In the data model, the access permissions of interface methods, properties, and IPMI commands need to be specified based on the openUBMC user permission model for authentication.
Key Features
Privilege Field Added to the Data Model to Specify Nine Permissions
Nine Permissions
"UserMgmt", "BasicSetting", "KVMMgmt", "VMMMgmt", "SecurityMgmt", "PowerMgmt", "DiagnoseMgmt", "ReadOnly", and "ConfigureSelf"
Permission Description
A user can have one or more permissions. The user can access the interface method, property, or IPMI command only when they have all the access permissions specified in the data model.
Access Permissions of Properties and Methods Specified in model.json
Permission Model
A hierarchical inheritance structure exists between the path permission, interface permission, and property/method permission. For example, if the UserMgmt permission is configured for a path, the UserMgmt permission is required for accessing any property or method under the path.
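The inheritance rule above, worked through as an added example (not openUBMC code). It assumes the levels accumulate, so the privileges required for a member are the union of the path, interface and member lists, and it rejects names outside the nine privileges. The ClassA model is the one from this page's syntax definition with comments stripped; `required` and `allowed` are hypothetical helper names.

```python
import json

# The nine privilege names listed on this page.
KNOWN = frozenset({"UserMgmt", "BasicSetting", "KVMMgmt", "VMMMgmt", "SecurityMgmt",
                   "PowerMgmt", "DiagnoseMgmt", "ReadOnly", "ConfigureSelf"})

# Constructed sample: the ClassA definition from this page, comments stripped.
MODEL = json.loads("""
{"ClassA": {
  "path": "bmc/kepler/xxx/${id}",
  "privilege": ["UserMgmt", "BasicSetting"],
  "interfaces": {"bmc.kepler.IClassA": {
    "privilege": ["SecurityMgmt"],
    "properties": {"PropA1": {
      "usage": ["CSR", "PoweroffPer"],
      "privilege": {"read": ["ReadOnly"], "write": ["ConfigureSelf"]}}},
    "methods": {"Method1": {"privilege": ["DiagnoseMgmt"]}}}}}}
""")

def _checked(names):
    """Return names as a set, rejecting anything outside the nine privileges."""
    unknown = set(names) - KNOWN
    if unknown:
        raise ValueError(f"unknown privilege(s): {sorted(unknown)}")
    return set(names)

def required(model, cls, iface, kind, member, op=None):
    """Effective privilege set for one member (hypothetical helper).

    Assumption: inheritance accumulates, so the result is the union of the
    path, interface and member levels. kind is "properties" or "methods";
    op is "read" or "write" and applies to properties only.
    """
    node = model[cls]
    intf = node["interfaces"][iface]
    priv = intf[kind][member].get("privilege", {} if kind == "properties" else [])
    own = priv.get(op, []) if kind == "properties" else priv
    return _checked(node.get("privilege", [])) | _checked(intf.get("privilege", [])) | _checked(own)

def allowed(user_privs, needed):
    """Access is granted only if the user holds every required privilege."""
    return needed <= set(user_privs)

if __name__ == "__main__":
    need = required(MODEL, "ClassA", "bmc.kepler.IClassA", "properties", "PropA1", "write")
    print(sorted(need), allowed({"UserMgmt", "ConfigureSelf"}, need))
```

Under this assumption a user holding only ConfigureSelf cannot write PropA1, because the path and interface privileges are also required.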
Syntax Definition
{
    "ClassA":{
        "path":"bmc/kepler/xxx/${id}",
        "privilege":["UserMgmt", "BasicSetting"], // Syntax definition of the path access permission in the resource tree
        "interfaces":{
            "bmc.kepler.IClassA":{
                "privilege":["SecurityMgmt"], // Syntax definition of the interface access permission in the resource tree
                "properties":{
                    "PropA1":{
                        "usage":["CSR", "PoweroffPer"],
                        "privilege":{ // Syntax definition of the property access permission in the resource tree. The read and write permissions need to be specified separately.
                            "read":["ReadOnly"],
                            "write":["ConfigureSelf"]
                        }
                    }
                },
                "methods":{ // Syntax definition of the method access permission in the resource tree
                    "Method1":{
                        "privilege":["DiagnoseMgmt"]
                    }
                }
            }
        }
    }
}
Access Permissions of IPMI Commands in ipmi.json
Syntax Definition
{
    "package":"XXIpmiCmds",
    "cmds":{
        "CmdName1":{
            "netfn":"0x06",
            "cmd":"0x01",
            "priority":"Default",
            "role":"Administrator",
            "privilege":["PowerMgmt"], // Permissions required for executing the command
            "req":[
                {"data":"lana","baseType":"U32", "len":"3B", "value":"0x07db"},
                {"data":"SubCmd","baseType":"U8", "len":"1B", "value":"0x02"},
                {"data":"Reserved","baseType":"U8", "len":"4b"},
                {"data":"ChannelNum","baseType":"U8", "len":"4b"},
                {"data":"Length","baseType":"U16", "len":"2B"},
                {"data":"Data","baseType":"U8[]", "len":"Length"},
                {"data":"Sign","baseType":"String", "len":"64B"},
                {"data":"Padding","baseType":"U8[]", "len":"*"}
            ],
            "rsp":[
                {"data":"lana","baseType":"U32", "len":"3B"}
            ],
            "sysLockedPolicy":"Allowed"
        },
        "CmdName2":{
        }
    }
}
Northbound Interface Adaptation
Privilege Field Added to the Context
Use the get_privilege method of the privilege library to calculate the actual permission and store it in the Privilege field of the context.
local mc_privilege = require 'mc.privilege'
local mc_context = require 'mc.context'
mc_context.get_context().Privilege = mc_privilege.get_privilege(privs)
Auth Field Added to the Context
Set the Auth field in the context to the AuthRequired option of the privilege library, indicating that the request sent by the northbound interface to the service component needs to be authenticated.
local mc_privilege = require 'mc.privilege'
local mc_context = require 'mc.context'
mc_context.get_context().Auth = mc_privilege.AuthOption.AuthRequied
FAQs
Authentication Result Not as Expected
(1) Check whether the permission of the resource collaboration interface is correctly configured and whether the code is regenerated.
(2) Query the northbound interface to check whether the user permission is correct.
Rules for Redfish Permission Insufficiency Error Codes
If the PATCH property is mapped to the RPC interface, the InsufficientPrivilege error code is used.
If the PATCH property is mapped to the resource tree property, the PropertyModificationNeedPrivilege error code is used.
For other operations such as POST, the InsufficientPrivilege error code is used.