Commit f365910c authored by Gunnar Mills

Update ManagerAccountCollection Privilege

For the ManagerAccountCollection resource,
/redfish/v1/AccountService/Accounts/, allow a "ConfigureSelf"
user to GET but only return the user's account if the user does
not have ConfigureUsers privilege.

Took this code from other places in account_service.
https://github.com/openbmc/bmcweb/blob/61dbeef97168db1a1f7a351c5f95e09afd361e48/redfish-core/lib/account_service.hpp#L1528

There was some question whether all accounts should be returned;
Redfish clarified that only the user's account should be returned
without ConfigureUsers privilege.

https://redfishforum.com/thread/281/manageraccountcollection-change-allows-account-enumeration


"we assumed that the Login privilege would only pertain to the
current account and not allow viewing of other accounts"

This fixes 2 Redfish validator errors if running the validator
as a Readonly or Operator role.

"ERROR - Accounts: GET of resource at URI
/redfish/v1/AccountService/Accounts returned HTTP 403. Check URI."

"ERROR - /redfish/v1/AccountService/Accounts:  URI could not be
acquired: 403"

This was changed in Redfish 2019.3, redfish issue 1914 explains
more.

Tested: Ran the validator as operator role and admin role.
        No errors.
As root:
 curl -k https://${bmc}/redfish/v1/AccountService/Accounts/
{
  "@odata.id": "/redfish/v1/AccountService/Accounts",
  "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
  "Description": "BMC User Accounts",
  "Members": [
    {
      "@odata.id": "/redfish/v1/AccountService/Accounts/readonly"
    },
    {
      "@odata.id": "/redfish/v1/AccountService/Accounts/operator"
    },
    {
      "@odata.id": "/redfish/v1/AccountService/Accounts/JimHalpert"
    },
    {
      "@odata.id": "/redfish/v1/AccountService/Accounts/root"
    }
  ],
  "Members@odata.count": 4,

As Operator:
curl -k https://${bmc}/redfish/v1/AccountService/Accounts/
{
  "@odata.id": "/redfish/v1/AccountService/Accounts",
  "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
  "Description": "BMC User Accounts",
  "Members": [
    {
      "@odata.id": "/redfish/v1/AccountService/Accounts/operator"
    }
  ],
  "Members@odata.count": 1,

Change-Id: I0694011ed3c4ecd3ea0c386fc24d086be39ac804
Signed-off-by: Gunnar Mills <gmills@us.ibm.com>
parent 250b0ebb
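The privilege rule this commit describes (ConfigureUsers sees the whole collection, ConfigureSelf sees only its own account, anything else is a 403), written out as an added example that is not bmcweb's own code; the account list and the role-to-privilege mapping below are constructed for illustration.

```python
# Added example, not bmcweb code: models the ManagerAccountCollection
# visibility rule for GET /redfish/v1/AccountService/Accounts/.
from typing import Iterable

COLLECTION_URI = "/redfish/v1/AccountService/Accounts"

# Constructed sample data: accounts that exist on the BMC, and an assumed
# role-to-privilege mapping (Administrator carries ConfigureUsers; the
# Readonly and Operator roles only carry ConfigureSelf for this resource).
ACCOUNTS = ["readonly", "operator", "JimHalpert", "root"]
ROLE_PRIVILEGES = {
    "Administrator": {"Login", "ConfigureUsers", "ConfigureSelf"},
    "Operator": {"Login", "ConfigureSelf"},
    "ReadOnly": {"Login", "ConfigureSelf"},
}


def account_collection(requester: str, privileges: Iterable[str],
                       all_accounts: Iterable[str]) -> dict:
    """Return the collection body the requester may see.

    ConfigureUsers -> every account (full enumeration is intended here).
    ConfigureSelf only -> just the requester's own account, so a Readonly
    or Operator user gets a 200 with one member instead of a 403, without
    being able to enumerate other accounts.
    Neither -> PermissionError, which the handler would map to HTTP 403.
    """
    privs = set(privileges)
    if "ConfigureUsers" in privs:
        visible = list(all_accounts)
    elif "ConfigureSelf" in privs:
        visible = [name for name in all_accounts if name == requester]
    else:
        raise PermissionError("403: requester lacks ConfigureUsers/ConfigureSelf")
    members = [{"@odata.id": f"{COLLECTION_URI}/{name}"} for name in visible]
    return {
        "@odata.id": COLLECTION_URI,
        "@odata.type": "#ManagerAccountCollection.ManagerAccountCollection",
        "Description": "BMC User Accounts",
        "Members": members,
        "Members@odata.count": len(members),
    }


if __name__ == "__main__":
    for user, role in [("root", "Administrator"), ("operator", "Operator")]:
        body = account_collection(user, ROLE_PRIVILEGES[role], ACCOUNTS)
        print(user, body["Members@odata.count"], body["Members"])
```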