
Redfish does not provide option to specify group roles for a user

Open rahulmah opened this issue 6 years ago • 4 comments

Redfish does not provide an option to specify group roles for a user. As per the user management design - https://github.com/openbmc/docs/blob/master/user_management.md#openbmc---user-management---user-creation-from-webserver-flow---with-all-groups, we should be able to set different group roles for a user.

I checked with development and found that it's not in their current priority. I have opened this issue to track its development.

```
bash-4.1$ curl -k -H "X-Auth-Token: $bmc_token" -X GET https://${BMC_IP}/redfish/v1/AccountService/Accounts/newuser
{
  "@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
  "@odata.id": "/redfish/v1/AccountService/Accounts/newuser",
  "@odata.type": "#ManagerAccount.v1_0_3.ManagerAccount",
  "Description": "User Account",
  "Enabled": true,
  "Id": "newuser",
  "Links": {
    "Role": {
      "@odata.id": "/redfish/v1/AccountService/Roles/Administrator"
    }
  },
  "Locked": false,
  "Name": "User Account",
  "Password": null,
  "RoleId": "Administrator",
  "UserName": "newuser"
}
bash-4.1$
```

rahulmah avatar Mar 12 '19 11:03 rahulmah

At this point in time, the REDFISH schema doesn't provide direct support to mark user accounts for different app authentication levels (i.e. IPMI / REDFISH / Web); either we need to overload existing roles or use an OEM schema. Similarly, IPMI also doesn't have any command to do the same. OEM commands have to be defined for this. Note: Back-end support in phosphor-user-manager exists, and enhancements are required in IPMI / REDFISH to support the same. Good that this is tracked using the enhancement label.

rthomaiy avatar Mar 14 '19 15:03 rthomaiy

@joseph-reynolds asked Redfish yesterday for some way to support our user groups (ssh, ipmi, redfish, and web)

Redfish was receptive to adding something for us. Their initial thought was adding additional enums to the array AccountTypes

                "AccountTypes": {
                    "description": "The account types.",
                    "items": {
                        "anyOf": [
                            {
                                "$ref": "#/definitions/AccountTypes"
                            },
                            {
                                "type": "null"
                            }
                        ]
                    },
                    "longDescription": "This property shall contain an array of the various account types that apply to the account.  If this property is not provided by the client, the default value shall be an array with the single value `Redfish`.",
                    "readonly": false,
                    "type": "array",
    "definitions": {
        "AccountTypes": {
            "enum": [
                "Redfish",
                "SNMP",
                "OEM"
            ],

https://redfish.dmtf.org/schemas/v1/ManagerAccount.v1_6_1.json

If you have access to Redfish (you must be a Redfish promoter or supporter member): https://github.com/DMTF/Redfish/issues/4189

gtmills avatar Sep 11 '20 15:09 gtmills

This was recently added to Redfish. See AccountTypes https://redfish.dmtf.org/schemas/v1/ManagerAccount.v1_7_0.json http://redfish.dmtf.org/schemas/v1/ManagerAccount.json#/definitions/AccountTypes

gtmills avatar May 19 '21 00:05 gtmills
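
An added example (not part of the original thread and not bmcweb code): a Python audit over ManagerAccount resources that reports accounts which do not expose `AccountTypes` at all, as in the v1_0_3 response above, and accounts whose types exceed a per-role interface policy. The policy table, the sample accounts, and the `IPMI`, `WebUI` and `ManagerConsole` values (from later ManagerAccount schema versions) are assumptions for illustration.

```python
# Hypothetical site policy: which access interfaces each Redfish role may hold.
ALLOWED_BY_ROLE = {
    "Administrator": {"Redfish", "WebUI", "IPMI", "ManagerConsole"},
    "Operator": {"Redfish", "WebUI"},
    "ReadOnly": {"Redfish"},
}

# Constructed sample resources; the first mirrors the response shown in the issue.
SAMPLE_ACCOUNTS = [
    {"Id": "newuser", "UserName": "newuser", "RoleId": "Administrator"},
    {"Id": "opsuser", "UserName": "opsuser", "RoleId": "Operator",
     "AccountTypes": ["Redfish", "IPMI", None]},
    {"Id": "viewer", "UserName": "viewer", "RoleId": "ReadOnly",
     "AccountTypes": ["Redfish"]},
]


def audit_account(account, policy=ALLOWED_BY_ROLE):
    """Return a list of findings for one ManagerAccount resource (a dict)."""
    name = account.get("UserName") or account.get("Id", "<unknown>")
    role = account.get("RoleId")
    if "AccountTypes" not in account:
        # Older schema versions carry no such property, so the interfaces
        # this account can use cannot be read from the resource.
        return [f"{name}: AccountTypes not reported; interface access unknown"]
    # The schema excerpt allows null items ("anyOf": [..., {"type": "null"}]).
    types = {t for t in (account["AccountTypes"] or []) if t is not None}
    allowed = policy.get(role)
    if allowed is None:
        return [f"{name}: role {role!r} has no policy entry"]
    extra = sorted(types - allowed)
    if extra:
        return [f"{name}: {role} account exceeds policy: {', '.join(extra)}"]
    return []


def audit_all(accounts, policy=ALLOWED_BY_ROLE):
    """Flatten the findings for a collection of account resources."""
    return [f for acct in accounts for f in audit_account(acct, policy)]


if __name__ == "__main__":
    for finding in audit_all(SAMPLE_ACCOUNTS):
        print(finding)
```
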

@rahulmah This still needs to be implemented in bmcweb, if you wanted to keep this open. I am fine either way.

gtmills avatar May 19 '21 14:05 gtmills

No progress on this in some time, and significant changes have been made. Please reopen if this is still in progress.

edtanous avatar Mar 27 '23 17:03 edtanous