commit | 720487803a1890e8d4e5d91463e7ec62b4b23f74 | |
---|---|---|
author | Abhishek Patel <Abhishek.Patel@ibm.com> | Wed Jun 02 09:53:24 2021 -0500 |
committer | Gunnar Mills <gmills@us.ibm.com> | Wed Jun 30 16:26:56 2021 +0000 |
tree | 05bef46a0578cdd00a0153f0d4273f2f6a72eb94 | |
parent | 7c8c4058e265f784679b9144ff33b89f50f1bf59 | |
Modify entityPrivileges for certificate service

DMTF published new entity privileges for certificate service classes, which modify the entity privileges of Certificate, CertificateCollection, CertificateLocations, and CertificateService on bmcweb. The modification restricts a user without "ConfigureManager" from accessing the CertificateCollection and Certificate schemas.

Redfish is a hypermedia API where the parent URI describes the sub-URI. Thus, restricting the sub-URI in the parent URI's data helps to forbid user access, making the rule stricter. So a sub-URI only gets displayed if a user has access to that URI. Restricting the link allows the Redfish Validator to pass.

These impact roles without ConfigureManager, which include operator and read-only. No access is not impacted since it already did not have access.

The following are bmcweb user consequences:

1. ReadOnly and Operator role users are no longer able to view certificates or the certificate collection (LDAP, HTTPS, TrustStore).
2. Operator role users are no longer able to replace the certificates (LDAP, HTTPS, TrustStore), install certificates (LDAP, HTTPS, TrustStore) or delete the TrustStore certificate. HTTPS and LDAP certificates do not have delete methods.

Resolves openbmc/bmcweb#61

Tested: manually tested on a Witherspoon system and ran Redfish-Service-Validator with all roles: root, operator, read-only, and No access. Tests pass for the root, operator, and read-only roles, and new errors get introduced for the no access role.

Signed-off-by: Abhishek Patel <Abhishek.Patel@ibm.com>
Change-Id: Ibc5eed7db7e224e46f8572df8bcfba2a1ff47644
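The rule the commit message describes (ConfigureManager required for Certificate and CertificateCollection, and a parent resource listing a sub-URI only for users who can access it), as an added C++ example that is not bmcweb's code. The role table uses the Redfish standard roles; the `Link` type, the `ExampleStatus` entity, the sample parent resource and the function names are assumptions made for illustration.

```cpp
#include <algorithm>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

using Privileges = std::set<std::string>;

// Privileges of the Redfish standard roles; NoAccess is modelled with none.
static const std::map<std::string, Privileges> rolePrivileges = {
    {"Administrator", {"Login", "ConfigureManager", "ConfigureUsers",
                       "ConfigureSelf", "ConfigureComponents"}},
    {"Operator", {"Login", "ConfigureComponents", "ConfigureSelf"}},
    {"ReadOnly", {"Login", "ConfigureSelf"}},
    {"NoAccess", Privileges{}}};

// Privileges required for GET. The certificate entries follow the commit
// message; "ExampleStatus" is a constructed entity added for contrast.
static const std::map<std::string, Privileges> requiredForGet = {
    {"Certificate", {"ConfigureManager"}},
    {"CertificateCollection", {"ConfigureManager"}},
    {"ExampleStatus", {"Login"}}};

// Needs every required privilege; an unknown role or entity is denied.
bool mayGet(const std::string& role, const std::string& entity) {
    auto r = rolePrivileges.find(role);
    auto e = requiredForGet.find(entity);
    if (r == rolePrivileges.end() || e == requiredForGet.end()) return false;
    return std::includes(r->second.begin(), r->second.end(),
                         e->second.begin(), e->second.end());
}

struct Link { std::string property; std::string entity; };
// Parent-resource links to serialize for `role`: only those it could GET.
std::vector<std::string> visibleLinks(const std::string& role,
                                      const std::vector<Link>& links) {
    std::vector<std::string> out;
    for (const Link& l : links)
        if (mayGet(role, l.entity)) out.push_back(l.property);
    return out;
}

int main() {
    // Constructed parent resource with one certificate link and one other link.
    const std::vector<Link> parent = {{"Certificates", "CertificateCollection"},
                                      {"Status", "ExampleStatus"}};
    for (const char* role : {"Administrator", "Operator", "ReadOnly", "NoAccess"})
        std::cout << role << ": " << visibleLinks(role, parent).size() << " link(s)\n";
}
```

Filtering the parent's links with the same check that guards the sub-resource keeps the two from drifting apart, which is the property the Redfish validator run in the commit message depends on.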
This component attempts to be a "do everything" embedded webserver for openbmc.
At this time, the webserver implements a few interfaces:
BMCWeb is configured by setting `-D` flags that correspond to options in `bmcweb/meson_options.txt` and then compiling. For example, `meson <builddir> -Dkvm=disabled ...` followed by `ninja` in the build directory. The option names become C++ preprocessor symbols that control which code is compiled into the program.
```sh
# Default options
meson builddir
ninja -C builddir
```

```sh
# Size-optimized build with LTO, tests disabled
meson builddir -Dbuildtype=minsize -Db_lto=true -Dtests=disabled
ninja -C builddir
```
If any of the dependencies are not found on the host system during configuration, meson automatically gets them via its wrap dependencies mentioned in `bmcweb/subprojects`.
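```sh
# Do not fall back to meson wraps for dependencies missing on the host
meson builddir -Dwrap_mode=nofallback
ninja -C builddir
```

```sh
# Debug build
meson builddir -Dbuildtype=debug
ninja -C builddir
```

```sh
# Coverage-instrumented build with tests enabled; the second command
# runs the coverage and test targets
meson builddir -Db_coverage=true -Dtests=enabled
ninja coverage -C builddir test
```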
When BMCWeb starts running, it reads persistent configuration data (such as UUID and session data) from a local file. If this is not usable, it generates a new configuration.
When BMCWeb SSL support is enabled and a usable certificate is not found, it will generate a self-signed certificate before launching the server. The keys are generated using the `secp384r1` curve. The certificate names `C=US, O=OpenBMC, CN=testhost` and uses the `SHA-256` algorithm.