Lines Matching +full:user +full:- +full:management
1 # User Management - OpenBMC - Design document
6 user-management components. The implementation detail is beyond the scope of
11 1. Use common user-management (e.g. phosphor-user-manager) rather than
12 application-based user-management. Especially, avoid IPMI based
13 user-management.
14 2. For security reasons, avoid transmitting passwords over any D-Bus API.
15 Observe this rule even while creating, modifying or authenticating the user.
16 3. Have applications use the PAM module to authenticate the user instead of
17 relying on a D-Bus API-based approach.
18 4. User creation has to be generic in nature wherever possible.
20 13.19-13.33 inclusive for more details), new PAM module (e.g. pam-ipmi
22 pam-unix), which will store the password in encrypted form. Implementation
24 or if the user created doesn't have an 'ipmi' group role.
25 6. User name, Password, Group and Privilege roles are maintained by the common
26 user-management (e.g. phosphor-user-manager), whereas individual user-related
28 words, with the exception of User Name, Password, Group and Privileged Role,
31 restriction etc. for the corresponding user). The design is made to cover this
36 The purpose of group roles is to determine the first-level authorization of the
37 corresponding user. This is used to determine at a high level whether the user
40 SSH. Also, having group roles in common user-management (e.g.
41 phosphor-user-manager) allows different applications to create roles for one
42 another (e.g. an Administrative user will be able to create a new user through
49 | -----: | ----------- | ------------------------------------------------------------------- |
59 groups (i.e. a user will have the same privilege for REDFISH / Webserver / IPMI / SSH
60 / HostConsole). A user can belong to any one of the following privilege roles at
67 …-----: | --------------- | -----------------------------------------------------------------------…
68 | 1 | admin | Users are allowed to configure all OpenBMC (including user-management,…
69 …f the host, etc. But users are not allowed to change other configuration like user, network, etc. |
70 | 3 | user | Users only have read access and can't change any behavior of the syste…
71 | 4 | no-access | Users having empty or no privilege will be reported as no-access, from…
73 ## Common User Manager - D-Bus API (phosphor-user-manager)
75 The User Manager service exposes D-Bus methods for user-management operations. It
76 exposes `xyz.openbmc_project.User.Manager` as a service and handles objects
78 https://github.com/openbmc/phosphor-dbus-interfaces/tree/master/yaml/xyz/openbmc_project/User
79 for detailed user management D-Bus API and interfaces.
81 ## OpenBMC - User Management - High Level architectural diagram
87 || |PAM for user | | |Create new user| | | Redfish specific 1:1 | ||
88 || |authentication | | |or delete or | | | user settings storage| ||
92 …V Storage | |--------------------------|| MaxPrivilege - max ||
94 …| pam_unix - | pam_ipmi- encrypted| | | || channel …
95 …| /etc/shadow | password (only if | | | NET-IPMID *******************…
96 | (hashed) or | user in ipmi group)| | | =========================== |
99 +---<-----------------<---------<---- clear text password| || |
102 D-Bus Call | | || _____________________ || |
103 +------------+ ^ || | Create new user | || |
105 Common user manager | D-Bus Call | || | update | || |
106 ||==========================V==||<---------------------<----|(Note: Host-IPMID | || |
107 || phosphor-user-manager || | || | must use same logic| || |
112 | | || | user mappings | || |
113 +------>-------------->-----+------>| storage |<--------|
123 ## User management - overview
126 user management
127 +---------------------------------------------------------+
128 | phosphor-user-manager |
129 | +---------------------------------------------+ |
130 | | Local user management: | |
