LDAP Role Groups #38
Comments
The mockup shows Role Group Group Name "RG1" and privileges (Admin, Operator, User, None). Can you clarify in this issue/review that RG1 is defined by the LDAP server, and the privileges are defined by the BMC?
Thank you @joseph-reynolds I updated the description to include your comments about Group Name and Group Privileges. @edtanous, I also put your doc link about User Management in the description so it doesn't get lost in this comment string.
So far the group roles and privilege roles definitions follow https://github.com/openbmc/docs/blob/master/user_management.md. As the user_management.md describes, the group roles are used to determine at a high level whether the user is authorized to the required interface. Maybe the group definition could be treated in different ways. How about defining groups according to the server usage where the BMC is installed? For example, there are web application servers, email servers and ftp servers, and these servers are grouped as “webapp”, “email” and “ftp”. These servers are grouped by their application or usage, and bmc machines could be allocated in or moved out of these groups dynamically. Some accompanying LDIFs are presented for illustration.

Here is the server group definition LDIF.

    dn: ou=ap_group,dc=ldap,dc=example,dc=com
    dn: cn=ftp,ou=ap_group,dc=ldap,dc=example,dc=com

The attribute bmc-uid is defined to describe the BMC machines that the server application group contains. An LDIF example for the bmc machine description is as below.

    dn: ou=bmc,dc=ldap,dc=example,dc=com
    dn: bmc-uid=bmc1,ou=bmc,dc=ldap,dc=example,dc=com
    dn: bmc-uid=bmc2,ou=bmc,dc=ldap,dc=example,dc=com

The attribute “macAddress” is used to identify the bmc machine. The group roles defined in https://github.com/openbmc/docs/blob/master/user_management.md could be deemed as a user login interface. In this way, the administrator can assign the user login interfaces to the “server application” groups according to the admin’s plan. An LDIF is used to describe the scenario.

    dn: ou=login_info,uid=user1,ou=people,dc=ldap,dc=example,dc=com
    dn: cn=ftp,ou=login_info,uid=user1,ou=people,dc=ldap,dc=example,dc=com
    dn: cn=email,ou=login_info,uid=user1,ou=people,dc=ldap,dc=example,dc=com
    dn: cn=webserver,ou=login_info,uid=user1,ou=people,dc=ldap,dc=example,dc=com

The LDIF above shows a piece of login information for a specific user. The login information gathers the “server application” groups a user joins and how the user logs in to the “server application” groups in a predefined way. The user (user1) joins the “ftp” and “email” groups here. When user1 tries to log in to a BMC machine which belongs to a “ftp” group, the user can use the ssh, redfish, /dev/pts and /dev/tty interfaces for the login purpose.

    dn: bmc-uid=bmc1,cn=webserver,ou=login_info,uid=user1,ou=people,dc=ldap,dc=example,dc=com

The LDIF above describes the IPMI application setting for user1 in the webserver group on a BMC machine called “bmc1”. As for the user LDIF, an example is provided below.

    dn: ou=people,dc=ldap,dc=example,dc=com
    dn: uid=user1,ou=people,dc=ldap,dc=example,dc=com

The attributes mentioned by https://github.com/openbmc/phosphor-dbus-interfaces/tree/master/xyz/openbmc_project/User and https://github.com/openbmc/docs/blob/master/user_management.md are defined in this LDIF. Finally, here come the group LDIF and privilege LDIF mentioned by https://github.com/openbmc/docs/blob/master/user_management.md.

    dn: ou=group,dc=ldap,dc=example,dc=com
    dn: cn=ssh,ou=group,dc=ldap,dc=example,dc=com
    dn: cn=web,ou=group,dc=ldap,dc=example,dc=com
    dn: cn=ipmi,ou=group,dc=ldap,dc=example,dc=com
    dn: cn=redfish,ou=group,dc=ldap,dc=example,dc=com

Here, the groups are treated as a user login interface or channel.

    dn: ou=privRole,dc=ldap,dc=example,dc=com
    dn: privRoleID=priv-user,ou=privRole,dc=ldap,dc=example,dc=com
    dn: privRoleID=priv-admin,ou=privRole,dc=ldap,dc=example,dc=com
    dn: privRoleID=priv-callback,ou=privRole,dc=ldap,dc=example,dc=com
    dn: privRoleID=priv-operator,ou=privRole,dc=ldap,dc=example,dc=com

Privilege settings are stored in LDAP also. Some code patches for making the scenario described happen are required, of course. Your comments or suggestions are highly welcome.
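The resolution step the proposal above implies (which login interfaces a user gets on a given BMC, based on the application groups that BMC belongs to) as an added example; this is not code from the issue thread or from OpenBMC. The DN layout follows the comment, but the attribute names `loginInterface` and the sample LDIF itself are constructed assumptions, and a BMC in no matching group yields no interfaces.

```python
# Added example (not from the issue or OpenBMC): resolve login interfaces for a
# user on a BMC under the "server application group" layout proposed above.
# The DN layout follows the comment; "loginInterface" and the sample LDIF are
# constructed assumptions. Unknown BMCs and unmatched groups resolve to nothing.
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=ftp,ou=ap_group,dc=ldap,dc=example,dc=com
cn: ftp
bmc-uid: bmc1

dn: cn=webserver,ou=ap_group,dc=ldap,dc=example,dc=com
cn: webserver
bmc-uid: bmc2

dn: cn=ftp,ou=login_info,uid=user1,ou=people,dc=ldap,dc=example,dc=com
cn: ftp
loginInterface: ssh
loginInterface: redfish

dn: cn=email,ou=login_info,uid=user1,ou=people,dc=ldap,dc=example,dc=com
cn: email
loginInterface: web
"""

def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}; no folding or base64."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[attr].append(value)
    return entries

def groups_for_bmc(entries, bmc_uid):
    """Application groups (cn under ou=ap_group) listing this bmc-uid."""
    base = "ou=ap_group,dc=ldap,dc=example,dc=com"
    return {a.get("cn", [""])[0] for dn, a in entries.items()
            if dn.endswith("," + base) and bmc_uid in a.get("bmc-uid", [])}

def allowed_interfaces(entries, uid, bmc_uid):
    """Union of loginInterface values from the user's login_info entries
    whose cn matches a group containing the BMC; empty set otherwise."""
    base = f"ou=login_info,uid={uid},ou=people,dc=ldap,dc=example,dc=com"
    groups = groups_for_bmc(entries, bmc_uid)
    allowed = set()
    for dn, a in entries.items():
        if dn.endswith("," + base) and a.get("cn", [""])[0] in groups:
            allowed.update(a.get("loginInterface", []))
    return allowed
```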
Hi Susan: May I know where I could retrieve webui page resources represented in LDAP Settings - InVision Mockups for testing 11-2018? Thank you. Regards,
@warp5tw I am not sure what you mean by "resources represented in LDAP Settings". Can you be more specific about what you need?
Hi Susan: Where could I download these web pages that show LDAP Settings - InVision Mockups for testing 11-2018? Sorry for my unclear statement.
@warp5tw I am still uncertain what you need from me. The image that you see in the Invision app is a drawing only, the web UI panel does not exist yet. The purpose of this feedback review is to gather comments from the open community so that we can adjust the design before coding in order to have less re-work for developers. If you tell me what you are trying to do, perhaps I can assess what you need from me. Regarding your proposal for redefining groups according to server usage where BMC is installed, this is an architectural decision. Feel free to add this to the Open Community Call agenda on an upcoming Monday to discuss whether we should implement your idea and, if yes, then who will work on it and how it will affect the GUI panel design.
@susantjasinski I get your point now because I thought that the web UI panel existed. Originally my idea was to use these web UI panels to test my own LDAP configurations and implementations. That's the whole story. Thank you for your information about the OpenBMC Community Call agenda and I'll check it. Thank you again.
New Changes to the Page Layout coming in January based on feedback ...
Current design: https://ibm.invisionapp.com/share/RQNYHJ0VBDY#/318942513_LDAP_Disabled Open questions:
Adds LDAP page and ability to add and change configuration settings. Adds ability to add, remove and edit user groups for LDAP. Resolves openbmc/phosphor-webui#38 Resolves openbmc/phosphor-webui#39 Tested: Loaded on to a witherspoon and able to add initial LDAP config as well us update the configuration and role groups. Appropriate messages displayed to user when required fields are missing or in the incorrect format. Change-Id: If8a21f3f9d9334415ead73472e90b2a0823bf9ea Signed-off-by: beccabroek <beccabroek@gmail.com> Signed-off-by: Dixsie Wolmers <dixsiew@gmail.com>
Adds LDAP page and ability to add and change configuration settings. Adds ability to add, remove and edit user groups for LDAP. Resolves openbmc/phosphor-webui#38 Resolves openbmc/phosphor-webui#39 Tested: Loaded on to a witherspoon and able to add initial LDAP config as well us update the configuration and role groups. Appropriate messages displayed to user when required fields are missing or in the incorrect format. Change-Id: If8a21f3f9d9334415ead73472e90b2a0823bf9ea Signed-off-by: beccabroek <beccabroek@gmail.com> Signed-off-by: Dixsie Wolmers <dixsiew@gmail.com> Conflicts: app/common/directives/ldap-user-roles.html
LDAP Settings - InVision Mockups for testing 11-2018
System Admins need to add and remove Role Groups of users (as defined by the LDAP server) who can access the BMC through the LDAP server, and modify their privileges.