vanou | Hello. I have a question about the Redfish driver in Ironic. Currently, an Ironic user is able to set redfish_verify_ca in driver_info to the filesystem path of a certification file or the path to a directory containing certification files. | 09:34 |
---|---|---|
vanou | But if this Ironic user is a person who doesn't have access rights to the machine on which the Ironic conductor is running, the fact that redfish_verify_ca can be set to any filesystem path does not seem good to me. | 09:34 |
vanou | An Ironic user may specify any filesystem path on the machine where the Ironic conductor is running. Then, the Ironic conductor will fetch any file specified, because the Ironic conductor may run with high privilege. If the specified file is not a certification file, Redfish may return with an error. | 09:35 |
vanou | But the above Ironic behavior does not seem appropriate to me. | 09:35 |
TheJulia | vanou: not any user, one has to be a system_admin or project admin with ownership rights over the machine. i.e. trusted entities. | 23:19 |
TheJulia | vanou: the conductor can also be run in a container and as an unprivileged user if iscsi deployment is not used. In fact, there is work underway to eliminate the only conductor side elevated privilege use at this point, which is ISO file generation at the moment. | 23:21 |