 4 years ago

Is there further trace information from when you did the delete, or did it stop at "redfish_utilities.delete_user( redfish_obj, args.delete )"?

I know some implementations don't actually allow the account resources themselves to be deleted, and instead they pre-provision "account slots" to maintain compatibility with IPMI. But the lower level tools should be detecting this and clearing the user account (in addition to disabling the user), but it looks like it's not disabling anything.

billdodd commented 4 years ago

The behavior of clearing the Name property on delete for the Dell PowerEdge services is expected. Some Redfish services (including Dell PowerEdge) have a fixed set of account slots and accounts are added by setting the Name property and deleted by clearing the Name.

See this code:

https://github.com/DMTF/Redfish-Tacklebox/blob/20bb321ca8f4f8b80e4fee165e77d91ccd2ab39d/redfish_utilities/accounts.py#L133-L139

However, you seem to be getting an exception when trying to do the delete operation:

root@testingvm:/usr/local/bin# rf_accounts.py -u root -p mypassword -r https://172.26.15.212 -delete testuser
Deleting user 'testuser'
Traceback (most recent call last):
  File "/usr/local/bin/rf_accounts.py", line 45, in <module>
    redfish_utilities.delete_user( redfish_obj, args.delete )

But from your output above, it seems like you didn't capture the full traceback and exception, so I can't tell why it failed. Can you try this again and capture the full output of the delete command?

cb371j commented 4 years ago

more account_manager output.docx

Only that error snippet is generated. Another attachment with it and the account_manager.py results.json file. If there is a way to generate more error detail let me know how and I will do it. Thank you.

billdodd commented 4 years ago

Thanks. Your doc had the additional error text we were looking for:

root@testingvm:/usr/local/bin# python3 rf_accounts.py -u root -p mypassword -r https://172.26.15.212 --delete test1
Deleting user 'test1'
Traceback (most recent call last):
  File "rf_accounts.py", line 45, in <module>
    redfish_utilities.delete_user( redfish_obj, args.delete )
  File "/usr/local/lib/python3.6/dist-packages/redfish_utilities/accounts.py", line 137, in delete_user
    return modify_user( context, user_name, new_name = "", new_enabled = False )
  File "/usr/local/lib/python3.6/dist-packages/redfish_utilities/accounts.py", line 176, in modify_user
    verify_response( response )
  File "/usr/local/lib/python3.6/dist-packages/redfish_utilities/messages.py", line 71, in verify_response
    raise RedfishOperationFailedError( "Operation failed: HTTP {}\n{}".format( response.status, exception_string ) )
redfish_utilities.messages.RedfishOperationFailedError: Operation failed: HTTP 400
A general error has occurred. See ExtendedInfo for more information
The specified value is not allowed to be configured if the user name \nor password is blank.

I guess that some services do not want the Enabled property to be specified when clearing the Username.

jautor commented 4 years ago

Ah, that's correct - the Enabled property is not a required property of ManagerAccount, so the test should probably not include it in the write if it wasn't in the GET payload.

mraineri commented 4 years ago

That's true, but I think Enabled is expected to be supported on this implementation.

@cb371j could you please provide the output from the following URIs? That'll help us narrow down the issue:

cb371j commented 4 years ago

redfish_output.docx

Here is the output for:

/redfish/v1/Managers/iDRAC.Embedded.1
/redfish/v1/Managers/iDRAC.Embedded.1/AccountService/Accounts/1

billdodd commented 4 years ago

I think the second URL should be:

/redfish/v1/Managers/iDRAC.Embedded.1/Accounts/1

cb371j commented 4 years ago

curl "https://172.26.15.212/redfish/v1/Managers/iDRAC.Embedded.1/Accounts/1" -k -u root:mypasswd| jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   409  100   409    0     0   1573      0 --:--:-- --:--:-- --:--:--  1573
{
  "@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
  "@odata.id": "/redfish/v1/Managers/iDRAC.Embedded.1/Accounts/1",
  "@odata.type": "#ManagerAccount.v1_1_1.ManagerAccount",
  "Description": "User Account",
  "Enabled": false,
  "Id": "1",
  "Links": {
    "Role": {
      "@odata.id": "/redfish/v1/Managers/iDRAC.Embedded.1/Roles/None"
    }
  },
  "Locked": false,
  "Name": "User Account",
  "Password": null,
  "RoleId": "None",
  "UserName": ""
}

mraineri commented 4 years ago

@cb371j thanks for all of the info. I've traced this down to being the way this implementation behaves with regards to how Redfish users are deleted. This type of design allocates fixed slots per user account, so accounts themselves are not deleted, but instead they are modified to clear out properties.

We have fallback code in place in our library to detect when a true DELETE is not allowed, and then PATCH some properties to clean up. It tries to do this in a single PATCH request, but it doesn't allow both UserName and Enabled to be PATCHed simultaneously when UserName is an empty string. So, we can make a change to break this into two PATCH operations.
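
The two-request fallback described in the comment above, as an added example that is not code from the redfish_utilities package or from anyone in this thread. `SlotService`, its short `/Accounts/N` URIs and the sample slots are constructed stand-ins for a fixed-slot service, and the order of the two PATCH requests (disable first, then clear UserName) is an assumption.

```python
# Added example: constructed in-memory stand-in for a fixed-slot account service.
class SlotService:
    """Simulates the behaviour reported in this thread (not real iDRAC code)."""
    def __init__(self):
        self.slots = {  # constructed sample data
            "/Accounts/1": {"UserName": "", "Enabled": False, "RoleId": "None"},
            "/Accounts/2": {"UserName": "root", "Enabled": True, "RoleId": "Administrator"},
            "/Accounts/3": {"UserName": "testuser", "Enabled": True, "RoleId": "Operator"},
        }
        self.log = []  # (method, uri, body, status) for each request

    def request(self, method, uri, body=None):
        status = self._handle(method, uri, body or {})
        self.log.append((method, uri, body, status))
        return status

    def _handle(self, method, uri, body):
        if method == "DELETE":
            return 405  # slots are fixed; the resource cannot be removed
        if method == "PATCH":
            acct = self.slots[uri]
            name = body.get("UserName", acct["UserName"])
            if name == "" and "Enabled" in body:
                return 400  # the HTTP 400 seen in the traceback
            acct.update(body)
            return 200
        return 405


def delete_user(svc, user_name):
    """DELETE first; on refusal, disable and then clear the slot in two PATCHes."""
    uri = next(u for u, a in svc.slots.items() if a["UserName"] == user_name)
    if svc.request("DELETE", uri) in (200, 204):
        return uri
    # Assumed order: disable while UserName is still set, then blank it.
    for body in ({"Enabled": False}, {"UserName": ""}):
        if svc.request("PATCH", uri, body) != 200:
            raise RuntimeError("PATCH {} failed for {}".format(body, uri))
    return uri


def single_patch_status(svc, user_name):
    """The one-request fallback, kept to show why the service rejected it."""
    uri = next(u for u, a in svc.slots.items() if a["UserName"] == user_name)
    return svc.request("PATCH", uri, {"UserName": "", "Enabled": False})
```

After `delete_user` returns, reading the slot back and checking that `UserName` is empty and `Enabled` is false confirms the account can no longer authenticate, which a listing that only shows a blank name does not prove.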

mraineri commented 4 years ago

@cb371j please try out the latest version of the usecase checkers; you'll also need to update the redfish_utilities package since there was a fix added to it to address this. If the issue persists, please reopen the issue.