Diffstat (limited to 'xyz/openbmc_project/User')
-rw-r--r-- | xyz/openbmc_project/User/AccountPolicy.interface.yaml | 41 | ||||
-rw-r--r-- | xyz/openbmc_project/User/Attributes.interface.yaml | 39 | ||||
-rw-r--r-- | xyz/openbmc_project/User/Common.errors.yaml | 18 | ||||
-rw-r--r-- | xyz/openbmc_project/User/Common.metadata.yaml | 19 | ||||
-rw-r--r-- | xyz/openbmc_project/User/Ldap/Config.interface.yaml | 83 | ||||
-rw-r--r-- | xyz/openbmc_project/User/Ldap/Create.interface.yaml | 79 | ||||
-rw-r--r-- | xyz/openbmc_project/User/Manager.interface.yaml | 124 | ||||
-rw-r--r-- | xyz/openbmc_project/User/Password.interface.yaml | 27 | ||||
-rw-r--r-- | xyz/openbmc_project/User/PrivilegeMapper.interface.yaml | 46 | ||||
-rw-r--r-- | xyz/openbmc_project/User/PrivilegeMapperEntry.interface.yaml | 26 | ||||
-rw-r--r-- | xyz/openbmc_project/User/README.md | 52 |
11 files changed, 527 insertions, 27 deletions
diff --git a/xyz/openbmc_project/User/AccountPolicy.interface.yaml b/xyz/openbmc_project/User/AccountPolicy.interface.yaml
new file mode 100644
index 0000000..9e81b08
--- /dev/null
+++ b/xyz/openbmc_project/User/AccountPolicy.interface.yaml
@@ -0,0 +1,41 @@
+description: >
+ Provides global user account policy related management.
+
+properties:
+ - name: MaxLoginAttemptBeforeLockout
+ type: uint16
+ description: >
+ Configures the maximum permissible attempt before locking
+ out the user. Value of 0 indicates that account lockout
+ feature is disabled.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+
+ - name: AccountUnlockTimeout
+ type: uint32
+ description: >
+ Configures timeout needed (in seconds) to unlock the account
+ after a lockout. Value of 0 indicates that account must be
+ unlocked manually.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+
+ - name: MinPasswordLength
+ type: byte
+ description: >
+ Configures the minimum password length. Minimum password length
+ specified in build time is marked as default value. This property
+ cannot be configured below the build time default value but can be
+ set to higher one for security reasons.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+
+ - name: RememberOldPasswordTimes
+ type: byte
+ description: >
+ Configures the number of times old password shouldn't be allowed
+ when trying to update new password. Value of 0 (by default) indicates
+ this feature is not enforced.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
diff --git a/xyz/openbmc_project/User/Attributes.interface.yaml b/xyz/openbmc_project/User/Attributes.interface.yaml
new file mode 100644
index 0000000..c4f18ad
--- /dev/null
+++ b/xyz/openbmc_project/User/Attributes.interface.yaml
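Review bot: MinPasswordLength's description says a value below the build-time default is not accepted, yet its `errors:` list carries only InternalFailure, so the rejection has no declared error type; add `- xyz.openbmc_project.Common.Error.InvalidArgument` under that property, as the other interfaces in this commit already do for rejected values. The same applies to RememberOldPasswordTimes and MaxLoginAttemptBeforeLockout if the implementation bounds them. MaxLoginAttemptBeforeLockout should also say whether the count is of consecutive failed attempts and that with AccountUnlockTimeout at 0 the lockout persists until UserLockedForFailedAttempt is cleared, since today the property names are the only cross-reference between the two files.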
@@ -0,0 +1,39 @@
+description: >
+ Provides user objects, their properties.
+ As communication to this service is done through authenticated
+ & authorized session, there won't be any validation for the both.
+
+properties:
+ - name: UserGroups
+ type: array[string]
+ description: >
+ Groups to which the user belong.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+
+ - name: UserPrivilege
+ type: string
+ description: >
+ Privilege of the user.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+
+ - name: UserEnabled
+ type: boolean
+ description: >
+ Enabled or disabled state of the user.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+
+ - name: UserLockedForFailedAttempt
+ type: boolean
+ description: >
+ Locked or unlocked state of the user. After repeated failed
+ login attempt (configured through MaxLoginAttemptBeforeLockout),
+ locked out user can be unlocked manually by setting false to
+ this property. This property will return true if user is locked
+ out user. AccountUnlockTimeout property can be configured to unlock
+ the user after a timeout.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
diff --git a/xyz/openbmc_project/User/Common.errors.yaml b/xyz/openbmc_project/User/Common.errors.yaml
new file mode 100644
index 0000000..2bcfb38
--- /dev/null
+++ b/xyz/openbmc_project/User/Common.errors.yaml
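Review bot: UserPrivilege and UserGroups are read/write properties whose only declared error is InternalFailure, so a write of a privilege outside Manager.AllPrivileges or a group outside AllGroups has no defined failure mode; add `- xyz.openbmc_project.Common.Error.InvalidArgument` to both, since CreateUser in this same commit rejects the same inputs with UserNamePrivFail/UserNameGroupFail and the property path should not be looser. The interface description's "there won't be any validation for the both" reads as if value checks are skipped because the caller is authenticated; authentication says nothing about whether a value is valid, so I would reword it to say only that the caller's identity is not re-checked. UserLockedForFailedAttempt covers setting false but not true; state whether a write of true is rejected or locks the account, e.g. `Setting this property to true is not supported and is rejected with InvalidArgument.` if that is the intent.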
@@ -0,0 +1,18 @@
+# xyz.openbmc_project.User.Common.Error.UserNameExists
+- name: UserNameExists
+ description: Specified user name already exists.
+# xyz.openbmc_project.User.Common.Error.UserNameDoesNotExist
+- name: UserNameDoesNotExist
+ description: Specified user name does not exist.
+# xyz.openbmc_project.User.Common.Error.UserNameGroupFail
+- name: UserNameGroupFail
+ description: Specified Group related restriction failure for user name.
+# xyz.openbmc_project.User.Common.Error.UserNamePrivFail
+- name: UserNamePrivFail
+ description: Specified privilege related restriction failure for user name.
+# xyz.openbmc_project.User.Common.Error.NoResource
+- name: NoResource
+ description: No resource available.
+# xyz.openbmc_project.User.Common.Error.PrivilegeMappingExists
+- name: PrivilegeMappingExists
+ description: Specified privilege mapping already exists.
\ No newline at end of file
diff --git a/xyz/openbmc_project/User/Common.metadata.yaml b/xyz/openbmc_project/User/Common.metadata.yaml
new file mode 100644
index 0000000..49ef492
--- /dev/null
+++ b/xyz/openbmc_project/User/Common.metadata.yaml
@@ -0,0 +1,19 @@
+- name: UserNameExists
+ level: ERR
+- name: UserNameDoesNotExist
+ level: ERR
+- name: UserNameGroupFail
+ level: ERR
+ meta:
+ - str: "REASON = %s"
+ type: string
+- name: UserNamePrivFail
+ level: ERR
+ meta:
+ - str: "REASON = %s"
+ type: string
+- name: NoResource
+ level: ERR
+ meta:
+ - str: "REASON = %s"
+ type: string
diff --git a/xyz/openbmc_project/User/Ldap/Config.interface.yaml b/xyz/openbmc_project/User/Ldap/Config.interface.yaml
new file mode 100644
index 0000000..42c7126
--- /dev/null
+++ b/xyz/openbmc_project/User/Ldap/Config.interface.yaml
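Review bot: Common.metadata.yaml has no entry for PrivilegeMappingExists although Common.errors.yaml declares it, so the error list and the metadata list added by this commit disagree; append `- name: PrivilegeMappingExists` and ` level: ERR` at the end of the metadata file. Common.errors.yaml also ends without a trailing newline, as the `\ No newline at end of file` marker shows. The `REASON = %s` metadata on UserNameGroupFail, UserNamePrivFail and NoResource ends up in the event log, so implementers should keep that reason string to the user name and the failed restriction rather than any credential material.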
@@ -0,0 +1,83 @@
+description: >
+ Implement to update LDAP mandatory properties.
+
+properties:
+ - name: LDAPServerURI
+ type: string
+ description: >
+ Specifies the LDAP URI of the server to connect to.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+ - xyz.openbmc_project.Common.Error.InvalidArgument
+ - xyz.openbmc_project.Common.Error.NoCACertificate
+ - name: LDAPBindDN
+ type: string
+ description: >
+ Specifies the distinguished name with which to bind to the directory
+ server for lookups.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+ - xyz.openbmc_project.Common.Error.InvalidArgument
+ - name: LDAPBindDNPassword
+ type: string
+ description: >
+ Specifies the credentials with which to bind,Implementation should
+ consider changing the permissions of the underlying file to
+ only grant access to the root user.
+ This property value should not be reflected on the D-bus object itself.
+ Implementation can use the given value and update the service
+ implementing the LDAP client.This is just to facilitate the support
+ for changing the bin dn password if needed.
+ Currently this property is over D-bus, There are security concerns
+ for the same, but once we find better way to update the ldap password
+ we would fix it.
+ - name: LDAPBaseDN
+ type: string
+ description: >
+ Specifies the base distinguished name to use as search base.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+ - xyz.openbmc_project.Common.Error.InvalidArgument
+ - name: LDAPSearchScope
+ type: enum[self.SearchScope]
+ description: >
+ Specifies the search scope:subtree, one level or base object.
+ default: sub
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+ - name: LDAPType
+ type: enum[self.Type]
+ description: >
+ Specifies the the configured server is ActiveDirectory(AD) or
+ OpenLdap. It's just an indication for the LDAP stack running on
+ the BMC, in case the app is implemented in such a way that it has
+ to react differently for AD vs openldap.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+ - name: GroupNameAttribute
+ type: string
+ description: >
+ The value of this property shall be the attribute name
+ that contains the name of the Group in the LDAP server.
+ - name: UserNameAttribute
+ type: string
+ description: >
+ The value of this property shall be the attribute name
+ that contains the username in the LDAP server.
+enumerations:
+ - name: SearchScope
+ description: >
+ Possible base scopes.
+ values:
+ - name: sub
+ - name: one
+ - name: base
+
+ - name: Type
+ description: >
+ Possible LDAP Types.
+ values:
+ - name: ActiveDirectory
+ - name: OpenLdap
+
+# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
diff --git a/xyz/openbmc_project/User/Ldap/Create.interface.yaml b/xyz/openbmc_project/User/Ldap/Create.interface.yaml
new file mode 100644
index 0000000..69c03e6
--- /dev/null
+++ b/xyz/openbmc_project/User/Ldap/Create.interface.yaml
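Review bot: LDAPBindDNPassword is the only property in this file without an `errors:` list, and its description leaves the read-back behaviour as advice ("should not be reflected") rather than a contract; make it normative, e.g. `Reading this property returns an empty string; the value is never emitted in PropertiesChanged.`, and add `- xyz.openbmc_project.Common.Error.InternalFailure` and InvalidArgument as the sibling properties have. The text already records that carrying the secret over D-Bus is a known concern, which is fine to keep, but a caller still needs to know which error the set path raises when the underlying file cannot be updated. LDAPServerURI lists NoCACertificate, which suggests ldaps:// URIs are expected; naming the accepted schemes in its description would make that explicit. Minor: "Specifies the the configured server" in LDAPType (repeated in Create.interface.yaml) and "bin dn" in the password description are typos.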
@@ -0,0 +1,79 @@
+description: >
+ Implement to create LDAP name service daemon configuration file.
+
+methods:
+ - name: CreateConfig
+ description: >
+ This method always creates a new config file as well as a D-Bus
+ object to represent the config, it will destroy an existing one,
+ if found. In other words, this is not an update API. Individual
+ properties can be updated as per the
+ xyz/openbmc_project/User/Ldap/Config.interface.yaml.
+ parameters:
+ - name: LDAPServerURI
+ type: string
+ description: >
+ Specifies the LDAP URI of the server to connect to.
+ - name: LDAPBindDN
+ type: string
+ description: >
+ Specifies the distinguished name with which to bind to the
+ directory server for lookups.
+ - name: LDAPBaseDN
+ type: string
+ description: >
+ Specifies the base distinguished name to use as search base.
+ - name: LDAPBINDDNpassword
+ type: string
+ description: >
+ Specifies the clear text credentials with which to bind. This
+ option is only applicable when used with LDAPBindDN.
+ - name: LDAPSearchScope
+ type: enum[self.SearchScope]
+ description: >
+ Specifies the search scope:subtree, one level or base object.
+ - name: LDAPType
+ type: enum[self.Type]
+ description: >
+ Specifies the the configured server is ActiveDirectory(AD) or
+ OpenLdap. It's just an indication for the LDAP stack running on
+ the BMC, in case the app is implemented in such a way that it has
+ to react differently for AD vs openldap.
+ - name: GroupNameAttribute
+ type: string
+ description: >
+ Specifies the attribute name that contains the name
+ of the Group in the LDAP server.
+ - name: UsernameAttribute
+ type: string
+ description: >
+ Specifies the attribute name that contains
+ the username in the LDAP server.
+ returns:
+ - name: path
+ type: string
+ description: >
+ The object path of the D-Bus object representing the config.
+
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+ - xyz.openbmc_project.Common.Error.InvalidArgument
+ - xyz.openbmc_project.Common.Error.NoCACertificate
+
+enumerations:
+ - name: SearchScope
+ description: >
+ Possible base scopes.
+ values:
+ - name: sub
+ - name: one
+ - name: base
+
+ - name: Type
+ description: >
+ Possible LDAP Types.
+ values:
+ - name: ActiveDirectory
+ - name: OpenLdap
+
+# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
diff --git a/xyz/openbmc_project/User/Manager.interface.yaml b/xyz/openbmc_project/User/Manager.interface.yaml
new file mode 100644
index 0000000..3874071
--- /dev/null
+++ b/xyz/openbmc_project/User/Manager.interface.yaml
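Review bot: CreateConfig's parameter names diverge from the property names in Config.interface.yaml that its own description tells callers to use for later updates: `LDAPBINDDNpassword` against `LDAPBindDNPassword` and `UsernameAttribute` against `UserNameAttribute`; rename them to the Config spelling so generated bindings and any Redfish mapping refer to one identifier. The return `path` is typed `string` here while PrivilegeMapper.Create in the same commit returns `type: path` for the same kind of value, and `path` is the D-Bus type for an object path. Since the bind password arrives in clear text as a method argument, the implementation note on the Config property about restricting the underlying file to root applies to this path as well and is worth a one-line cross-reference in the LDAPBINDDNpassword description.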
@@ -0,0 +1,124 @@
+description: >
+ Provides user management functionality.
+ As communication to this service is done through authenticated
+ & authorized session, there won't be any validation for both.
+
+methods:
+ - name: CreateUser
+ description: >
+ Creates a new user. If the user already exists, then it will throw
+ an error.
+ parameters:
+ - name: UserName
+ type: string
+ description: >
+ User name which has to be created.
+ - name: GroupNames
+ type: array[string]
+ description: >
+ List of groups to which the user has to be added.
+ - name: Privilege
+ type: string
+ description: >
+ Privilege of the user to be added.
+ - name: Enabled
+ type: boolean
+ description: >
+ User enabled / disabled.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+ - xyz.openbmc_project.Common.Error.InsufficientPermission
+ - xyz.openbmc_project.Common.Error.InvalidArgument
+ - xyz.openbmc_project.User.Common.Error.UserNameExists
+ - xyz.openbmc_project.User.Common.Error.UserNameGroupFail
+ - xyz.openbmc_project.User.Common.Error.UserNamePrivFail
+ - xyz.openbmc_project.User.Common.Error.NoResource
+
+ - name: RenameUser
+ description: >
+ Rename's existing user to new one. All other properties of the
+ user will remain same.
+ parameters:
+ - name: UserName
+ type: string
+ description: >
+ User name which has to be updated.
+ - name: NewUserName
+ type: string
+ description: >
+ New User name to which user has to be updated.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+ - xyz.openbmc_project.Common.Error.InsufficientPermission
+ - xyz.openbmc_project.Common.Error.InvalidArgument
+ - xyz.openbmc_project.User.Common.Error.UserNameDoesNotExist
+ - xyz.openbmc_project.User.Common.Error.UserNameExists
+ - xyz.openbmc_project.User.Common.Error.UserNameGroupFail
+ - xyz.openbmc_project.User.Common.Error.UserNamePrivFail
+ - xyz.openbmc_project.User.Common.Error.NoResource
+
+ - name: GetUserInfo
+ description: >
+ Get user properites.
+ If its local user, method returns
+ -user privilege
+ -user groups
+ -user enabled state
+ -user locked state
+ -remote user flag
+ If its ldap user, method returns
+ -user privilege
+ -remote user flag
+ parameters:
+ - name: UserName
+ type: string
+ description: >
+ User name whose properties have to be returned.
+ returns:
+ - name: UserInfo
+ type: dict[string,variant[string,array[string],boolean]]
+ description: >
+ Dictionary of user properties.
+ List of key name and data type of properties below.
+ UserPrivilege -> privilege of the user(string)
+ UserGroups -> list of groups user belongs to(array[string])
+ UserEnabled -> user enabled state(boolean)
+ UserLockedForFailedAttempt -> user locked state(boolean)
+ RemoteUser -> remote or local user(boolean)
+
+ For detailed documentation of user properties refer
+ Attributes.interface.yaml
+ examples:
+ 1.UserInfo["RemoteUser"] returns true for ldap user
+ and false for local user.
+ 2.UserInfo["UserGroups"] gets list of groups of user.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+ - xyz.openbmc_project.Common.Error.InsufficientPermission
+ - xyz.openbmc_project.Common.Error.InvalidArgument
+ - xyz.openbmc_project.User.Common.Error.UserNameDoesNotExist
+
+properties:
+ - name: AllPrivileges
+ type: array[string]
+ description: >
+ Lists all available user privileges in the system.
+
+ - name: AllGroups
+ type: array[string]
+ description: >
+ Lists all available groups in the system.
+
+signals:
+ - name: UserRenamed
+ description: >
+ Signal indicating user's name is updated.
+ properties:
+ - name: UserName
+ type: string
+ description: Name of the user which got renamed.
+ - name: NewUserName
+ type: string
+ description: New name of the user.
+
+# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
diff --git a/xyz/openbmc_project/User/Password.interface.yaml b/xyz/openbmc_project/User/Password.interface.yaml
deleted file mode 100644
index 24697a3..0000000
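Review bot: RenameUser's error list includes UserNameGroupFail, UserNamePrivFail and NoResource, which are group, privilege and resource failures that a rename does not involve; unless the implementation really raises them they look copied from CreateUser and should be trimmed to InternalFailure, InsufficientPermission, InvalidArgument, UserNameDoesNotExist and UserNameExists. "Get user properites." in GetUserInfo is a typo and "Rename's existing user to new one" should read "Renames the existing user". The interface description's "there won't be any validation for both" should not be read as skipping argument checks — CreateUser's own error list shows values are validated — so I would phrase it as the caller's identity not being re-verified. GetUserInfo says an LDAP user yields only the privilege and the remote flag, but the returns text lists five keys without saying the rest are absent; state that UserGroups, UserEnabled and UserLockedForFailedAttempt are omitted for remote users, if that is the behaviour.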
--- a/xyz/openbmc_project/User/Password.interface.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-description: >
- Implement to provide user password set functionality. Since this
- needs an authenticated session, there is no need of old password.
- User ID is part of the dbus object.
-methods:
- - name: SetPassword
- description: >
- Set the user password. If the user already had a password, it will
- be updated, else sets the password.
-
- InsufficientPermission error doing so would mean that, the caller
- does not have required permission to update the password.
-
- InternalFailure error would mean that, caller had required
- permissions, but, there was a software error.
- Errorlog metadata would need to be looked into when this happens.
- Re-try once on this error and if that fails, do not try anymore.
- parameters:
- - name: NewPassword
- type: string
- description: >
- new password string
- errors:
- - xyz.openbmc_project.Common.Error.InternalFailure
- - xyz.openbmc_project.Common.Error.InsufficientPermission
-
-# vim: tabstop=8 expandtab shiftwidth=4 softtabstop=4
diff --git a/xyz/openbmc_project/User/PrivilegeMapper.interface.yaml b/xyz/openbmc_project/User/PrivilegeMapper.interface.yaml
new file mode 100644
index 0000000..aac9fc0
--- /dev/null
+++ b/xyz/openbmc_project/User/PrivilegeMapper.interface.yaml
@@ -0,0 +1,46 @@
+description: >
+ Implement this interface to set the privilege of the user based on the
+ group name. The users in the group will inherit the privilege mapping of
+ the group. The Create method on success creates the object which implements
+ xyz.openbmc_project.User.PrivilegeMapperEntry. For example in the case of
+ LDAP, the object path will be
+ /xyz/openbmc_project/user/ldap/privilege_mapper/<id>. The <id> will be
+ a unique number generated by the application. If the privilege mapping
+ already exists then it throws the exception
+ xyz.openbmc_project.User.Common.Error.PrivilegeMappingExists. To modify the
+ privilege for a mapping which already exists, the Privilege property in the
+ xyz.openbmc_project.User.PrivilegeMapperEntry interface needs to be set.
+ Any application consuming the privilege mapping should not cache the object
+ path and use the GetManagedObjects method on the
+ org.freedesktop.DBus.ObjectManager interface to figure out the D-Bus object
+ path associated with the group name.
+
+methods:
+ - name: Create
+ description: >
+ Creates a mapping for the group to the privilege.
+ parameters:
+ - name: GroupName
+ type: string
+ description: >
+ Group Name to which the privilege is to be assigned. In the case
+ of LDAP, the GroupName will be the LDAP group the user is part of.
+ - name: Privilege
+ type: string
+ description: >
+ The privilege associated with the group. The set of available
+ privileges are xyz.openbmc_project.User.Manager.AllPrivileges.
+ xyz.openbmc_project.Common.Error.InvalidArgument exception will
+ be thrown if the privilege is invalid. Additional documentation
+ on privilege is available here.
+ https://github.com/openbmc/docs/blob/master/user_management.md
+ returns:
+ - name: Path
+ type: path
+ description: >
+ The path for the created privilege mapping object.
+
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+ - xyz.openbmc_project.Common.Error.InvalidArgument
+ - xyz.openbmc_project.User.Common.Error.PrivilegeMappingExists
\ No newline at end of file
diff --git a/xyz/openbmc_project/User/PrivilegeMapperEntry.interface.yaml b/xyz/openbmc_project/User/PrivilegeMapperEntry.interface.yaml
new file mode 100644
index 0000000..cea3ca2
--- /dev/null
+++ b/xyz/openbmc_project/User/PrivilegeMapperEntry.interface.yaml
@@ -0,0 +1,26 @@
+description: >
+ Implement to provide privilege for the group.
+
+properties:
+ - name: GroupName
+ type: string
+ description: >
+ Group Name to which the privilege is to be assigned. In the case of
+ LDAP, the GroupName will be the LDAP group the user is part of.
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+ - xyz.openbmc_project.Common.Error.InvalidArgument
+ - xyz.openbmc_project.User.Common.Error.PrivilegeMappingExists
+ - name: Privilege
+ type: string
+ description: >
+ One of the privilege as defined by
+ xyz.openbmc_project.User.Manager.AllPrivileges.
+ xyz.openbmc_project.Common.Error.InvalidArgument exception will be
+ thrown if the privilege is invalid. Additional documentation
+ on privilege is available here.
+ https://github.com/openbmc/docs/blob/master/user_management.md
+
+ errors:
+ - xyz.openbmc_project.Common.Error.InternalFailure
+ - xyz.openbmc_project.Common.Error.InvalidArgument
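Review bot: The PrivilegeMapper description says Create throws PrivilegeMappingExists when "the privilege mapping already exists" but never says what makes two mappings the same, and a consumer resolving a group to a privilege needs to know whether GroupName alone is the key (so one group can never carry two privileges) or GroupName plus Privilege. State it on Create, e.g. `A mapping is identified by GroupName; a second Create for a GroupName that already has a mapping is rejected with PrivilegeMappingExists regardless of Privilege.`, if that is the intent. The Privilege parameter documents its check against AllPrivileges, but GroupName lists InvalidArgument without saying what an invalid group name is — an empty string at least. The file also ends without a trailing newline.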
\ No newline at end of file
diff --git a/xyz/openbmc_project/User/README.md b/xyz/openbmc_project/User/README.md
new file mode 100644
index 0000000..1ce17e0
--- /dev/null
+++ b/xyz/openbmc_project/User/README.md
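Review bot: In PrivilegeMapperEntry, GroupName lists PrivilegeMappingExists among its errors, which implies the property is writable and that moving a mapping onto a group that already has one is rejected, yet the description never says the property can be set; state it, e.g. `Writable. Setting it to a GroupName that already has a mapping is rejected with PrivilegeMappingExists.`, or drop that error if GroupName is fixed after Create. The Privilege description should say when a change takes effect for users already in the group, since that is the authorization-relevant consequence and the PrivilegeMapper description only implies it. A one-line note on how an entry is removed (the README points users at xyz.openbmc_project.Object.Delete for user objects; presumably the same applies here) would complete the lifecycle. The file also ends without a trailing newline.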
@@ -0,0 +1,52 @@
+# User Management
+
+## Overview
+User Manager service exposes D-Bus methods for user management operations.
+
+### User Manager Interface
+User manager interface `xyz.openbmc_project.User.Manager` provides following
+methods, properties and signals.
+
+#### xyz.openbmc_project.User.Manager interface
+##### methods
+* CreateUser - To create new user to the system.
+* RenameUser - To rename existing user to new name in the system.
+
+##### properties
+* AllGroups - To list all the groups supported in the system.
+* AllPrivileges - To list all the privileges supported in the system.
+
+##### signals
+* UserRenamed - Signal sent out when user is renamed in the system.
+
+#### xyz.openbmc_project.User.AccountPolicy interface
+##### properties
+* MaxLoginAttemptBeforeLockout - Permissible attempt before locking out the
+user for failed login attempts.
+* AccountUnlockTimeout - Timeout (in seconds) to unlock the account after a
+lockout.
+* MinPasswordLength - Minimum password length, which can be set.
+* RememberOldPasswordTimes – Number of times old password shouldn’t be allowed
+when updating password for the user.
+
+### Users Interface
+User manager daemon, will create user objects for every user existing
+in the system under object path `/xyz/openbmc_project/user/<user name>`.
+Each user object can be handled through 'org.freedesktop.DBus.ObjectManager'.
+User object will expose following properties and methods.
+
+#### xyz.openbmc_project.User.Attributes interface
+##### properties
+* UserPrivilege - Privilege of the user.
+* UserGroups - Groups to which the user belongs.
+* UserEnabled - User enabled state.
+* UserLockedForFailedAttempt - Locked or unlocked state of the user account.
+
+#### xyz.openbmc_project.Object.Delete
+#### methods
+* Delete - To delete the user object in the system.
+
+##Note
+This interface doesn't provide ways to set / update password. The same must
+be set / updated through pam_chauthtok() (PAM modules). This is to avoid
+sending out password through D-Bus. |