Post by AMI_Mani on Jul 9, 2021 18:25:48 GMT
Hi, I'm creating a new role (testrole) with AssignedPrivileges as below (without providing the Login privilege):
    "AssignedPrivileges": [
        "ConfigureManager",
        "ConfigureComponents"
    ]
Now I'm creating a new user (testuser) with the above role (testrole). As per Redfish_1.1.0_PrivilegeRegistry.json, most GET operations have the privilege Login:
    "Entity": "LogService",
    "OperationMap": {
        "GET": [
            {
                "Privilege": [
                    "Login"
                ]
            }
        ],
        "HEAD": [
            {
                "Privilege": [
                    "Login"
                ]
            }
        ],
testuser doesn't have the Login privilege but has ConfigureManager and ConfigureComponents, so in this case can we allow the GET operation for testuser? Does every role need to have the Login privilege by default, or, while creating a role, do we need to mandate that the Login privilege also be provided in the request, like below:
    "AssignedPrivileges": [
        "Login",
        "ConfigureManager",
        "ConfigureComponents"
    ]
That is, if a new role has ConfigureManager, is Login automatically allowed as well, or do we need to explicitly mention Login while creating new roles? As per my understanding, ConfigureManager should include the Login privilege, and any user needs the Login privilege by default (no need to provide the Login privilege for a new role if it is created with ConfigureManager, ConfigureComponents).
Do we have any details in the spec/schema mentioning that a new role can have the Login privilege by default when assigning ConfigureComponents, ConfigureManager, ConfigureUsers or ConfigureSelf? Please confirm.
Thanks, Mani
Post by mraineri on Jul 12, 2021 15:51:06 GMT
There is no "default" behavior as you're speaking of. With the way the privilege registry is constructed today and the definition of the "Redfish service operation-to-privilege mapping" clause, that type of user you've created essentially cannot perform very many operations, and at least at the moment that's intentional. The privilege registry is really meant to be a mechanical mapping of the privileges in a role to an allowable operation.
You either need to change the role you're creating to contain the Login privilege, or use a different privilege registry that does not make use of the Login privilege. Keep in mind, the privilege registry published by the DMTF is meant as guidance and not a mandatory registry. As an implementer, you're allowed to create your own privilege registry that maps to the needs of your product.
Post by AMI_Mani on Jul 12, 2021 17:33:43 GMT
Thanks for the reply. Assume a user is created without the Login privilege; then he will not be able to use GET request(s). The user can do POST, PATCH, DELETE, and GET on URIs that don't have authentication (like the service root).
The user can't browse from the service root to a resource collection/instance, since the GET request is not allowed due to the unavailability of the Login privilege. The user needs to know the POST, PATCH and DELETE URIs to use the Redfish service. I'm unable to find a use case for a user without authentication (basic, session, etc.) to use the Redfish service (except for the service root and some other URIs that don't have authentication).
Since all requests need some authentication, which is equivalent to the Login privilege, is authentication using username and password related to the Login privilege?
Thanks, Mani
Post by mraineri on Jul 12, 2021 20:05:56 GMT
No, that's not an assumption we make today. While the privilege registry we publish today does essentially contain "Login" for just about every GET operation, there are certainly use cases where GET operations on particular resources are more constrained and require a specific privilege. Effectively we're not assuming that just because a user has successfully logged in they automatically get "Login" as a privilege; everything we do from a mapping perspective is explicitly called out. If a role is missing a particular privilege (like "Login") then the role does not have access to the operations granted by "Login".
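The mechanical mapping described in the two replies above can be made concrete with a small checker. This is an added example, not code from the thread, from AMI or from the DMTF; the registry fragment is constructed to mirror the shape of the LogService entry quoted in the question (GET and HEAD under Login), while the PATCH/POST/DELETE rows and the "ExampleEntity" entry are assumptions added to show the AND/OR semantics of the registry, not values copied from Redfish_1.1.0_PrivilegeRegistry.json. In the Redfish privilege registry, the privileges inside one "Privilege" list must all be held (AND), and the entries in the list for a method are alternatives (OR).

```python
import json

# Constructed registry fragment. The LogService GET/HEAD rows mirror the thread;
# the remaining rows and the ExampleEntity mapping are illustrative assumptions.
PRIVILEGE_REGISTRY = json.loads("""
{
  "Mappings": [
    {
      "Entity": "LogService",
      "OperationMap": {
        "GET":    [ { "Privilege": ["Login"] } ],
        "HEAD":   [ { "Privilege": ["Login"] } ],
        "PATCH":  [ { "Privilege": ["ConfigureManager"] } ],
        "POST":   [ { "Privilege": ["ConfigureManager"] } ],
        "DELETE": [ { "Privilege": ["ConfigureManager"] } ]
      }
    },
    {
      "Entity": "ExampleEntity",
      "OperationMap": {
        "PATCH": [
          { "Privilege": ["ConfigureManager", "ConfigureComponents"] },
          { "Privilege": ["ConfigureUsers"] }
        ]
      }
    }
  ]
}
""")

# The two roles discussed in the thread: testrole as created, and testrole
# with the Login privilege added to its AssignedPrivileges.
ROLES = {
    "testrole": ["ConfigureManager", "ConfigureComponents"],
    "testrole_with_login": ["Login", "ConfigureManager", "ConfigureComponents"],
}


def operation_entries(registry, entity, method):
    """Return the list of alternative privilege entries for (entity, method),
    or None when the registry has no mapping for that combination."""
    for mapping in registry["Mappings"]:
        if mapping["Entity"] == entity:
            return mapping["OperationMap"].get(method.upper())
    return None


def is_allowed(registry, assigned_privileges, entity, method):
    """Mechanical check: the operation is permitted only if at least one
    entry's Privilege list is a subset of the role's AssignedPrivileges."""
    entries = operation_entries(registry, entity, method)
    if not entries:
        # No mapping means the registry grants nothing for this operation.
        return False
    held = set(assigned_privileges)
    return any(set(entry["Privilege"]) <= held for entry in entries)


def allowed_methods(registry, assigned_privileges, entity):
    """Sorted list of methods a role may use on an entity; handy for comparing
    a role with and without Login side by side."""
    for mapping in registry["Mappings"]:
        if mapping["Entity"] == entity:
            return sorted(m for m in mapping["OperationMap"]
                          if is_allowed(registry, assigned_privileges, entity, m))
    return []


if __name__ == "__main__":
    for role, privs in ROLES.items():
        print(role, "->", allowed_methods(PRIVILEGE_REGISTRY, privs, "LogService"))
```

Run against the constructed registry, testrole is granted PATCH, POST and DELETE on LogService but neither GET nor HEAD, exactly the situation the question describes; adding Login to the role is what opens the read operations, because nothing in the mapping treats ConfigureManager as implying Login.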