UpdateService POST method have ConfigureComponents Privilege

hieuhuynh
Minnow

Posts: 2

UpdateService POST method have ConfigureComponents Privilege Mar 1, 2023 4:27:30 GMT

Quote

Post by hieuhuynh on Mar 1, 2023 4:27:30 GMT

Hi DMTF Team,

We facing the issue that Operator user can login to WebUI and start Firmware update.

Steps to reproduce the behavior:

1.Create a new user usertest from WebUI with Operator privilege.
2.Login to WebUI via usertest.
3.Click on Operators -> Firmware. In Update firmware -> Image file, click Add file to select new firmware. Then select Start update to start update process.
4.New firmware is uploaded and then update process start. After complete, the BMC boots with new firmware

Based on the the DMTF registries, the UpdateService's POST method has 'ConfigureComponents' privilege[1].
Reference Table 41 — Required standard roles in the redfish specification, which specifies Operator should have ConfigureComponents privilege[2].
That why Operator user can login to WebUI and start Firmware update.

Expect that only Administrator user can flash the firmware? For the UpdateService, need to change privilege to ConfigureManager?

[1] redfish.dmtf.org/registries/Redfish_1.3.1_PrivilegeRegistry.json#UpdateService
[2] www.dmtf.org/sites/default/files/standards/documents/DSP0266_1.15.0.pdf#Roles

Thanks

qthangnp Minnow Posts: 1	UpdateService POST method have ConfigureComponents Privilege Mar 1, 2023 4:43:06 GMT Quote Select Post Deselect Post Link to Post Back to Top Post by qthangnp on Mar 1, 2023 4:43:06 GMT The question is do we expect Operator user to be able to do firmware update? Or just Administrator can do firmware update?

mraineri
Administrator

Posts: 1,050

UpdateService POST method have ConfigureComponents Privilege Mar 1, 2023 21:22:18 GMT

Quote

Post by mraineri on Mar 1, 2023 21:22:18 GMT

I think at the time we were considering that operators could apply updates to components in a system. But I'm second guessing that reasoning now; I tend to think of an administrator as the one to decide when components are updated. I can raise this for others to discuss.

But in the meantime, you're certainly allowed to modify the privilege registry to meet your implementation's needs; there's no requirement to use the DMTF-published privilege registry as-is.

Last Edit: Mar 1, 2023 21:23:11 GMT by mraineri

hieuhuynh Minnow Posts: 2	UpdateService POST method have ConfigureComponents Privilege Mar 7, 2023 3:10:28 GMT Quote Select Post Deselect Post Link to Post Back to Top Post by hieuhuynh on Mar 7, 2023 3:10:28 GMT Hi mraineri, Thank you for your answer, may I have a question: When can the discussion take place? We will wait until the discussion reaches a conclusion. Thanks,

mraineri
Administrator

Posts: 1,050

UpdateService POST method have ConfigureComponents Privilege Mar 17, 2023 14:39:21 GMT

Quote

Post by mraineri on Mar 17, 2023 14:39:21 GMT

The forum thinks the registry is correct as-is. We still see there's the possibility that Operators could perform updates on a limited set of devices in some products. However, you have no requirement to use the registry as-is from DMTF; you're free to add your own changes to it to map it to your product.

UpdateService POST method have ConfigureComponents Privilege

Post by hieuhuynh on Mar 1, 2023 4:27:30 GMT

Post by qthangnp on Mar 1, 2023 4:43:06 GMT

Post by mraineri on Mar 1, 2023 21:22:18 GMT

Post by hieuhuynh on Mar 7, 2023 3:10:28 GMT

Post by mraineri on Mar 17, 2023 14:39:21 GMT