Added new pre-defined usergroup called hostconsole
The new pre-defined usergroup named "hostconsole" is added to
differentiate access between host console and manager console.
The only users allowed to interact with host console are part of the
"hostconsole" group and they are in an administrator role.
Note: The changes are spread across multiple repositories listed under
"Related commits:"
The bmcweb changes to incorporate new group are as follows:
- The new user is added in the hostconsole group only if it has an
administrative role.
- The ssh usergroup is only translated to ManagerConsole redfish group
and hostconsole usergroup is translated to HostConsole redfish group.
- The following changes are made to check the privileges for host console
access
- The new OEM privilege "OpenBMCHostConsole" added for host console
access. This privilege is not shared externally hence it is not
documented.
- Updated obmc_console BMCWEB_ROUTE to use the new privilege.
- Router functions now save user role and user groups in the session
- getUserPrivileges() function now takes session reference instead
of user role. This function now also checks for the user group
"hostconsole" and add the new privilege if user is member of this
group.
- Updated all callers of the getUserPrivileges to pass session
reference.
- Added test to validate that new privilege is set correctly.
Tested:
Loaded code on the system and validated that;
- New user gets added in hostconsole group. NOTE: Prior to this commit
all groups are assigned to new user. This drop does not change that
behavior.
- Access from the web gui is only available for users in hostconsole
group. Used IBM internal simulator called simics to test this. This
simulator allows accessing openbmc from GUI.
- Checked the role collection and there is no change.
$ curl -k -H "X-Auth-Token: $TOKEN" -X GET \
https://${bmc}/redfish/v1/AccountService/Roles
$ curl -k -H "X-Auth-Token: $TOKEN" -X GET \
https://${bmc}/redfish/v1/AccountService/Roles/Administrator
$ curl -k -H "X-Auth-Token: $TOKEN" -X GET \
https://${bmc}/redfish/v1/AccountService/Roles/ReadOnly
$ curl -k -H "X-Auth-Token: $TOKEN" -X GET \
https://${bmc}/redfish/v1/AccountService/Roles/Operator
- HostConsole is in AccountType when hostconsole group is present in
UserGroups D-Bus property
$ id user99
uid=1006(user99) gid=100(users) groups=1000(priv-admin),1005(web),\
1006(redfish),1013(hostconsole),100(users)
$ curl -k https://${bmc}/redfish/v1/AccountService/Accounts/user99
{
"@odata.id": "/redfish/v1/AccountService/Accounts/user99",
"@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount",
"AccountTypes": [
"HostConsole",
"Redfish",
"WebUI",
"ManagerConsole"
],
"Description": "User Account",
"Enabled": true,
"Id": "user99",
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
}
},
"Locked": false,
"Locked@Redfish.AllowableValues": [
"false"
],
"Name": "User Account",
"Password": null,
"PasswordChangeRequired": false,
"RoleId": "Administrator",
"UserName": "user99"
- The hostconsole group is not present for readonly or operator users
and also made sure that console access is not provided. This testing
is done one the system and console access was tried by modifying the
https://github.com/openbmc/bmcweb/blob/master/scripts/websocket_test.py
+ curl -k https://${bmc}/redfish/v1/AccountService/Accounts/user99
{
"@odata.id": "/redfish/v1/AccountService/Accounts/user99",
"@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount",
"AccountTypes": [
"IPMI",
"Redfish",
"WebUI",
"ManagerConsole"
],
"Description": "User Account",
"Enabled": true,
"Id": "user99",
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/ReadOnly"
}
},
"Locked": false,
"Locked@Redfish.AllowableValues": [
"false"
],
"Name": "User Account",
"Password": null,
"PasswordChangeRequired": false,
"RoleId": "ReadOnly",
"UserName": "user99"
[INFO "http_connection.hpp":209] Request: 0x150ac38 HTTP/1.1 GET /console0 ::ffff:x.x.xx.xxx
[DEBUG "routing.hpp":1265] Matched rule (upgrade) '/console0' 1 / 2
[DEBUG "routing.hpp":1084] userName = user99 userRole = priv-user
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=ipmi
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=redfish
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=ssh