137 | | PATH: /xyz/openbmc_project/user/<name> | |
148 | +---------------------------------------------+ |
150 | Remote User Management - Configuration |
151 | +--------------------------+------------------+ |
153 | | user management configuration | |
155 | +---------------------------------------------+ |
157 +---------------------------------------------------------+
161 ## OpenBMC - User Management - User creation from webserver flow - with all groups
164 ------------------------------------|---------------------------------- -|-------------------------…
165 WEBSERVER | Common User Manager | IPMI & REDFISH(webserv…
166 ------------------------------------|------------------------------------|-------------------------…
167 1. Request to add a new user | | …
169 Webserver sends D-Bus command | | …
170 to user-manager with User Name, | | …
172 … (REQ)---------> | |
177 … | too many users, user name is too | |
180 … <-------------(FAILURE) | |
181 3. Throw error to the user | | …
183 … | 4. Add User Name, Groups and | |
185 … | for User Name created ---(SIGNAL)-> |
191 … <-------------(SUCCESS) | |
192 6. User created successfully but | | …
197 the user using pam_chauthtok() | | …
198 (which will store clear-text | | …
200 user is part of 'ipmi' Group) | | …
202 8. User created successfully | | …
203 ---------------------------------------------------------------------------------------------------…
206 ## OpenBMC - User Management - User creation from IPMI - 'ipmi' Group only
209 ------------------------------------|---------------------------------- -|-------------------------…
210 IPMI | Common User Manager | pam_unix/pam_ipmi stor…
211 ------------------------------------|------------------------------------|-------------------------…
212 1. User sends Set User Name command.| | …
213 IPMI sends D-Bus command | | …
214 to user-manager with User Name | | …
215 Groups & privileges (No Password) (REQ)---------> | …
217 commands like Set User Access / | | …
219 in IPMI NV along with User Name) | | …
224 … <-------------(FAILURE) | |
225 3. Return error to the Set User | | …
226 Name command. User creation failed. | | …
227 … | 4. Add User Name, Groups and | |
229 … | for User Name created | |
230 … <-------------(SIGNAL) (InterfacesAdded) | |
235 … <-------------(SUCCESS) | |
236 6. User sends Set User Password | | …
237 command. IPMI uses pam-ipmi | | …
240 Set User Name command in first | | …
241 place as User Name has to exist | | …
245 after Set User Name command) (SET)----------------------------------------> pam-ipmi will store …
248 … | |hashed password by pam-unix, |
249 … | |when the user belongs to IPMI|
250 … <----------------------------------------------(SUCCESS) |
251 7. User created successfully | | …
252 but login is allowed only when user is | | …
253 enabled. IPMI shouldn't allow user | | …
254 to log in if user is disabled | | …
256 ---------------------------------------------------------------------------------------------------…
259 ## OpenBMC - User Management - User deletion from webserver flow - with all groups
262 ------------------------------------|---------------------------------- -|-------------------------…
263 WEBSERVER | Common User Manager | IPMI & REDFISH(webserv…
264 ------------------------------------|------------------------------------|-------------------------…
265 1. Request to delete an existing user | | …
267 Webserver sends D-Bus command | | …
268 to user-manager with User Name | | …
269 to be deleted (REQ)---------> | …
274 … | It can be that the user does not exist etc. | |
275 … <-------------(FAILURE) | |
276 3. Throw error to the user | | …
278 … | 4. Delete User Name, Group and | |
280 … | User Name deleted ---(SIGNAL)-> |
288 … <-------------(SUCCESS) | |
289 6. User deleted successfully, | | …
291 ---------------------------------------------------------------------------------------------------…
