Privilege of deep PATCH using ReadOnly account

kennyliu
Minnow

Posts: 3

Privilege of deep PATCH using ReadOnly account Oct 17, 2022 10:40:47 GMT

Quote

Post by kennyliu on Oct 17, 2022 10:40:47 GMT

Hi,
I want to know how to determine the privilege of deep operation.
There are some situations of deep PATCH below.
What response will be expected when using the ReadOnly account to do deep PATCH?
The ReadOnly account's ID is 5.

1.
PATCH /redfish/v1/AccountService.Deep
-----request body-----
{
"Accounts":{
        "@odata.id": "/redfish/v1/AccountService/Accounts",
      "Members":[
            {
              "@odata.id": "/redfish/v1/AccountService/Accounts/5",
              "Password": "12345678"
          }
        ]
    }
}

The PATCH privilege of AccountService is
"PATCH": [

    {

        "Privilege": [

            "ConfigureUsers"

        ]

    }

]

Will the response of this situation be 204 or 403 with InsufficientPrivilege message or others?

2.
If we could change the password in situation 1, how about this situation?

PATCH /redfish/v1/AccountService.Deep
-----request body-----
{

    "Accounts":{

        "@odata.id": "/redfish/v1/AccountService/Accounts",

        "Members":[

            {

                "@odata.id": "/redfish/v1/AccountService/Accounts/5",

                "Password": "12345678"

            },
          {
                "@odata.id": "/redfish/v1/AccountService/Accounts/3",

                "Password": "12345678"
            }
        ]

    }

}

Will it be only ReadOnly account's password changed successfully or this action be rejected?
And what message will be return?

mraineri
Administrator

Posts: 1,047

Privilege of deep PATCH using ReadOnly account Oct 18, 2022 16:22:59 GMT

Quote

Post by mraineri on Oct 18, 2022 16:22:59 GMT

While deep operations contains multiple resources, each resource in the payload can be mapped to an entry in the privilege registry. This does add complexity in that the service will need to inspect each of the resources requested for modification and perform a privilege lookup.

In the first example, assuming the client has the privilege to modify ManagerAccount "5", the request will be successful.

In the second example, assuming the client has the privilege to modify ManagerAccount "5", but not "3", the service would fail the privilege check for ManagerAccount "3", and the request will fail with 403 just like if the client performed a PATCH directly on ManagerAccount "3".

kennyliu Minnow Posts: 3	Privilege of deep PATCH using ReadOnly account Oct 21, 2022 8:15:28 GMT Quote Select Post Deselect Post Link to Post Back to Top Post by kennyliu on Oct 21, 2022 8:15:28 GMT Hi, In the second example, it meaned that ManagerAccount "3" would not be changed and "5" either and the response would be 403. Did I get that right?

mraineri
Administrator

Posts: 1,047

Privilege of deep PATCH using ReadOnly account Oct 24, 2022 16:42:02 GMT

Quote

Post by mraineri on Oct 24, 2022 16:42:02 GMT

Nothing at all would change in either resource. If you return a 4XX or 5XX, the service is not allowed to change any data. From the "Modification error responses" clause:

"Otherwise, if the service returns a client 4XX or service 5XX status code, the service encountered an error and the resource shall not have been modified or created as a result of the operation."

kennyliu Minnow Posts: 3	Privilege of deep PATCH using ReadOnly account Oct 25, 2022 1:47:47 GMT Quote Select Post Deselect Post Link to Post Back to Top Post by kennyliu on Oct 25, 2022 1:47:47 GMT I got it. Thanks for your reply.

Privilege of deep PATCH using ReadOnly account

Post by kennyliu on Oct 17, 2022 10:40:47 GMT

Post by mraineri on Oct 18, 2022 16:22:59 GMT

Post by kennyliu on Oct 21, 2022 8:15:28 GMT

Post by mraineri on Oct 24, 2022 16:42:02 GMT

Post by kennyliu on Oct 25, 2022 1:47:47 GMT