openbmc / bmcweb

A do everything Redfish, KVM, GUI, and DBus webserver for OpenBMC
Apache License 2.0

Users with unusual userGroup are not processed properly #287

Closed AleksandrParamonov closed 1 month ago

AleksandrParamonov commented 1 month ago

Bug Description

Some resources under /redfish/v1/AccountService/Accounts/ don't properly process users whose userGroup field differs from "redfish"/"ipmi"/"ssh"/"hostconsole"/"web". At least one of these userGroups must be present to prevent an internal error in GET /redfish/v1/AccountService/Accounts/. Non-standard userGroups are lost after patching a user in PATCH /redfish/v1/AccountService/Accounts//.

Version

b729096d0a787abe2a7e8a9a2d1ea12b5e1540fb

Additional Information

I am trying to implement a bootstrap account feature. It has to be created when the "Get bootstrap account credentials" IPMI command is called and deleted on bmcweb service restart. A custom userGroup is a straightforward way to distinguish this account from usual accounts, which are not deleted automatically. However, a custom group doesn't work correctly with GET /redfish/v1/AccountService/Accounts/ and PATCH /redfish/v1/AccountService/Accounts// requests. GET requests require the account to have at least one known group, and PATCH requests also discard all unknown groups.
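The behaviour the report describes, as an added illustrative model written for this page (it is not bmcweb's or phosphor-user-manager's code): a fixed set of recognised Linux groups is translated into Redfish AccountTypes, a GET fails when the user carries none of them, and a PATCH rebuilds the whole UserGroups list from the requested AccountTypes, which silently drops any group bmcweb does not know. The group names come from the issue text; the group-to-AccountType mapping, the function names and the "preserve unknown groups" variant shown beside the replacing one are assumptions made for the example.

```cpp
// Added illustrative model of the UserGroups <-> AccountTypes handling the
// issue describes. Not bmcweb's code; names and the mapping are assumptions.
#include <algorithm>
#include <map>
#include <optional>
#include <string>
#include <vector>

// The only group names the report says bmcweb understands. The AccountType
// each maps to is an assumption for this example.
static const std::map<std::string, std::string> kKnownGroups = {
    {"redfish", "Redfish"},
    {"ipmi", "IPMI"},
    {"ssh", "ManagerConsole"},
    {"hostconsole", "HostConsole"},
    {"web", "WebUI"},
};

// GET: translate D-Bus UserGroups into AccountTypes. Unknown groups are
// skipped; when nothing is left, nullopt models the "internal error" the
// reporter sees as HTTP 500 for a user whose only group is a custom one.
std::optional<std::vector<std::string>>
groupsToAccountTypes(const std::vector<std::string>& userGroups) {
    std::vector<std::string> types;
    for (const auto& g : userGroups) {
        auto it = kKnownGroups.find(g);
        if (it != kKnownGroups.end()) {
            types.push_back(it->second);
        }
    }
    if (types.empty()) {
        return std::nullopt;
    }
    return types;
}

// PATCH as described in the issue: the new UserGroups list is rebuilt
// purely from the requested AccountTypes, so every group outside
// kKnownGroups (e.g. a custom bootstrap-account marker group) is lost.
std::vector<std::string>
patchGroupsReplace(const std::vector<std::string>& /*current*/,
                   const std::vector<std::string>& requestedTypes) {
    std::vector<std::string> out;
    for (const auto& [group, type] : kKnownGroups) {
        if (std::find(requestedTypes.begin(), requestedTypes.end(), type) !=
            requestedTypes.end()) {
            out.push_back(group);  // map order: sorted by group name
        }
    }
    return out;
}

// Alternative (assumed, not something the project implements): only the
// groups bmcweb owns are rewritten; groups it does not recognise are
// carried over untouched, so a custom marker group survives a PATCH.
std::vector<std::string>
patchGroupsPreserve(const std::vector<std::string>& current,
                    const std::vector<std::string>& requestedTypes) {
    std::vector<std::string> out;
    for (const auto& g : current) {
        if (kKnownGroups.find(g) == kKnownGroups.end()) {
            out.push_back(g);  // keep unknown groups as they were
        }
    }
    for (const auto& g : patchGroupsReplace(current, requestedTypes)) {
        out.push_back(g);
    }
    return out;
}
```

With a user in only "openbmc_orfr_redfish", groupsToAccountTypes returns nothing (the GET failure); adding "redfish" makes it succeed. A PATCH requesting Redfish and IPMI yields {"ipmi", "redfish"} under the replacing model and {"openbmc_orfr_redfish", "ipmi", "redfish"} under the preserving one. Whether preserving unknown groups is the right fix is a design question for the maintainers; the model only makes the two behaviours concrete.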

edtanous commented 1 month ago

Can you give an example call that causes the failure you're talking about?

AleksandrParamonov commented 1 month ago

1) Create custom group:

groupadd openbmc_orfr_redfish

2) Restart BMC or User Manager to reload groups list:

systemctl restart xyz.openbmc_project.User.Manager.service

3) Add user with custom group over dbus:

dbus-send --system --type="method_call" --print-reply --dest=xyz.openbmc_project.User.Manager /xyz/openbmc_project/user xyz.openbmc_project.User.Manager.CreateUser string:"temp1234" array:string:"openbmc_orfr_redfish" string:"priv-admin" boolean:"true"

4) Check whether user is created properly:

busctl introspect xyz.openbmc_project.User.Manager /xyz/openbmc_project/user/temp1234
NAME                                TYPE      SIGNATURE RESULT/VALUE             FLAGS
org.freedesktop.DBus.Introspectable interface -         -                        -
.Introspect                         method    -         s                        -
org.freedesktop.DBus.Peer           interface -         -                        -
.GetMachineId                       method    -         s                        -
.Ping                               method    -         -                        -
org.freedesktop.DBus.Properties     interface -         -                        -
.Get                                method    ss        v                        -
.GetAll                             method    s         a{sv}                    -
.Set                                method    ssv       -                        -
.PropertiesChanged                  signal    sa{sv}as  -                        -
xyz.openbmc_project.Object.Delete   interface -         -                        -
.Delete                             method    -         -                        -
xyz.openbmc_project.User.Attributes interface -         -                        -
.RemoteUser                         property  b         false                    const
.UserEnabled                        property  b         true                     emits-change writable
.UserGroups                         property  as        1 "openbmc_orfr_redfish" emits-change writable
.UserLockedForFailedAttempt         property  b         false                    emits-change writable
.UserPasswordExpiration             property  x         2572992000               emits-change writable
.UserPasswordExpired                property  b         false                    const
.UserPrivilege                      property  s         "priv-admin"             emits-change writable

5) Try to get user list over Redfish - SUCCESS

curl -i -X GET -k -u root:0penBmc https://192.168.1.2/redfish/v1/AccountService/Accounts
HTTP/1.1 200 OK
{
  "@odata.id": "/redfish/v1/AccountService/Accounts",
  "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
  "Description": "BMC User Accounts",
  "Members": [
    {
      "@odata.id": "/redfish/v1/AccountService/Accounts/temp1234"
    },
    {
      "@odata.id": "/redfish/v1/AccountService/Accounts/temp123"
    },
    {
      "@odata.id": "/redfish/v1/AccountService/Accounts/test"
    },
    {
      "@odata.id": "/redfish/v1/AccountService/Accounts/root"
    }
  ],
  "Members@odata.count": 4,
  "Name": "Accounts Collection"

6) Try to get this unusual user - error.

curl -i -X GET -k -u root:0penBmc https://192.168.1.2/redfish/v1/AccountService/Accounts/temp1234
HTTP/1.1 500 Internal Server Error
{
  "@odata.type": "#ManagerAccount.v1_7_0.ManagerAccount",
  "Description": "User Account",
  "Name": "User Account",
  "Password": null,
  "StrictAccountTypes": true,
  "error": {
    "@Message.ExtendedInfo": [
      {
        "@odata.type": "#Message.v1_1_1.Message",
        "Message": "The request failed due to an internal service error.  The service is still operational.",
        "MessageArgs": [],
        "MessageId": "Base.1.16.0.InternalError",
        "MessageSeverity": "Critical",
        "Resolution": "Resubmit the request.  If the problem persists, consider resetting the service."
      }
    ],
    "code": "Base.1.16.0.InternalError",
    "message": "The request failed due to an internal service error.  The service is still operational."
  }
}

AleksandrParamonov commented 1 month ago

Phosphor-user-manager allows OEM Redfish privileges/roles ("openbmcrfr" etc.) https://github.com/openbmc/docs/blob/master/designs/redfish-authorization.md. However, bmcweb doesn't accept them. And vice versa, bmcweb supports the "web" userGroup, which isn't supported by phosphor-user-manager.

edtanous commented 1 month ago

In your example, you're accessing the system from the shell, adding internal groups that don't exist in the build and force-resetting services, something that isn't possible in a normal build. Are you able to reproduce this without using internal interfaces, using the existing groups?

https://github.com/openbmc/docs/blob/master/designs/redfish-authorization.md

Note that you're referencing a potential design that was never implemented.

AleksandrParamonov commented 1 month ago

> Note that you're referencing a potential design that was never implemented.

However, it is still partially implemented (at least in phosphor-user-manager, which exposes user properties to dbus) https://github.com/openbmc/phosphor-user-manager/blob/af1594c90627b78d1a92bb16a0d826b12a0d182c/user_mgr.cpp#L115.

> something that isn't possible in a normal build

I reset the service only to speed up the fetching process, since it is done on service startup. Creating a group from the shell and rebooting doesn't seem unusual. What is actually happening between bmcweb and phosphor-user-manager: bmcweb only allows the following groups:

phosphor-user-manager allows the following groups:

Only matching groups are highlighted. This behaviour is quite inconsistent: dbus allows groups forbidden in bmcweb and vice versa. Can I propose a patch for bmcweb which allows those openbmc_* userGroups (and maybe removes the "web" group, which seems to be unused)? This would allow easy implementation of a bootstrap account.

AleksandrParamonov commented 1 month ago

Seems like this is not an issue that can be reproduced without ssh access, so I close this topic.

edtanous commented 1 month ago

The bug tracker is not the appropriate place to ask questions about new features. Discussed with submitter on Discord, and this isn't actually able to be hit in practice without out-of-tree patches or using SSH to simulate something.