Documented hostconsole as pre-defined usergroup
The new pre-defined usergroup named "hostconsole" is added to
differentiate access between host console and manager console.
The only users allowed to interact with host console are part of the
"hostconsole" group.
Note: The changes are spread across multiple repositories listed under
"Related commits:"
Related drops:
docs: https://gerrit.openbmc.org/c/openbmc/docs/+/60968
phosphor-user-manager: https://gerrit.openbmc.org/c/openbmc/phosphor-user-manager/+/61583
openbmc: https://gerrit.openbmc.org/c/openbmc/openbmc/+/61582
obmc-console: https://gerrit.openbmc.org/c/openbmc/obmc-console/+/61581
bmcweb: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/61580
Change-Id: I45124aa13b2200e6a69f865c667d7bd6014e15ba
Signed-off-by: Ninad Palsule <ninadpalsule@us.ibm.com>
diff --git a/architecture/user-management.md b/architecture/user-management.md
index e47cd4e..51d2497 100644
--- a/architecture/user-management.md
+++ b/architecture/user-management.md
@@ -45,19 +45,20 @@
_Note: Group names are for representation only and can be modified/extended
based on the need_
-| Sl. No | Group Name | Purpose / Comments |
-| -----: | ---------- | ---------------------------------------------------------------- |
-| 1 | ssh | Users in this group are only allowed to login through SSH. |
-| 2 | ipmi | Users in this group are only allowed to use IPMI Interface. |
-| 3 | redfish | Users in this group are only allowed to use REDFISH Interface. |
-| 4 | web | Users in this group are only allowed to use webserver Interface. |
+| Sl. No | Group Name | Purpose / Comments |
+| -----: | ----------- | ------------------------------------------------------------------- |
+| 1 | ssh | Users in this group are only allowed to login through SSH. |
+| 2 | ipmi | Users in this group are only allowed to use IPMI Interface. |
+| 3 | redfish | Users in this group are only allowed to use REDFISH Interface. |
+| 4 | web | Users in this group are only allowed to use webserver Interface. |
+| 5 | hostconsole | Users in this group are only allowed to interact with host console. |
## Supported Privilege Roles
OpenBMC supports privilege roles which are common across all the supported
-groups (i.e. User will have same privilege for REDFISH / Webserver / IPMI /
-SSH). User can belong to any one of the following privilege roles at any point
-of time.
+groups (i.e. User will have same privilege for REDFISH / Webserver / IPMI / SSH
+/ HostConsole). User can belong to any one of the following privilege roles at
+any point of time.
_Note: Privileges are for representation only and can be modified/extended based
on the need_
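Review bot: The new row 5 reads "Users in this group are only allowed to interact with host console", which can be taken to mean that membership restricts a user to the host console, while the commit message describes the opposite direction: membership is required to reach the host console. Consider wording the row as a requirement, for example "Only users in this group are allowed to interact with the host console", so the access rule is unambiguous. In the same hunk the interface is spelled "HostConsole" in the privilege-roles paragraph but "hostconsole" (group) and "host console" (purpose column) in the table; pick one spelling for the interface name. Since that paragraph now says a user has the same privilege on HostConsole as on the other interfaces, it would also help to state what each privilege role is permitted to do on the host console, because the visible text does not say whether group membership alone is sufficient.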
@@ -438,9 +439,10 @@
## LDAP
-SSH, Redfish and Webserver interface allows the user to authenticate against an
-LDAP directory. IPMI interface cannot be used to authenticate against LDAP,
-since IPMI needs the password in clear text at the time of session setup.
+SSH, Redfish, Webserver and HostConsole interface allows the user to
+authenticate against an LDAP directory. IPMI interface cannot be used to
+authenticate against LDAP, since IPMI needs the password in clear text at the
+time of session setup.
In OpenBMC, PAM based authentication is implemented, so for both LDAP users and
local users, the authentication flow is the same.
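Review bot: The rewritten LDAP sentence adds HostConsole to the interfaces that can authenticate against LDAP, but nothing in this hunk says how an LDAP-authenticated user comes to be in the "hostconsole" group that the table above makes the condition for host console access. Please document how group membership is determined for LDAP users, or state that it is covered elsewhere in the file, so readers do not assume a successful LDAP login is enough. Minor grammar in the same sentence: with four subjects it should read "SSH, Redfish, Webserver and HostConsole interfaces allow the user to authenticate".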