Closed AleksandrParamonov closed 1 month ago
Can you give an example call that causes the failure you're talking about?
1) Create custom group
groupadd openbmc_orfr_redfish
2) Restart BMC or User Manager to reload groups list.
systemctl restart xyz.openbmc_project.User.Manager.service
3) Add user with custom group over dbus
dbus-send --system --type="method_call" --print-reply --dest=xyz.openbmc_project.User.Manager /xyz/openbmc_project/user xyz.openbmc_project.User.Manager.CreateUser string:"temp1234" array:string:"openbmc_orfr_redfish" string:"priv-admin" boolean:"true"
4) Check whether user is created properly
busctl introspect xyz.openbmc_project.User.Manager /xyz/openbmc_project/user/temp1234
NAME TYPE SIGNATURE RESULT/VALUE FLAGS
org.freedesktop.DBus.Introspectable interface - - -
.Introspect method - s -
org.freedesktop.DBus.Peer interface - - -
.GetMachineId method - s -
.Ping method - - -
org.freedesktop.DBus.Properties interface - - -
.Get method ss v -
.GetAll method s a{sv} -
.Set method ssv - -
.PropertiesChanged signal sa{sv}as - -
xyz.openbmc_project.Object.Delete interface - - -
.Delete method - - -
xyz.openbmc_project.User.Attributes interface - - -
.RemoteUser property b false const
.UserEnabled property b true emits-change writable
.UserGroups property as 1 "openbmc_orfr_redfish" emits-change writable
.UserLockedForFailedAttempt property b false emits-change writable
.UserPasswordExpiration property x 2572992000 emits-change writable
.UserPasswordExpired property b false const
.UserPrivilege property s "priv-admin" emits-change writable
5) Try to get the user list over Redfish - SUCCESS
curl -i -X GET -k -u root:0penBmc https://192.168.1.2/redfish/v1/AccountService/Accounts
HTTP/1.1 200 OK
{
"@odata.id": "/redfish/v1/AccountService/Accounts",
"@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
"Description": "BMC User Accounts",
"Members": [
{
"@odata.id": "/redfish/v1/AccountService/Accounts/temp1234"
},
{
"@odata.id": "/redfish/v1/AccountService/Accounts/temp123"
},
{
"@odata.id": "/redfish/v1/AccountService/Accounts/test"
},
{
"@odata.id": "/redfish/v1/AccountService/Accounts/root"
}
],
"Members@odata.count": 4,
"Name": "Accounts Collection"
6) Try to get this unusual user - ERROR
curl -i -X GET -k -u root:0penBmc https://192.168.1.2/redfish/v1/AccountService/Accounts/temp1234
HTTP/1.1 500 Internal Server Error
{
"@odata.type": "#ManagerAccount.v1_7_0.ManagerAccount",
"Description": "User Account",
"Name": "User Account",
"Password": null,
"StrictAccountTypes": true,
"error": {
"@Message.ExtendedInfo": [
{
"@odata.type": "#Message.v1_1_1.Message",
"Message": "The request failed due to an internal service error. The service is still operational.",
"MessageArgs": [],
"MessageId": "Base.1.16.0.InternalError",
"MessageSeverity": "Critical",
"Resolution": "Resubmit the request. If the problem persists, consider resetting the service."
}
],
"code": "Base.1.16.0.InternalError",
"message": "The request failed due to an internal service error. The service is still operational."
}
Phosphor-user-manager allows OEM Redfish privileges/roles ("openbmcrfr" etc.) https://github.com/openbmc/docs/blob/master/designs/redfish-authorization.md. However, bmcweb doesn't accept them. And vice versa: bmcweb supports the "web" userGroup, which isn't supported by phosphor-user-manager.
In your example, you're accessing the system from the shell and adding internal groups that don't exist in the build and by force resetting services, something that isn't possible in a normal build. Are you able to reproduce this without using internal interfaces using the existing groups?
https://github.com/openbmc/docs/blob/master/designs/redfish-authorization.md
Note that you're referencing a potential design that was never implemented.
Note that you're referencing a potential design that was never implemented.
However it is still partially implemented (at least in phosphor-user-manager, which exposes user properties to dbus) https://github.com/openbmc/phosphor-user-manager/blob/af1594c90627b78d1a92bb16a0d826b12a0d182c/user_mgr.cpp#L115.
something that isn't possible in a normal build
I reset the service only to speed up the fetching process, since it is done on service startup. Creating a group from the shell and rebooting doesn't seem unusual. What is actually happening between bmcweb and phosphor-user-manager: bmcweb only allows the following groups:
phosphor-user-manager allows the following groups:
Only the matching groups are highlighted. This behaviour is quite inconsistent: dbus allows groups forbidden in bmcweb and vice versa. Can I propose a patch for bmcweb which allows those **openbmc_*** userGroups (and maybe removes the "web" group, which seems to be unused)? This would allow easy implementation of a bootstrap account.
Seems like this is not an issue that can be reproduced without SSH access, so I close this topic.
The bug tracker is not the appropriate place to ask questions about new features. Discussed with submitter on Discord, and this isn't actually able to be hit in practice without out-of-tree patches or using SSH to simulate something.
Is this the right place to submit this?
Bug Description
Some resources under /redfish/v1/AccountService/Accounts/ don't properly process users with a userGroup field different from "redfish"/"ipmi"/"ssh"/"hostconsole"/"web". At least one of these userGroups must be present to prevent an internal error in GET /redfish/v1/AccountService/Accounts/. Non-standard userGroups are lost after patching the user in PATCH /redfish/v1/AccountService/Accounts// .
Version
Additional Information
I am trying to implement a bootstrap account feature. It has to be created when the "Get bootstrap account credentials" IPMI command is called and deleted on bmcweb service restart. A custom userGroup is a straightforward way to distinguish this account from usual accounts, which are not deleted automatically. However, a custom group doesn't work correctly with GET /redfish/v1/AccountService/Accounts/ and PATCH /redfish/v1/AccountService/Accounts// requests. GET requests require the account to have at least one known group, and the PATCH request also discards all unknown groups.
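As an added illustration (this is not bmcweb's or phosphor-user-manager's code), the following shows the two failure modes this report describes and a tolerant alternative: the strict translation returns nothing for a user whose only group is custom (the 500 on GET), while the tolerant translation and the PATCH merge keep a group like openbmc_orfr_redfish instead of failing or discarding it. The group-to-AccountTypes table is an assumption made for this example.

```cpp
// Added example, not bmcweb code: translating phosphor-user-manager UserGroups
// to Redfish AccountTypes without failing on, or dropping, unknown groups.
#include <algorithm>
#include <map>
#include <optional>
#include <string>
#include <vector>

using Strings = std::vector<std::string>;

// Assumed mapping of the known UserGroups to Redfish AccountTypes values.
static const std::map<std::string, std::string> kGroupToType = {
    {"redfish", "Redfish"},    {"ipmi", "IPMI"},
    {"ssh", "ManagerConsole"}, {"hostconsole", "HostConsole"},
    {"web", "WebUI"}};

// Strict translation, modelling the failure in the report: a user whose
// groups are all unknown yields nothing, and the GET ends in a 500.
std::optional<Strings> strictAccountTypes(const Strings& groups) {
    Strings types;
    for (const auto& g : groups)
        if (auto it = kGroupToType.find(g); it != kGroupToType.end())
            types.push_back(it->second);
    if (types.empty()) return std::nullopt;  // no known group -> error
    return types;
}

// Tolerant translation: a custom group such as openbmc_orfr_redfish is
// simply not an AccountType; an empty array is a valid answer, not an error.
Strings tolerantAccountTypes(const Strings& groups) {
    return strictAccountTypes(groups).value_or(Strings{});
}

// PATCH merge that keeps groups the Redfish layer does not manage: known
// groups are replaced by the requested AccountTypes, unknown ones survive.
Strings mergeGroupsOnPatch(const Strings& existing,
                           const Strings& requestedTypes) {
    Strings result;
    for (const auto& g : existing)
        if (!kGroupToType.count(g)) result.push_back(g);  // keep custom group
    for (const auto& [group, type] : kGroupToType)
        if (std::find(requestedTypes.begin(), requestedTypes.end(), type) !=
            requestedTypes.end())
            result.push_back(group);
    return result;
}
```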