Post by striker on Jun 5, 2024 16:02:55 GMT
Hi. I have a few questions about access control in Redfish. Let's say there are several BMC users. For some of them, I would like to specify which interfaces they are allowed to access (Redfish, IPMI, KVM, Virtual Media, etc.). How would I implement this? I see several options here:

1) Use the Redfish property AccountTypes (ManagerAccount schema). It seems that this particular property is intended for this purpose. But I see that the AccountTypes property exists only for local accounts. So, in this case, how can I manage such access for remote users?

2) Use Redfish privileges. Both local and remote users have privileges (Role property for local users, RemoteRoleMapping for remote users). Theoretically, we can create privileges for each type of interface and use them to restrict access for local and remote users. What I don't like here: it seems that Redfish privileges are intended to restrict access only to the resources of the Redfish service. Then using them to restrict access to non-Redfish services looks incorrect. Is this statement true?

---

Example: Let's say we have:
- a BMC with a host console implemented and accessible via SSH on a specific port;
- multiple local users;
- multiple remote users (for example, an LDAP user group).

In this case, what would the implementation of restricting access to the host console for local and remote users in Redfish look like?
Post by jautor on Jun 5, 2024 23:45:10 GMT
> Hi. I have a few questions about access control in Redfish. Let's say there are several BMC users. For some of them, I would like to specify which interfaces they are allowed to access (Redfish, IPMI, KVM, Virtual Media, etc.). How would I implement this? I see several options here: 1) Use Redfish property AccountTypes (ManagerAccount schema). And it seems that this particular property is intended for this purpose. But I see that the AccountTypes property exists only for local accounts. So, in this case, how can I manage such access for remote users?

You're correct. The `AccountTypes` was intended for locally-managed accounts, not those coming from LDAP/AD or other external account providers. I'll discuss with the group to see what we think an answer would be here.

The issue here is that we're providing the "mapping" of account information from the external provider to a Redfish "Role", which is only scoped to providing access to Redfish resources, not other services.

Yes, that is correct. The Redfish "Role" is only managing access to Redfish resources.

The "local" (locally defined on the BMC) users would have their ManagerAccount instance with `AccountTypes` listing at least the values of "Redfish" and "HostConsole". For LDAP-created accounts, there doesn't appear to be a standard mechanism for doing this currently. My first thought is that we could provide another attribute-mapping property where a list of AccountTypes could be retrieved from the external account provider. But that would require the Redfish-defined list of AccountTypes to be added to the external provider... But I'll bring up the question for the group, as I'm not an LDAP/AD expert, either.

Jeff
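As an added illustration of the two options discussed in this thread (this is example code written for this page, not code from the thread, from DMTF, or from any BMC implementation), the following offline Python model applies `AccountTypes` to a local ManagerAccount and `RemoteRoleMapping` to an LDAP user, and makes the gap visible: the standard mapping yields only a Redfish Role, so for a remote user it cannot answer whether the SSH host console is allowed. The resource payloads, DNs, user names and role/privilege sets are constructed for the example; property names follow the ManagerAccount, ExternalAccountProvider and Role schemas as I understand them, and the "RemoteUser before RemoteGroup" precedence is this example's assumption rather than something the schema specifies.

```python
"""Offline model of Redfish local AccountTypes vs. remote RemoteRoleMapping.

Example code for this page, not DMTF or vendor code. All payloads below are
constructed; property names follow the Redfish schemas as understood here.
"""
from typing import List, Optional

# Constructed: what a GET on a local ManagerAccount might return.
LOCAL_ACCOUNT = {
    "@odata.id": "/redfish/v1/AccountService/Accounts/3",
    "UserName": "operator1",
    "RoleId": "Operator",
    "AccountTypes": ["Redfish", "HostConsole", "VirtualMedia"],
}

# Constructed: LDAP provider configuration with RemoteRoleMapping entries.
LDAP_PROVIDER = {
    "ServiceEnabled": True,
    "RemoteRoleMapping": [
        {"RemoteGroup": "cn=bmc-admins,ou=groups,dc=example,dc=com",
         "LocalRole": "Administrator"},
        {"RemoteGroup": "cn=bmc-operators,ou=groups,dc=example,dc=com",
         "LocalRole": "Operator"},
        {"RemoteUser": "uid=svc-monitor,ou=people,dc=example,dc=com",
         "LocalRole": "ReadOnly"},
    ],
}

# Constructed: Role collection keyed by Id, with AssignedPrivileges as in
# the Role schema. Privilege sets are made up for the example.
ROLES = {
    "Administrator": {"AssignedPrivileges": [
        "Login", "ConfigureManager", "ConfigureUsers",
        "ConfigureSelf", "ConfigureComponents"]},
    "Operator": {"AssignedPrivileges": [
        "Login", "ConfigureComponents", "ConfigureSelf"]},
    "ReadOnly": {"AssignedPrivileges": ["Login", "ConfigureSelf"]},
}


def local_interface_allowed(account: dict, interface: str) -> bool:
    """Option 1: a local account may use an interface only if that value is
    present in AccountTypes. A missing property means the service does not
    expose the control at all, so this example treats it as 'not allowed'."""
    return interface in account.get("AccountTypes", [])


def restrict_local_account(account: dict, interface: str) -> dict:
    """Build the PATCH body that removes one interface from a local account.
    Does not mutate the input; the caller would PATCH account['@odata.id'].
    Refusing an empty list is this example's own guard, not a schema rule."""
    remaining = [t for t in account.get("AccountTypes", []) if t != interface]
    if not remaining:
        raise ValueError("refusing to build a PATCH with an empty AccountTypes")
    return {"AccountTypes": remaining}


def remote_role(provider: dict, user_dn: str,
                group_dns: List[str]) -> Optional[str]:
    """Option 2 for remote users: resolve the Redfish Role via
    RemoteRoleMapping. A RemoteUser match wins over a RemoteGroup match
    (assumed precedence for this example)."""
    mappings = provider.get("RemoteRoleMapping", [])
    for m in mappings:
        if m.get("RemoteUser") == user_dn:
            return m.get("LocalRole")
    groups = set(group_dns)
    for m in mappings:
        if m.get("RemoteGroup") in groups:
            return m.get("LocalRole")
    return None


def remote_interface_allowed(provider: dict, user_dn: str,
                             group_dns: List[str],
                             interface: str) -> Optional[bool]:
    """True/False for "Redfish" (the mapped Role's Login privilege decides);
    None for every other interface, because the standard mapping only
    produces a Redfish Role and says nothing about IPMI, KVM, HostConsole,
    etc. That None is the gap the thread is about."""
    if interface != "Redfish":
        return None
    role = remote_role(provider, user_dn, group_dns)
    if role is None:
        return False
    privileges = ROLES.get(role, {}).get("AssignedPrivileges", [])
    return "Login" in privileges


def permit(decision: Optional[bool]) -> bool:
    """Enforcement helper for a non-Redfish service (e.g. the SSH host
    console): only an explicit True grants access; None fails closed."""
    return decision is True


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    alice_groups = ["cn=bmc-operators,ou=groups,dc=example,dc=com"]
    print("local HostConsole:", local_interface_allowed(LOCAL_ACCOUNT, "HostConsole"))
    print("PATCH body:", restrict_local_account(LOCAL_ACCOUNT, "HostConsole"))
    print("alice role:", remote_role(LDAP_PROVIDER, alice, alice_groups))
    print("alice Redfish:", remote_interface_allowed(LDAP_PROVIDER, alice, alice_groups, "Redfish"))
    print("alice HostConsole:", remote_interface_allowed(LDAP_PROVIDER, alice, alice_groups, "HostConsole"))
```

The practical consequence for a service that fronts something other than Redfish (the SSH host console in the question) is the `permit()` rule: when the only standard input is a Role mapping, a remote user's non-Redfish access comes back as "unspecified", and the safe default is to deny rather than to infer it from Redfish privileges.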
Post by striker on Jun 6, 2024 14:40:06 GMT
Thank you for confirming my thoughts.

> For LDAP-created accounts, there doesn't appear to be a standard mechanism for doing this currently. My first thought is that we could provide another attribute-mapping property where a list of AccountTypes could be retrieved from the external account provider. But that would require the Redfish-defined list of AccountTypes to be added to the external provider... But I'll bring up the question for the group, as I'm not an LDAP/AD expert, either.

I would really appreciate it if you would share your thoughts on a possible implementation after discussing this with the group. At the very least, I could try to implement this and point out some problems, if any.