From: "Thomaiyar, Richard Marian"
To: Tony Lee (李文富)
Cc: "openbmc@lists.ozlabs.org"
Subject: Re: Question of ipmi command "Set User Access" in phosphor-host-ipmid
Date: Thu, 28 May 2020 15:51:27 +0530

Hi Tony,

Yes, that's correct. We already support channel configuration using json (channel_config.json under phosphor-ipmi-config), and sync channel can be identified by the first LAN medium channel number (else we can add one more configuration as well). I am ok if you want to go ahead and fix it, else will try to fix the same in a couple of weeks.

Regards,

Richard

On 5/28/2020 1:39 PM, Tony Lee (李文富) wrote:
> Hi Richard,
>
> So, it needs to check the request channel number before setting the dbus
> because it has to be in sync with system user privilege level.
>
> Since my LAN1 and the request channel number are both 2.
> Once we can get LAN1 channel number dynamically
> https://github.com/openbmc/phosphor-host-ipmid/blob/master/user_channel/user_mgmt.cpp#L512
>
> This issue will be solved, right?
>
>> From: Thomaiyar, Richard Marian
>> Sent: Tuesday, May 26, 2020 12:28 AM
>> To: Tony Lee (李文富)
>> Cc: openbmc@lists.ozlabs.org
>> Subject: Re: Question of ipmi command "Set User Access" in phosphor-host-ipmid
>>
>> Hi Tony,
>>
>> Only IPMI offers channel based user level privilege as of now, Redfish uses
>> single privilege across all channels. OpenBMC user management is designed to
>> have single user level privilege. IPMI is designed to bind one of the channel
>> privilege user to the user management, and rest maintain in its own database.
>> LAN 1 is used for that sync.
>>
>> Note: Discussion started in Redfish forum to have a channel based restriction,
>> but it's not yet materialized and requires more takers.
>>
>> Regards,
>>
>> Richard
>>
>> On 5/25/2020 12:58 PM, Tony Lee (李文富) wrote:
>>> In the process of creating a user,
>>> I used the ipmi command "ipmitool priv []".
>>> The "UserPrivilege" of the user I created in dbus is empty. Because my LAN channel number is not 1.
>>> https://github.com/openbmc/phosphor-host-ipmid/blob/master/user_channel/user_mgmt.cpp#L878
>>>
>>> Why did it need to check the request channel number before setting the dbus?
>>> I can't find the related restriction of it in "Set User Access Command" in IPMI SPEC.
>>> Thanks
>>> Best Regards,
>>> Tony
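
A simplified model of the behaviour discussed in this thread, added here as an example and not code from phosphor-host-ipmid: the per-channel privilege always goes to IPMI's own database, and only the sync channel's privilege is mirrored to the single system-wide privilege. All type and function names, the channel table and the privilege string are constructed for illustration.

```cpp
#include <cstdint>
#include <map>
#include <string>

// Hypothetical, simplified model; these names are not from phosphor-host-ipmid.
enum class Medium { ipmb, lan8023, systemInterface };

struct Channel {
    bool valid;
    Medium medium;
};

// Channel number -> channel info, as a board's channel configuration would give.
using ChannelTable = std::map<uint8_t, Channel>;
const int noSyncChannel = -1;

// Sync channel = lowest-numbered valid LAN medium channel (std::map is ordered).
int findSyncChannel(const ChannelTable& table) {
    for (const auto& entry : table) {
        if (entry.second.valid && entry.second.medium == Medium::lan8023)
            return entry.first;
    }
    return noSyncChannel; // no LAN channel configured: nothing is mirrored
}

struct UserStore {
    std::map<uint8_t, std::string> ipmiPriv; // per-channel, IPMI's own database
    std::string userPrivilege;               // single system-wide privilege
};

// Model of Set User Access: record the channel privilege, and mirror it to
// the system-wide privilege only when the request targets the sync channel.
void setUserAccess(UserStore& user, uint8_t reqChannel,
                   const std::string& priv, int syncChannel) {
    user.ipmiPriv[reqChannel] = priv;
    if (reqChannel == syncChannel) user.userPrivilege = priv;
}

// Constructed layout matching the thread: the LAN channel is number 2.
ChannelTable sampleTable() {
    return {{0, {true, Medium::ipmb}},
            {2, {true, Medium::lan8023}},
            {15, {true, Medium::systemInterface}}};
}

// System-wide privilege after a Set User Access request on channel 2.
std::string privilegeAfterRequest(int syncChannel) {
    UserStore user;
    setUserAccess(user, 2, "priv-admin", syncChannel);
    return user.userPrivilege;
}
```

With the sync channel fixed at 1 the system-wide privilege stays empty for a board whose LAN channel is 2; looking it up from the channel table mirrors the privilege as intended.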