author | Asmitha Karunanithi <asmitk01@in.ibm.com> | 2022-03-25 10:59:03 +0300 |
committer | Asmitha Karunanithi <asmitk01@in.ibm.com> | 2022-11-17 10:29:07 +0300 |
commit | 239adf852bba7f9971eb471c52cd024156a860eb (patch) | |
tree | e882292e5700ab40dfb5a14756c8608f60fdb341 | |
parent | 2ea468a096638b3ad829c538605ef3bcdbbff4ce (diff) | |
download | bmcweb-239adf852bba7f9971eb471c52cd024156a860eb.tar.xz |
Remove support for priv-noaccess role
A user created with no-access privilege is allowed to login
but cannot logout. Any no-access user can create many
login sessions and exhaust the BMC without logging out.
No-access role was basically added to support the IPMI usecase,
where a user can be created first and then is assigned a privilege.
This is being reworked at IPMI interface and the dependency on the
no-access privilege is being removed completely. Following two
commits were added to support the priv-noaccess in user-manager
and bmcweb:
[1] https://github.com/openbmc/bmcweb/commit/e9e6d240ab85e515f8d264e39b47a75043b73374
[2] https://github.com/openbmc/phosphor-user-manager/commit/7c6e7cffaf061aabfe5489ef52442e2f7cbd0fb7
This commit removes the no-access role support at bmcweb by
reverting the commit:
[1] https://github.com/openbmc/bmcweb/commit/e9e6d240ab85e515f8d264e39b47a75043b73374
The user-manager change w.r.t this change is at:
[1] https://gerrit.openbmc-project.xyz/c/openbmc/phosphor-user-manager/+/52363
Tested By:
1. Create an LDAP user with priv-noaccess. Verify the login attempt
fails with accessDenied error
2. Verified the other role users can login
Signed-off-by: Asmitha Karunanithi <asmitk01@in.ibm.com>
Change-Id: I5ac8a58d9146379c9ce3be804d476ea85835bb2f
-rw-r--r-- | redfish-core/lib/account_service.hpp | 25 | ||||
-rw-r--r-- | redfish-core/lib/roles.hpp | 8 |
2 files changed, 1 insertions, 32 deletions
diff --git a/redfish-core/lib/account_service.hpp b/redfish-core/lib/account_service.hpp
index 0cef7a36a6..8ccab655ca 100644
--- a/redfish-core/lib/account_service.hpp
+++ b/redfish-core/lib/account_service.hpp
@@ -88,10 +88,6 @@ inline std::string getRoleIdFromPrivilege(std::string_view role)
     {
         return "Operator";
     }
-    if (role.empty() || (role == "priv-noaccess"))
-    {
-        return "NoAccess";
-    }
     return "";
 }
 inline std::string getPrivilegeFromRoleId(std::string_view role)
@@ -108,10 +104,6 @@ inline std::string getPrivilegeFromRoleId(std::string_view role)
     {
         return "priv-operator";
     }
-    if ((role == "NoAccess") || (role.empty()))
-    {
-        return "priv-noaccess";
-    }
     return "";
 }
 
@@ -1244,10 +1236,6 @@ inline void updateUserProperties(std::shared_ptr<bmcweb::AsyncResp> asyncResp,
                                              "RoleId");
             return;
         }
-        if (priv == "priv-noaccess")
-        {
-            priv = "";
-        }
 
         crow::connections::systemBus->async_method_call(
             [asyncResp](const boost::system::error_code ec) {
@@ -1633,18 +1621,7 @@ inline void handleAccountCollectionPost(
         messages::propertyValueNotInList(asyncResp->res, *roleId, "RoleId");
         return;
     }
-    // TODO: Following override will be reverted once support in
-    // phosphor-user-manager is added. In order to avoid dependency
-    // issues, this is added in bmcweb, which will removed, once
-    // phosphor-user-manager supports priv-noaccess.
-    if (priv == "priv-noaccess")
-    {
-        roleId = "";
-    }
-    else
-    {
-        roleId = priv;
-    }
+    roleId = priv;
 
     // Reading AllGroups property
     sdbusplus::asio::getProperty<std::vector<std::string>>(
diff --git a/redfish-core/lib/roles.hpp b/redfish-core/lib/roles.hpp
index ef7b5f48a8..962a1c2491 100644
--- a/redfish-core/lib/roles.hpp
+++ b/redfish-core/lib/roles.hpp
@@ -39,10 +39,6 @@ inline std::string getRoleFromPrivileges(std::string_view priv)
     {
         return "Operator";
     }
-    if (priv == "priv-noaccess")
-    {
-        return "NoAccess";
-    }
     return "";
 }
 
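Review bot: After this hunk getRoleIdFromPrivilege returns "" for both an empty privilege string and a leftover `priv-noaccess` value, and nothing documents that the empty string means "not a supported role" rather than a RoleId a caller may copy into a response; an account whose stored privilege is still `priv-noaccess` (created before the user-manager side of this change landed) would presumably surface with an empty RoleId wherever this result is used unchecked. Suggest a comment above the function, e.g. `// Maps a phosphor-user-manager privilege to a Redfish RoleId; "" means the privilege has no Redfish role and callers must treat it as unsupported, never as a role name.` The same remark applies to getPrivilegeFromRoleId in the next hunk and to getRoleFromPrivileges in roles.hpp. The function's opening lines are outside the hunk, and none of the hunks touch the session/login path, so the accessDenied behaviour described under "Tested By" is decided elsewhere and is worth a sentence in that comment once confirmed.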
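Review bot: In the handleAccountCollectionPost hunk, `roleId = priv;` overwrites the request's Redfish RoleId (the value the preceding context line reports back via propertyValueNotInList) with the phosphor-user-manager privilege string, so from this line on `*roleId` no longer holds what the variable name says; the removed if/else had the same shape, but the surviving one-liner now reads like a no-op to a skimming reader. Either pass `priv` to whatever consumes the value later in the function instead of reassigning, or add a comment on the line, e.g. `// roleId now carries the phosphor-user-manager privilege (e.g. "priv-operator"), not the Redfish RoleId.` The function continues past the hunk, so which form the later code expects is not visible here.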
@@ -62,10 +58,6 @@ inline bool getAssignedPrivFromRole(std::string_view role,
     {
         privArray = {"Login", "ConfigureSelf"};
     }
-    else if (role == "NoAccess")
-    {
-        privArray = nlohmann::json::array();
-    }
     else
     {
         return false;