openbmc / bmcweb

A do everything Redfish, KVM, GUI, and DBus webserver for OpenBMC
Apache License 2.0

NoAccess user can login but cannot logout #227

Closed joseph-reynolds closed 2 years ago

joseph-reynolds commented 2 years ago

Describe the bug An authenticated user with the NoAccess role can log in but cannot log out. The user should not be allowed to log in.

Environment Not applicable. The problem was discovered in an LDAP user account where that user did not map to a Redfish Role, so NoAccess was used.

This problem happens at HEAD, currently accdbb2c0eb90d64f60be6319685c0814cafff49

To Reproduce Steps to reproduce the behavior:

  1. Configure LDAP. Ensure an LDAP user does not map to a Redfish Role.
  2. Log in the LDAP user via POST /redfish/v1/SessionService/Sessions/
  3. Attempt to logout via DELETE /redfish/v1/SessionService/Sessions/...sessionid...
  4. The logout fails with Forbidden. Expected the logout would succeed.
  5. Note: an admin user can delete the session.

I expect the problem could be reproduced with any NoAccess user.

Is this a regression? Our test team reports the logout had worked in the past, like early 2021, with the LDAP configured as above, specifically with a broken LDAP role privilege mapping. However, I looked at the code and was unable to find out how the logout function could have worked. Specifically, I found logout requires the ConfigureSelf privilege, and NoAccess users do not have this privilege.

Notes The Redfish operation-to-privilege map specifies the "Login" privilege to create a session via POST to the SessionCollection, but BMCWeb does not implement that check. I believe that check should be added.

Redfish specs the "ConfigureSelf" privilege (modulo the ConfigureUsers privilege) to Delete Session. This privilege is different from the privilege for Login. In my opinion its implementation is correct. If we really want NoAccess users to be able to create sessions, then I want to understand why that is needed and we should have a way for them to logout.
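The following is an added illustration of the privilege mismatch described in this issue; it is not bmcweb code and is not part of the original report. It models the standard Redfish role-to-privilege sets and the two operation-to-privilege rules the reporter cites: POST to the SessionCollection requires Login, and DELETE of a Session requires ConfigureSelf on the caller's own session or ConfigureUsers on anyone's. The `enforce_login` switch is a hypothetical knob standing in for whether the Login check on session creation is implemented; with it off (the behaviour the issue reports), a NoAccess user gets a session it can never delete, while with it on the login is refused up front.

```python
"""Model of the Redfish session privilege checks discussed in this issue.

Added example, not bmcweb's implementation. Role definitions follow the
standard Redfish roles; the DELETE rule follows the issue text (ConfigureSelf
for your own session, ConfigureUsers for other users' sessions).
"""
from dataclasses import dataclass, field

# Standard Redfish role -> privilege sets. NoAccess holds nothing, not even Login.
ROLE_PRIVILEGES = {
    "Administrator": {"Login", "ConfigureManager", "ConfigureUsers",
                      "ConfigureComponents", "ConfigureSelf"},
    "Operator": {"Login", "ConfigureComponents", "ConfigureSelf"},
    "ReadOnly": {"Login", "ConfigureSelf"},
    "NoAccess": set(),
}


@dataclass
class Session:
    session_id: str
    username: str
    role: str


@dataclass
class SessionService:
    # Hypothetical switch: does POST /Sessions enforce the Login privilege?
    enforce_login: bool
    sessions: dict = field(default_factory=dict)
    next_id: int = 0

    def create_session(self, username, role):
        """POST /redfish/v1/SessionService/Sessions -> (status, session_id)."""
        if self.enforce_login and "Login" not in ROLE_PRIVILEGES[role]:
            return 401, None
        self.next_id += 1
        sid = f"s{self.next_id}"
        self.sessions[sid] = Session(sid, username, role)
        return 201, sid

    def delete_session(self, caller, target_id):
        """DELETE /redfish/v1/SessionService/Sessions/<id> -> status."""
        target = self.sessions.get(target_id)
        if target is None:
            return 404
        privs = ROLE_PRIVILEGES[caller.role]
        own_session = target.username == caller.username
        if "ConfigureUsers" in privs or ("ConfigureSelf" in privs and own_session):
            del self.sessions[target_id]
            return 204
        return 403


def roundtrip(role, enforce_login):
    """Log in as `role`, then try to delete one's own session; describe the result."""
    svc = SessionService(enforce_login)
    status, sid = svc.create_session("ldapuser", role)
    if status != 201:
        return "login denied"
    me = svc.sessions[sid]
    status = svc.delete_session(me, sid)
    return "logout ok" if status == 204 else f"logout {status}"


def delete_others_session(caller_role, target_role):
    """Can a `caller_role` user delete a session owned by a `target_role` user?"""
    svc = SessionService(enforce_login=False)
    _, target_sid = svc.create_session("target", target_role)
    _, caller_sid = svc.create_session("caller", caller_role)
    return svc.delete_session(svc.sessions[caller_sid], target_sid)


if __name__ == "__main__":
    # Reported behaviour: session created, logout forbidden.
    print("NoAccess, Login unchecked:", roundtrip("NoAccess", False))
    # With the Login check implemented, the session is never created.
    print("NoAccess, Login checked:  ", roundtrip("NoAccess", True))
    print("ReadOnly:                 ", roundtrip("ReadOnly", False))
    print("Admin deletes NoAccess session:", delete_others_session("Administrator", "NoAccess"))
```

The model reproduces step 5 of the report as well: an Administrator, holding ConfigureUsers, can delete the orphaned NoAccess session, while a ReadOnly user, holding only ConfigureSelf, cannot delete anyone else's.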

sunharis commented 2 years ago

@edtanous @gtmills Can you please share your views on this? How should the fix be done for this behavior?

joseph-reynolds commented 2 years ago

Here are more detailed questions.

I understand the Redfish NoAccess role is equivalent to the Phosphor user management docs no-access privilege group, and that it has literally no privileges, not even the Redfish "Login" privilege.

Will someone please explain the use case and intentions for users who have role=NoAccess?

edtanous commented 2 years ago

Per my responses on the PR for this, no access users should not be allowed to log in. bmcweb has checks to see if users are disabled before giving them a session, so this implies that phosphor-user-manager isn't properly disabling these users. Please open a bug in that repo, or continue discussing in the bmcweb patchset.