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=web
[DEBUG "routing.hpp":93] checkPrivileges: BASE USER: Login
[DEBUG "routing.hpp":93] checkPrivileges: BASE USER: ConfigureSelf
[DEBUG "routing.hpp":113] checkPrivileges: OEM REQUIRED: OpenBMCHostConsole
[ERROR "routing.hpp":1192] Insufficient Privilege
+ curl -k https://${bmc}/redfish/v1/AccountService/Accounts/user99
{
"@odata.id": "/redfish/v1/AccountService/Accounts/user99",
"@odata.type": "#ManagerAccount.v1_4_0.ManagerAccount",
"AccountTypes": [
"IPMI",
"Redfish",
"WebUI",
"ManagerConsole"
],
"Description": "User Account",
"Enabled": true,
"Id": "user99",
"Links": {
"Role": {
"@odata.id": "/redfish/v1/AccountService/Roles/Operator"
}
},
"Locked": false,
"Locked@Redfish.AllowableValues": [
"false"
],
"Name": "User Account",
"Password": null,
"PasswordChangeRequired": false,
"RoleId": "Operator",
"UserName": "user99"
[INFO "http_connection.hpp":209] Request: 0x21c7c38 HTTP/1.1 GET /console0 ::ffff:x.x.xx.xxx
[DEBUG "routing.hpp":1265] Matched rule (upgrade) '/console0' 1 / 2
[DEBUG "routing.hpp":1084] userName = user99 userRole = priv-operator
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=ipmi
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=redfish
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=ssh
[DEBUG "routing.hpp":1123] IsUserPrivileged: group=web
[DEBUG "routing.hpp":93] checkPrivileges: BASE USER: Login
[DEBUG "routing.hpp":93] checkPrivileges: BASE USER: ConfigureComponents
[DEBUG "routing.hpp":93] checkPrivileges: BASE USER: ConfigureSelf
[DEBUG "routing.hpp":113] checkPrivileges: OEM REQUIRED: OpenBMCHostConsole
[ERROR "routing.hpp":1192] Insufficient Privilege
Related commits:
NOTE: docs, openbmc, obmc-console changes are already merged. bmcweb
and phosphor-user-manager will be merged together.
docs: https://gerrit.openbmc.org/c/openbmc/docs/+/60968
phosphor-user-manager: https://gerrit.openbmc.org/c/openbmc/phosphor-user-manager/+/61583
openbmc: https://gerrit.openbmc.org/c/openbmc/openbmc/+/61582
obmc-console: https://gerrit.openbmc.org/c/openbmc/obmc-console/+/61581
bmcweb: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/61580
Change-Id: Ia5a33dafc9a76444e6a8e74e752f0f90cb0a31c8
Signed-off-by: Ninad Palsule <ninadpalsule@us.ibm.com>
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index b4c9205..c8fd196 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -135,9 +135,14 @@
}
else if (userGroup == "ssh")
{
- accountTypes.emplace_back("HostConsole");
accountTypes.emplace_back("ManagerConsole");
}
+ else if (userGroup == "hostconsole")
+ {
+ // The hostconsole group controls who can access the host console
+ // port via ssh and websocket.
+ accountTypes.emplace_back("HostConsole");
+ }
else if (userGroup == "web")
{
// 'web' is one of the valid groups in the UserGroups property of
@@ -1293,6 +1298,13 @@
{
return;
}
+
+ if (req.session == nullptr)
+ {
+ messages::internalError(asyncResp->res);
+ return;
+ }
+
asyncResp->res.addHeader(
boost::beast::http::field::link,
"</redfish/v1/JsonSchemas/AccountService/AccountService.json>; rel=describedby");
@@ -1327,7 +1339,7 @@
// ConfigureManager can access then only display when the user has
// permissions ConfigureManager
Privileges effectiveUserPrivileges =
- redfish::getUserPrivileges(req.userRole);
+ redfish::getUserPrivileges(*req.session);
if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
effectiveUserPrivileges))
@@ -1526,6 +1538,13 @@
{
return;
}
+
+ if (req.session == nullptr)
+ {
+ messages::internalError(asyncResp->res);
+ return;
+ }
+
asyncResp->res.addHeader(
boost::beast::http::field::link,
"</redfish/v1/JsonSchemas/ManagerAccountCollection.json>; rel=describedby");
@@ -1538,7 +1557,7 @@
asyncResp->res.jsonValue["Description"] = "BMC User Accounts";
Privileges effectiveUserPrivileges =
- redfish::getUserPrivileges(req.userRole);
+ redfish::getUserPrivileges(*req.session);
std::string thisUser;
if (req.session)
@@ -1646,14 +1665,26 @@
const std::vector<std::string>& allGroupsList)
{
+ std::vector<std::string> userGroups;
+ for (const auto& grp : allGroupsList)
+ {
+ // Console access is provided to the user who is a member of
+ // hostconsole group and has a administrator role. So, set
+ // hostconsole group only for the administrator.