294 ## OpenBMC - User Management - User deletion from IPMI - 'ipmi' Group only
297 ------------------------------------|---------------------------------- -|
298 IPMI | Common User Manager |
299 ------------------------------------|------------------------------------|
300 1. User sends Set User Name command | |
301 to clear user name. Send D-Bus API | |
302 to user-manager with User Name | |
303 to delete (REQ)---------> |
305 commands like Set User Access / | |
307 in IPMI NV along with User Name) | |
312 | User name doesn't exist etc.) |
313 <-------------(FAILURE) |
314 3. Return error to the Set User | |
315 Name command. User deletion failed. | |
317 <-------------(SIGNAL) 4. User Name deleted |
322 <-------------(SUCCESS) |
323 6. User deleted successfully | |
325 --------------------------------------------------------------------------
330 Applications must use the `pam_authenticate()` API to authenticate a user. Stacked PAM
335 +----------------------------------+
337 | +-----------------------+ |
339 | | user failed attempt | |
341 | +-----------------------+ |
343 | +-----------------------+ |
345 | | user authentication | |
347 | +-----------------------+ |
349 | +-----------------------+ |
353 | +-----------------------+ |
354 +----------------------------------+
359 Applications must use the `pam_chauthtok()` API to set or change a user password.
360 Stacked PAM modules allow all 'ipmi' group user passwords to be stored in
366 +------------------+---------------+
367 | Stacked PAM - Password |
369 | +----------------------------+ |
373 | +----------------------------+ |
375 | +----------------------------+ |
379 | +----------------------------+ |
381 | +----------------------------+ |
385 | +----------------------------+ |
387 | +-------------+--------------+ |
388 | | pam_unix.so - to update | |
389 | | local user's password | |
391 | +----------------------------+ |
393 | +-----------------+----------+ |
394 | | pam_ipmisave.so - stores | |
395 | | 'ipmi' group user's | |
397 | +----------------------------+ |
399 +----------------------------------+
408 +-------------v--------------+
410 |authenticate the user |
412 +-------------+--------------+
415 +-------------v--------------+
416 |Read user properties using |
421 +-------------+--------------+
424 +-------------v--------------+
428 |minimum of user & channel |
435 +----------------------------+
442 SSH, Redfish, Webserver and HostConsole interfaces allow the user to
450 For LDAP user accounts, there is no LDAP attribute type that corresponds to
451 the OpenBMC privilege roles. The preferred way is to group LDAP user accounts
452 into LDAP groups. A D-Bus API is provided for the user to assign a privilege role to
457 This section explains how the privilege roles of the user accounts are consumed
458 by the webserver interface. The privilege role is a property of the user D-Bus
459 object for the local users. For the LDAP user accounts, the privilege role will
461 configured prior to authenticating with the LDAP user accounts.
463 1. Invoke the PAM API to authenticate with the user credentials. Proceed if the
465 2. Check if the user is a local user account. If the user account is local,
466 fetch the privilege role from the D-Bus object and update the session
468 3. If the user account is not local, read the group name for the user.
471 5. If there is no mapping for group name to privilege role, default to `user`
476 1. As per the IPMI spec, the max user list can be 15 (+1 for the NULL User). Hence
478 getting added to the 'ipmi' Group. Phosphor-user-manager has to enforce this
480 2. Should add IPMI_NULL_USER by default and keep the user in a disabled state.
481 This is to prevent IPMI_NULL_USER from being created as an actual user. This
482 is needed as a NULL user with a NULL password in IPMI can't be added as an entry
483 from the Unix user-management point of view.
484 3. User creation request from IPMI / REDFISH must be handled in the same manner
486 4. Adding / removing a user name from the 'ipmi' Group role must force a password
487 change for the user. This is needed because adding an existing user to the 'ipmi'
488 Group requires the clear-text password to be stored in encrypted form. Similarly,
489 when removing a user from the IPMI group, a password change must be forced
491 5. The IPMI spec doesn't support groups for user-management. Hence the same can
492 be implemented through OEM commands, thereby creating a user in IPMI with
494 6. Do not use the 'Set User Name' IPMI command to extend already existing non-ipmi
495 group users to the 'ipmi' group. The 'Set User Name' IPMI command will not be able to
496 differentiate between a new user request and a request to extend an existing user
498 Note: The 'Set User Name' IPMI command will return the CCh 'Invalid data field in
499 Request' completion code if an attempt is made to add an existing user in the system.
501 ## Deployment - Out of factory
506 [SB-327 Information Privacy](https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=…
507 Connected devices must avoid shipping with generic user name & password. The
511 2. Forcing the user to generate a new authentication account before using the device.
513 ### Generating user during deployment:
516 specifies forcing the end-user to generate a new account during deployment
517 through any of the system in-band interfaces (like KCS etc.). IPMI 2.0
519 `SetUserAccess`, which must be used to create a new user account instead of
520 using any generic default user name and password. Accounts created through this
522 accounts through out-of-band interfaces.
524 ### Special user - root - user id 0:
526 Exposing the root account (user id 0) to the end-user by default (other than debug /
528 to enable the root user by default for the end-user. For general login for debug /
529 developer builds, a new default user with password can be created by specifying
531 default (CI systems etc. can use this account). From OpenBMC package user name
534 #### Debugging use-case
536 `root` user / sudo privilege access are required during development / debug
538 OEM action (TBD) can be used to set the password for the root user, after which
539 the `root` user can be used to log in to the serial console and for further debugging
540 (Note: the `root` user will not be listed as a user account in any interface such as
541 IPMI / REDFISH from the user-management point of view).
543 ### Deployment for systems without in-band interfaces:
545 Any system which doesn't have an in-band system interface can generate passwords
546 uniquely for each and every device, or can expose a default user name & password
547 forcing the end-user to update the same before using the device (TBD).