Separate ManagerConsole and HostConsole access #15
Comments
|
@gtmills @ratagupt @rthomaiy Any plans to separate ssh into userGroup HostConsole and ManagerConsole? I am interested in getting the acountType PATCH support (https://gerrit.openbmc.org/c/openbmc/bmcweb/+/50965) and this is a requite for PATCH. This is where the accountType split is discussed : https://gerrit.openbmc.org/c/openbmc/bmcweb/+/50835. I think it is easiest to add new group named hostConsole and keep managerConsole mapped to ssh. |
|
Another wrinkle is that the SSH interface And (if desired) to keep the same behavior when new users are created, the default for the Redfish AccountTypes property would be to add the "ssh" and "hostconsole" groups exactly when role=Administrator. |
The new pre-defined usergroup named "hostconsole" is added to differentiate access between host console and manager console. The only users allowed to interact with host console are part of the "hostconsole" group. This is a fixed is the github issue: openbmc/phosphor-user-manager#15 In commit https://gerrit.openbmc.org/c/openbmc/bmcweb/+/50835 ssh was mapped to both ManagerConsole and HostConsole. The split is discussed in the commit https://gerrit.openbmc.org/c/openbmc/bmcweb/+/50835?tab=comments Note: The changes are spread across multiple repositories listed under "Related commits:" The openbmc changes are as follows: - Removed a dependency on dropbear.default file. Added a new environment file dropbear.env for obmc-console. If we want to add port specific configuration then we can add dropbear.%i.env file. - The DROPBEAR_EXTRA_ARGS variable updated to include "-G hostconsole" flag. - New update script added to add new hostconsole group and also add all users part of the priv-admin group to this new group. - Similarly changes are made to add new group during install time and add root user in this group. Tested: Loaded on system and qemu eumulator. Made sure that the only user can ssh to host console are member of hostconsole group. Related commits: docs: https://gerrit.openbmc.org/c/openbmc/docs/+/60968 phosphor-user-manager: https://gerrit.openbmc.org/c/openbmc/phosphor-user-manager/+/61583 openbmc: https://gerrit.openbmc.org/c/openbmc/openbmc/+/61582 obmc-console: https://gerrit.openbmc.org/c/openbmc/obmc-console/+/61581 bmcweb: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/61580 Change-Id: Icced48da188fb76828bf4ff5c705d6f1300ae3e7 Signed-off-by: Ninad Palsule <ninadpalsule@us.ibm.com>
|
This task is complete with following commits.
|
|
This merged. Thanks @ninadpalsule ! |
The new pre-defined usergroup named "hostconsole" is added to differentiate access between host console and manager console. The only users allowed to interact with host console are part of the "hostconsole" group. This is a fixed is the github issue: openbmc/phosphor-user-manager#15 In commit https://gerrit.openbmc.org/c/openbmc/bmcweb/+/50835 ssh was mapped to both ManagerConsole and HostConsole. The split is discussed in the commit https://gerrit.openbmc.org/c/openbmc/bmcweb/+/50835?tab=comments Note: The changes are spread across multiple repositories listed under "Related commits:" The openbmc changes are as follows: - Removed a dependency on dropbear.default file. Added a new environment file dropbear.env for obmc-console. If we want to add port specific configuration then we can add dropbear.%i.env file. - The DROPBEAR_EXTRA_ARGS variable updated to include "-G hostconsole" flag. - New update script added to add new hostconsole group and also add all users part of the priv-admin group to this new group. - Similarly changes are made to add new group during install time and add root user in this group. Tested: Loaded on system and qemu eumulator. Made sure that the only user can ssh to host console are member of hostconsole group. Related commits: docs: https://gerrit.openbmc.org/c/openbmc/docs/+/60968 phosphor-user-manager: https://gerrit.openbmc.org/c/openbmc/phosphor-user-manager/+/61583 openbmc: https://gerrit.openbmc.org/c/openbmc/openbmc/+/61582 obmc-console: https://gerrit.openbmc.org/c/openbmc/obmc-console/+/61581 bmcweb: https://gerrit.openbmc.org/c/openbmc/bmcweb/+/61580 Change-Id: Icced48da188fb76828bf4ff5c705d6f1300ae3e7 Signed-off-by: Ninad Palsule <ninadpalsule@us.ibm.com>
Redfish has both ManagerConsole and HostConsole. OpenBMC only has 1 group for these "ssh"
In https://gerrit.openbmc.org/c/openbmc/bmcweb/+/50835/ ssh was mapped to both ManagerConsole and HostConsole.
It makes sense these are different "can log into the BMC console" is different than "can log into the host console" and users could have one and not the other.
We should solve this before https://gerrit.openbmc.org/c/openbmc/bmcweb/+/50965 goes in because switching would change behavior in a breaking way.
In IPMI, these are a difference between operator and admin roles.
https://github.com/openbmc/docs/blob/master/architecture/user-management.md#supported-group-roles
phosphor-user-manager/user_mgr.hpp
Line 201 in f1b69fa
The text was updated successfully, but these errors were encountered: