FarahRasheed1
commented
1 month ago Note that parse_registries.py script is used to auto gen the privilege registry using the redfish spec.
Open FarahRasheed1 opened 1 month ago
FarahRasheed1
commented
1 month ago Note that parse_registries.py script is used to auto gen the privilege registry using the redfish spec.
edtanous
commented
1 month ago latest bmcweb
This isn't a version. The "latest" changes every day.
The "operator" privilege role is currently allowed to configure network settings.
Shows that this the URI in question would be a SubordinateOverride that limit this further, which was never implemented. So far as I'm aware, there has been no effort to try to implement SubordinateOverrides in bmcweb.
https://gerrit.openbmc.org/c/openbmc/bmcweb/+/59570/12 Makes mention of it, but I'm not aware of any patchsets being sent.
For what it's worth, we've discussed in the past simply removing the Operator privilege level, as there seems to be very little use of it, and nobody willing to maintain the distinction between an "Operator" and an "Administrator" of the BMC.
FarahRasheed1
commented
1 month ago This isn't a version. The "latest" changes every day.
Yea, I wasn't sure what to use there, so I saw what the previous issue in the "open issues" list had done and used it: https://github.com/openbmc/bmcweb/issues/272. Will update in a bit.
edtanous
commented
1 month ago Please edit your initial post and add the requested information. Which platform you tested on, and which openbmc/openbmc sha1 you used.
FarahRasheed1
commented
1 month ago Updated the bug description.
Is this the right place to submit this?
Bug Description
The "operator" privilege role is currently allowed to configure network settings. This behavior is unexpected as network configuration should be restricted to roles with higher privileges, such as "admin". This is per the spec: https://github.com/openbmc/docs/blob/master/architecture/user-management.md
operator | Users are allowed to view and control basic operations. This includes reboot of the host, etc. But users are not allowed to change other configuration like user, network, etc.
Links to code:
An operator privilege user role is assigned ConfigureComponents here: https://github.com/openbmc/bmcweb/blob/master/redfish-core/include/privileges.hpp#L247-L253 https://github.com/openbmc/bmcweb/blob/master/redfish-core/lib/roles.hpp#L66
Link to privilege registry that defines privilegeSetConfigureComponents : https://github.com/openbmc/bmcweb/blob/master/redfish-core/include/registries/privilege_registry.hpp#L23
Link to privilege registry that defines patchEthernetInterface: https://github.com/openbmc/bmcweb/blob/master/redfish-core/include/registries/privilege_registry.hpp#L580
Link to ethernet.hpp that handles the PATCH request using the above privilege: https://github.com/openbmc/bmcweb/blob/master/redfish-core/lib/ethernet.hpp#L2258
The code above is not according to the spec in user-management.md which does not allow an operator to change network configuration.
Version
Additional Information - Logs from testing on QEMU:
Added a test user to operator priv group
Jul 24 19:26:26 romulus useradd[332]: add 'test' to group 'web' Jul 24 19:26:26 romulus useradd[332]: add 'test' to group 'redfish' Jul 24 19:26:26 romulus useradd[332]: add 'test' to group 'priv-operator' Jul 24 19:26:26 romulus useradd[332]: add 'test' to group 'ipmi' Jul 24 19:26:26 romulus useradd[332]: add 'test' to shadow group 'web' Jul 24 19:26:26 romulus useradd[332]: add 'test' to shadow group 'redfish' Jul 24 19:26:26 romulus useradd[332]: add 'test' to shadow group 'priv-operator' Jul 24 19:26:26 romulus useradd[332]: add 'test' to shadow group 'ipmi' Jul 24 19:26:27 romulus phosphor-user-manager[257]: User 'test' created successfully
Sent a PATCH request to update the host name from the test user
Jul 24 20:45:43 romulus bmcweb[182]: pam_succeed_if(webserver:auth): requirement "user ingroup redfish" was met by user "test" Jul 24 20:45:44 romulus systemd[1]: Starting Hostname Service... Jul 24 20:45:44 romulus systemd[1]: Started Hostname Service. Jul 24 20:45:45 dcscm systemd-resolved[138]: System hostname changed to 'dcscm'. Jul 24 20:46:15 dcscm systemd[1]: systemd-hostnamed.service: Deactivated successfully.