DMTF/Redfish-Usecase-Checkers

cannot fully delete user from Dell PowerEdge

Closed this issue · 11 comments

account_manager.py and rf_accounts.py do not completely remove the user with delete; they only remove the name.

root@testingvm:/usr/local/bin# python3 rf_accounts.py -u root -p mypassword -r https://172.26.15.212

Name | Role | Locked | Enabled
root | Administrator | False | True
| Operator | False | True
| Administrator | False | True
| Administrator | False | True
| Administrator | False | True
| Administrator | False | True
| Operator | False | True
| Operator | False | True
testuser | Operator | False | True

root@testingvm:/usr/local/bin# rf_accounts.py -u root -p mypassword -r https://172.26.15.212 -delete testuser
Deleting user 'testuser'
Traceback (most recent call last):
  File "/usr/local/bin/rf_accounts.py", line 45, in <module>
    redfish_utilities.delete_user( redfish_obj, args.delete )

root@testingvm:/usr/local/bin# python3 rf_accounts.py -u root -p mypassword -r https://172.26.15.212

Name | Role | Locked | Enabled
root | Administrator | False | True
| Operator | False | True
| Administrator | False | True
| Administrator | False | True
| Administrator | False | True
| Administrator | False | True
| Operator | False | True
| Operator | False | True

"TestResults": {
    "User Count": {
        "pass": 1,
        "fail": 0,
        "skip": 0
    },
    "Add User": {
        "pass": 2,
        "fail": 0,
        "skip": 0
    },
    "Credential Check": {
        "pass": 2,
        "fail": 0,
        "skip": 0
    },
    "Change Role": {
        "pass": 6,
        "fail": 0,
        "skip": 0
    },
    "Delete User": {
        "pass": 0,
        "fail": 1,
        "skip": 0
    },
    "ErrorMessages": [
        "Delete User: Failed to delete user 'alice73t'"
    ]
}

Is there further trace information from when you did the delete, or did it stop at "redfish_utilities.delete_user( redfish_obj, args.delete )"?

I know some implementations don't actually allow the account resources themselves to be deleted, and instead they pre-provision "account slots" to maintain compatibility with IPMI. But the lower level tools should be detecting this and clearing the user account (in addition to disabling the user), but it looks like it's not disabling anything.

The behavior of clearing the Name property on delete for the Dell PowerEdge services is expected. Some Redfish services (including Dell PowerEdge) have a fixed set of account slots, and accounts are added by setting the Name property and deleted by clearing the Name.

See this code:

https://github.com/DMTF/Redfish-Tacklebox/blob/20bb321ca8f4f8b80e4fee165e77d91ccd2ab39d/redfish_utilities/accounts.py#L133-L139

However, you seem to be getting an exception when trying to do the delete operation:

root@testingvm:/usr/local/bin# rf_accounts.py -u root -p mypassword -r https://172.26.15.212 -delete testuser
Deleting user 'testuser'
Traceback (most recent call last):
  File "/usr/local/bin/rf_accounts.py", line 45, in <module>
    redfish_utilities.delete_user( redfish_obj, args.delete )

But from your output above, it seems like you didn't capture the full traceback and exception, so I can't tell why it failed. Can you try this again and capture the full output of the delete command?

more account_manager output.docx

Only that error snippet is generated. Another attachment with it and the account_manager.py results.json file. If there is a way to generate more error detail, let me know how and I will do it.
Thank you.

Thanks. Your doc had the additional error text we were looking for:

root@testingvm:/usr/local/bin# python3 rf_accounts.py -u root -p mypassword -r https://172.26.15.212 --delete test1
Deleting user 'test1'
Traceback (most recent call last):
  File "rf_accounts.py", line 45, in <module>
    redfish_utilities.delete_user( redfish_obj, args.delete )
  File "/usr/local/lib/python3.6/dist-packages/redfish_utilities/accounts.py", line 137, in delete_user
    return modify_user( context, user_name, new_name = "", new_enabled = False )
  File "/usr/local/lib/python3.6/dist-packages/redfish_utilities/accounts.py", line 176, in modify_user
    verify_response( response )
  File "/usr/local/lib/python3.6/dist-packages/redfish_utilities/messages.py", line 71, in verify_response
    raise RedfishOperationFailedError( "Operation failed: HTTP {}\n{}".format( response.status, exception_string ) )
redfish_utilities.messages.RedfishOperationFailedError: Operation failed: HTTP 400
A general error has occurred. See ExtendedInfo for more information
The specified value is not allowed to be configured if the user name \nor password is blank.

I guess that some services do not want the Enabled property to be specified when clearing the Username.

Ah, that's correct - the Enabled property is not a required property of ManagerAccount, so the test should probably not include it in the write if it wasn't in the GET payload.

That's true, but I think Enabled is expected to be supported on this implementation.

@cb371j could you please provide the output from the following URIs? That'll help us narrow down the issue:

  • /redfish/v1/Managers/iDRAC.Embedded.1
  • /redfish/v1/Managers/iDRAC.Embedded.1/AccountService/Accounts/1

redfish_output.docx

Here is the output for the
/redfish/v1/Managers/iDRAC.Embedded.1
/redfish/v1/Managers/iDRAC.Embedded.1/AccountService/Accounts/1

I think the second URL should be:

/redfish/v1/Managers/iDRAC.Embedded.1/Accounts/1

curl "https://172.26.15.212/redfish/v1/Managers/iDRAC.Embedded.1/Accounts/1" -k -u root:mypasswd| jq
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 409 100 409 0 0 1573 0 --:--:-- --:--:-- --:--:-- 1573
{
  "@odata.context": "/redfish/v1/$metadata#ManagerAccount.ManagerAccount",
  "@odata.id": "/redfish/v1/Managers/iDRAC.Embedded.1/Accounts/1",
  "@odata.type": "#ManagerAccount.v1_1_1.ManagerAccount",
  "Description": "User Account",
  "Enabled": false,
  "Id": "1",
  "Links": {
    "Role": {
      "@odata.id": "/redfish/v1/Managers/iDRAC.Embedded.1/Roles/None"
    }
  },
  "Locked": false,
  "Name": "User Account",
  "Password": null,
  "RoleId": "None",
  "UserName": ""
}

@cb371j thanks for all of the info. I've traced this down to being the way this implementation behaves with regards to how Redfish users are deleted. This type of design allocates fixed slots per user account, so accounts themselves are not deleted, but instead they are modified to clear out properties.

We have fallback code in place in our library to detect when a true DELETE is not allowed, and then PATCH some properties to clean up. It tries to do this in a single PATCH request, but it doesn't allow both UserName and Enabled to be PATCHed simultaneously when UserName is an empty string. So, we can make a change to break this into two PATCH operations.

@cb371j please try out the latest version of the usecase checkers; you'll also need to update the redfish_utilities package since there was a fix added to it to address this. If the issue persists, please reopen the issue.
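
The fallback discussed in this thread (DELETE refused, slot cleared with two PATCH requests instead of one), as an added example that is not the redfish_utilities code. `SlotService` is a constructed in-memory stand-in for a fixed-slot service; its placeholder URI, the 405 returned for DELETE, and the disable-then-clear ordering are assumptions, the last one inferred from the HTTP 400 error text quoted above. The read-back at the end checks that the account is both unnamed and disabled before it is reported as removed.

```python
class SlotService:
    """Constructed in-memory stand-in for a fixed-slot account service."""

    def __init__(self):
        # Constructed sample slot; the URI is a placeholder, not a real path.
        self.slots = {"/Accounts/3": {"UserName": "testuser", "Enabled": True}}
        self.log = []

    def members(self):
        return list(self.slots)

    def get(self, uri):
        return dict(self.slots[uri])

    def delete(self, uri):
        self.log.append(("DELETE", uri))
        return 405  # assumption: slots cannot be removed, only cleared

    def patch(self, uri, body):
        self.log.append(("PATCH", uri, dict(body)))
        name_after = body.get("UserName", self.slots[uri]["UserName"])
        if "Enabled" in body and name_after == "":
            return 400  # Enabled may not be written while the user name is blank
        self.slots[uri].update(body)
        return 200


def delete_user(svc, user_name):
    """Remove an account, falling back to clearing its slot when DELETE is refused."""
    uri = next((u for u in svc.members() if svc.get(u)["UserName"] == user_name), None)
    if uri is None:
        raise LookupError("no account named %r" % user_name)
    if svc.delete(uri) in (200, 204):
        return "deleted"
    # Two PATCHes: disable while the name is still set, then blank the name.
    for body in ({"Enabled": False}, {"UserName": ""}):
        status = svc.patch(uri, body)
        if status != 200:
            raise RuntimeError("PATCH %s failed with HTTP %d" % (body, status))
    # Read the slot back so a half-cleared account is reported, not assumed gone.
    after = svc.get(uri)
    if after["UserName"] != "" or after["Enabled"]:
        raise RuntimeError("slot %s still holds an active account" % uri)
    return "cleared"


if __name__ == "__main__":
    svc = SlotService()
    print(svc.patch("/Accounts/3", {"UserName": "", "Enabled": False}))  # combined PATCH
    print(delete_user(svc, "testuser"), svc.get("/Accounts/3"))
```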