Re: Discussion on IPMI provider libraries

[tomjose <tomjose@linux.vnet.ibm.com>]

On Tuesday 15 November 2016 04:28 PM, Patrick Williams wrote:
> On Mon, Nov 14, 2016 at 03:59:08PM -0800, Brendan Higgins wrote:
>>> The privilege provided by each command is a registration parameter and it
>>> is consumed only by net-ipmid.
>>
>> That's fine, but in that case it should not go in the callback; it should
>> be maintained and enforced by net-ipmid when it looks up a handler.
> Neither net-ipmid nor host-ipmid intrinsically know all of the IPMI
> commands that will or may be registered.  This is especially true for
> OEM commands where the privilege level is determined by the command.
Agree.
>
> Are the privilege levels defined by the IPMI spec?  If so, I don't see
> anything incorrect about each provider having it.  If not, it is
> something that we have defined at build time, correct?  Would it be
> acceptable to have multiple symlink locations for net-ipmid providers?
> ie. /usr/lib/phosphor-net-ipmid/user/ ,
> /usr/lib/phosphor-net-ipmid/admin/ , etc.  I suspect we would need to
> break libraries up more because currently a single library provides
> commands at different privilege levels.
>
My earlier mail got stripped off when Brendan replied which had details 
about the privilege levels.

The Privilege levels are defined by the IPMI specification. Table G - 
Command Number Assignments and Privilege Levels in the IPMI 
specification gives more details on this.

Every command has a privilege level assigned to the command( Admin, 
User, Operator or Callback) or the command is system interface only.

The plan is to break down the system interface commands into a separate 
library.  The apphandler library in phospor-host-ipmid had support for 
Get Message Flags,
Set BMC Global Enables and Read Event Message Buffer which are System 
Interface commands only. So that net-ipmid would not load the system 
interface commands.
In a similar way if an OEM command need not be loaded for net-ipmid, 
then no symlink would be provided for that library in 
/usr/lib/phosphor-net-ipmid.

I have pushed a patch for separating system interface commands: 
https://gerrit.openbmc-project.xyz/#/c/1020/

I did not completely understand the rationale behind having multiple 
symlink locations for net-ipmid providers. The phosphor-net-ipmid would 
load the provider libraries
at starting and net-ipmid would allow multiple sessions with different 
privilege levels. There is a 'Set Session Privilege Level' command which 
would change the privilege level to a
higher( based on the maximum privilege supported for the user) or lower 
privilege level.

So the suggestion for multiple symlink  locations for net-ipmid 
providers(net-ipmid/user.. net-ipmid/admin) is a way for net-ipmid to 
figure out the privilege level of the command
instead of a registration parameter(privilege level) in the callback 
handler?