Remove support for priv-noaccess role
A user created with no-access privilege is allowed to log in
but cannot log out. Any no-access user can create many
login sessions and exhaust the BMC without logging out.
The no-access role was basically added to support the IPMI use case,
where a user can be created first and then is assigned a privilege.
This is being reworked at the IPMI interface and the dependency on the
no-access privilege is being removed completely. The following two
commits were added to support priv-noaccess in user-manager
and bmcweb:
[1] https://github.com/openbmc/bmcweb/commit/e9e6d240ab85e515f8d264e39b47a75043b73374
[2] https://github.com/openbmc/phosphor-user-manager/commit/7c6e7cffaf061aabfe5489ef52442e2f7cbd0fb7
This commit removes the no-access role support at bmcweb by
reverting the commit:
[1] https://github.com/openbmc/bmcweb/commit/e9e6d240ab85e515f8d264e39b47a75043b73374
The user-manager change w.r.t this change is at:
[1] https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-user-manager/+/52363
Tested By:
1. Create an LDAP user with priv-noaccess. Verify the login attempt
fails with an accessDenied error
2. Verified the other role users can log in
Signed-off-by: Asmitha Karunanithi <asmitk01@in.ibm.com>
Change-Id: I5ac8a58d9146379c9ce3be804d476ea85835bb2f
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 0cef7a3..8ccab65 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -88,10 +88,6 @@
{
return "Operator";
}
- if (role.empty() || (role == "priv-noaccess"))
- {
- return "NoAccess";
- }
return "";
}
inline std::string getPrivilegeFromRoleId(std::string_view role)
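Review bot: The removed condition also matched role.empty(), so a privilege string that is empty now falls through to the final return "" instead of mapping to "NoAccess". Please confirm that every caller of this privilege-to-role mapping treats the empty return as an error or skips the account, rather than emitting an empty RoleId, and consider a one-line comment on the final return stating that "" means an unsupported privilege.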
@@ -108,10 +104,6 @@
{
return "priv-operator";
}
- if ((role == "NoAccess") || (role.empty()))
- {
- return "priv-noaccess";
- }
return "";
}
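Review bot: With the "NoAccess" and role.empty() case removed from getPrivilegeFromRoleId, both inputs now reach return "", which is a client-visible change for anything that previously sent RoleId "NoAccess" or an empty RoleId. The commit message describes the login behaviour but not this; a sentence there saying that these RoleId values are now rejected, and which error the client should expect, would make the change easier to review and to consume.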
@@ -1244,10 +1236,6 @@
"RoleId");
return;
}
- if (priv == "priv-noaccess")
- {
- priv = "";
- }
crow::connections::systemBus->async_method_call(
[asyncResp](const boost::system::error_code ec) {
@@ -1633,18 +1621,7 @@
messages::propertyValueNotInList(asyncResp->res, *roleId, "RoleId");
return;
}
- // TODO: Following override will be reverted once support in
- // phosphor-user-manager is added. In order to avoid dependency
- // issues, this is added in bmcweb, which will removed, once
- // phosphor-user-manager supports priv-noaccess.
- if (priv == "priv-noaccess")
- {
- roleId = "";
- }
- else
- {
- roleId = priv;
- }
+ roleId = priv;
// Reading AllGroups property
sdbusplus::asio::getProperty<std::vector<std::string>>(
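Review bot: The "Tested By" list covers login only, while roleId = priv here and the priv == "priv-noaccess" block removed in the -1244 hunk are on paths that assign a role, and neither is exercised by the listed tests. Please add a check that a request carrying RoleId "NoAccess" is rejected on both paths (presumably by the propertyValueNotInList return shown just above this line) and that priv can never be empty when it is assigned to roleId.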