Correct privilege levels for LogService
Correct the privilege levels for LogService as per
privilege registry under redfish specification.
https://redfish.dmtf.org/registries/Redfish_1.0.4_PrivilegeRegistry.json
1) ClearLog actions (EventLog, CrashDump, PostCode,
JournalLog, etc.), which are subordinates of LogService,
should be executed with the "ConfigureComponents"
privilege level.
2) For security reasons, restrict CrashDump
(LogService and LogEntry) to "ConfigureComponents".
Tested:
- Created Operator, User and Administrator users
and validated all methods under LogService, LogEntry
LogServiceCollections and LogEntryCollections, its
subordinates.
Signed-off-by: AppaRao Puli <apparao.puli@linux.intel.com>
Change-Id: I4ce1ee90b3b999a80daa9aa20e5e7d79b64a9b85
diff --git a/redfish-core/lib/log_services.hpp b/redfish-core/lib/log_services.hpp
index d53c829..73a7bb6 100644
--- a/redfish-core/lib/log_services.hpp
+++ b/redfish-core/lib/log_services.hpp
@@ -1530,9 +1530,11 @@
CrashdumpService(CrowApp &app) :
Node(app, "/redfish/v1/Systems/system/LogServices/Crashdump/")
{
+ // Note: Deviated from redfish privilege registry for GET & HEAD
+ // method for security reasons.
entityPrivileges = {
- {boost::beast::http::verb::get, {{"Login"}}},
- {boost::beast::http::verb::head, {{"Login"}}},
+ {boost::beast::http::verb::get, {{"ConfigureComponents"}}},
+ {boost::beast::http::verb::head, {{"ConfigureComponents"}}},
{boost::beast::http::verb::patch, {{"ConfigureManager"}}},
{boost::beast::http::verb::put, {{"ConfigureManager"}}},
{boost::beast::http::verb::delete_, {{"ConfigureManager"}}},
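Review bot: The added comment says only "for security reasons", which tells the next maintainer neither what is being protected nor which accounts lose access. It should name both, e.g. `// Crashdump contents are treated as sensitive: GET/HEAD need ConfigureComponents, not the registry's Login.` The same two-line comment and the same GET/HEAD pair are repeated in the hunks at -1585, -1676, -1761, -1794, -1894 and -1962. A single named constant for the crashdump read privilege, with the rationale written once beside it, would keep the seven resources from drifting apart. The initializer list continues past the end of this hunk, so any POST entry for CrashdumpService is not visible here.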
@@ -1585,9 +1587,11 @@
Node(app, "/redfish/v1/Systems/system/LogServices/Crashdump/Actions/"
"LogService.ClearLog/")
{
+ // Note: Deviated from redfish privilege registry for GET & HEAD
+ // method for security reasons.
entityPrivileges = {
- {boost::beast::http::verb::get, {{"Login"}}},
- {boost::beast::http::verb::head, {{"Login"}}},
+ {boost::beast::http::verb::get, {{"ConfigureComponents"}}},
+ {boost::beast::http::verb::head, {{"ConfigureComponents"}}},
{boost::beast::http::verb::patch, {{"ConfigureComponents"}}},
{boost::beast::http::verb::put, {{"ConfigureComponents"}}},
{boost::beast::http::verb::delete_, {{"ConfigureComponents"}}},
@@ -1676,9 +1680,11 @@
CrashdumpEntryCollection(CrowApp &app) :
Node(app, "/redfish/v1/Systems/system/LogServices/Crashdump/Entries/")
{
+ // Note: Deviated from redfish privilege registry for GET & HEAD
+ // method for security reasons.
entityPrivileges = {
- {boost::beast::http::verb::get, {{"Login"}}},
- {boost::beast::http::verb::head, {{"Login"}}},
+ {boost::beast::http::verb::get, {{"ConfigureComponents"}}},
+ {boost::beast::http::verb::head, {{"ConfigureComponents"}}},
{boost::beast::http::verb::patch, {{"ConfigureManager"}}},
{boost::beast::http::verb::put, {{"ConfigureManager"}}},
{boost::beast::http::verb::delete_, {{"ConfigureManager"}}},
@@ -1761,9 +1767,11 @@
"/redfish/v1/Systems/system/LogServices/Crashdump/Entries/<str>/",
std::string())
{
+ // Note: Deviated from redfish privilege registry for GET & HEAD
+ // method for security reasons.
entityPrivileges = {
- {boost::beast::http::verb::get, {{"Login"}}},
- {boost::beast::http::verb::head, {{"Login"}}},
+ {boost::beast::http::verb::get, {{"ConfigureComponents"}}},
+ {boost::beast::http::verb::head, {{"ConfigureComponents"}}},
{boost::beast::http::verb::patch, {{"ConfigureManager"}}},
{boost::beast::http::verb::put, {{"ConfigureManager"}}},
{boost::beast::http::verb::delete_, {{"ConfigureManager"}}},
@@ -1794,9 +1802,11 @@
"<str>/",
std::string(), std::string())
{
+ // Note: Deviated from redfish privilege registry for GET & HEAD
+ // method for security reasons.
entityPrivileges = {
- {boost::beast::http::verb::get, {{"Login"}}},
- {boost::beast::http::verb::head, {{"Login"}}},
+ {boost::beast::http::verb::get, {{"ConfigureComponents"}}},
+ {boost::beast::http::verb::head, {{"ConfigureComponents"}}},
{boost::beast::http::verb::patch, {{"ConfigureManager"}}},
{boost::beast::http::verb::put, {{"ConfigureManager"}}},
{boost::beast::http::verb::delete_, {{"ConfigureManager"}}},
@@ -1894,13 +1904,15 @@
"/redfish/v1/Systems/system/LogServices/Crashdump/Actions/Oem/"
"Crashdump.OnDemand/")
{
+ // Note: Deviated from redfish privilege registry for GET & HEAD
+ // method for security reasons.
entityPrivileges = {
- {boost::beast::http::verb::get, {{"Login"}}},
- {boost::beast::http::verb::head, {{"Login"}}},
- {boost::beast::http::verb::patch, {{"ConfigureManager"}}},
- {boost::beast::http::verb::put, {{"ConfigureManager"}}},
- {boost::beast::http::verb::delete_, {{"ConfigureManager"}}},
- {boost::beast::http::verb::post, {{"ConfigureManager"}}}};
+ {boost::beast::http::verb::get, {{"ConfigureComponents"}}},
+ {boost::beast::http::verb::head, {{"ConfigureComponents"}}},
+ {boost::beast::http::verb::patch, {{"ConfigureComponents"}}},
+ {boost::beast::http::verb::put, {{"ConfigureComponents"}}},
+ {boost::beast::http::verb::delete_, {{"ConfigureComponents"}}},
+ {boost::beast::http::verb::post, {{"ConfigureComponents"}}}};
}
private:
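Review bot: The comment above `entityPrivileges` mentions only GET and HEAD, but this hunk also moves PATCH, PUT, DELETE and POST from ConfigureManager to ConfigureComponents, and for POST that is a relaxation rather than a restriction. Assuming the standard Redfish role mapping, Operator accounts could not start an on-demand crashdump before and can now. If that is intended, the comment should say so, e.g. `// POST uses ConfigureComponents so Operator-level accounts can trigger an on-demand dump.`; if it is not, `{boost::beast::http::verb::post, {{"ConfigureManager"}}}` should stay. The constructor begins before this hunk.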
@@ -1962,6 +1974,8 @@
"/redfish/v1/Systems/system/LogServices/Crashdump/Actions/Oem/"
"Crashdump.SendRawPeci/")
{
+ // Note: Deviated from redfish privilege registry for GET & HEAD
+ // method for security reasons.
entityPrivileges = {
{boost::beast::http::verb::get, {{"ConfigureComponents"}}},
{boost::beast::http::verb::head, {{"ConfigureComponents"}}},
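Review bot: The comment added here documents GET and HEAD, which this commit does not change for Crashdump.SendRawPeci, while POST, the entry that actually gates the action, lies outside the hunk. The sibling Crashdump.OnDemand action has its POST privilege changed in this same commit, so it is worth confirming that SendRawPeci's POST requirement was reviewed as well. The comment could then state it, for example `// POST requires <privilege> for this action.` with the actual privilege filled in. The initializer list is cut off after the HEAD entry.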
@@ -2152,10 +2166,10 @@
entityPrivileges = {
{boost::beast::http::verb::get, {{"Login"}}},
{boost::beast::http::verb::head, {{"Login"}}},
- {boost::beast::http::verb::patch, {{"ConfigureManager"}}},
- {boost::beast::http::verb::put, {{"ConfigureManager"}}},
- {boost::beast::http::verb::delete_, {{"ConfigureManager"}}},
- {boost::beast::http::verb::post, {{"ConfigureManager"}}}};
+ {boost::beast::http::verb::patch, {{"ConfigureComponents"}}},
+ {boost::beast::http::verb::put, {{"ConfigureComponents"}}},
+ {boost::beast::http::verb::delete_, {{"ConfigureComponents"}}},
+ {boost::beast::http::verb::post, {{"ConfigureComponents"}}}};
}
private:
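Review bot: This block lowers the write verbs from ConfigureManager to ConfigureComponents without a comment, and the resource it belongs to is not visible in the hunk. If it is one of the ClearLog actions listed in the commit message, a line such as `// ClearLog is a LogService subordinate: ConfigureComponents per the Redfish privilege registry.` would record why. A clear removes log history and, assuming the standard role mapping, now becomes available to Operator accounts. It is therefore also worth checking that the handler (outside this hunk) records who issued the clear.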