+ if ((grp != "hostconsole") || (roleId == "priv-admin"))
+ {
+ userGroups.emplace_back(grp);
+ }
+ }
+
crow::connections::systemBus->async_method_call(
[asyncResp, username, password](const boost::system::error_code& ec2,
sdbusplus::message_t& m) {
processAfterCreateUser(asyncResp, username, password, ec2, m);
},
"xyz.openbmc_project.User.Manager", "/xyz/openbmc_project/user",
- "xyz.openbmc_project.User.Manager", "CreateUser", username,
- allGroupsList, *roleId, *enabled);
+ "xyz.openbmc_project.User.Manager", "CreateUser", username, userGroups,
+ *roleId, *enabled);
}
inline void handleAccountCollectionPost(
@@ -1754,7 +1785,7 @@
// have permissions to modify other users, so re-run the auth
// check with the same permissions, minus ConfigureSelf.
Privileges effectiveUserPrivileges =
- redfish::getUserPrivileges(req.userRole);
+ redfish::getUserPrivileges(*req.session);
Privileges requiredPermissionsToChangeNonSelf = {"ConfigureUsers",
"ConfigureManager"};
if (!effectiveUserPrivileges.isSupersetOf(
@@ -1965,7 +1996,7 @@
}
Privileges effectiveUserPrivileges =
- redfish::getUserPrivileges(req.userRole);
+ redfish::getUserPrivileges(*req.session);
Privileges configureUsers = {"ConfigureUsers"};
bool userHasConfigureUsers =
effectiveUserPrivileges.isSupersetOf(configureUsers);
diff --git a/redfish-core/lib/certificate_service.hpp b/redfish-core/lib/certificate_service.hpp
index 027e05d..d4df6c8 100644
--- a/redfish-core/lib/certificate_service.hpp
+++ b/redfish-core/lib/certificate_service.hpp
@@ -404,6 +404,12 @@
return;
}
+ if (req.session == nullptr)
+ {
+ messages::internalError(asyncResp->res);
+ return;
+ }
+
asyncResp->res.jsonValue["@odata.type"] =
"#CertificateService.v1_0_0.CertificateService";
asyncResp->res.jsonValue["@odata.id"] = "/redfish/v1/CertificateService";
@@ -415,7 +421,7 @@
// only ConfigureManager can access then only display when the user
// has permissions ConfigureManager
Privileges effectiveUserPrivileges =
- redfish::getUserPrivileges(req.userRole);
+ redfish::getUserPrivileges(*req.session);
if (isOperationAllowedWithPrivileges({{"ConfigureManager"}},
effectiveUserPrivileges))
{
diff --git a/redfish-core/lib/network_protocol.hpp b/redfish-core/lib/network_protocol.hpp
index e4a4b56..be84246 100644
--- a/redfish-core/lib/network_protocol.hpp
+++ b/redfish-core/lib/network_protocol.hpp
@@ -154,6 +154,12 @@
inline void getNetworkData(const std::shared_ptr<bmcweb::AsyncResp>& asyncResp,
const crow::Request& req)
{
+ if (req.session == nullptr)
+ {
+ messages::internalError(asyncResp->res);
+ return;
+ }
+
asyncResp->res.addHeader(
boost::beast::http::field::link,
"</redfish/v1/JsonSchemas/ManagerNetworkProtocol/NetworkProtocol.json>; rel=describedby");
@@ -216,7 +222,7 @@
});
Privileges effectiveUserPrivileges =
- redfish::getUserPrivileges(req.userRole);
+ redfish::getUserPrivileges(*req.session);
// /redfish/v1/Managers/bmc/NetworkProtocol/HTTPS/Certificates is
// something only ConfigureManager can access then only display when
diff --git a/redfish-core/lib/redfish_sessions.hpp b/redfish-core/lib/redfish_sessions.hpp
index c41b0df..0608333 100644
--- a/redfish-core/lib/redfish_sessions.hpp
+++ b/redfish-core/lib/redfish_sessions.hpp
@@ -112,7 +112,7 @@
session->username != req.session->username)
{
Privileges effectiveUserPrivileges =
- redfish::getUserPrivileges(req.userRole);
+ redfish::getUserPrivileges(*req.session);
if (!effectiveUserPrivileges.isSupersetOf({"ConfigureUsers"}))
{