2024-04-16
IPMI connections have privilege levels, not just IPMI users
If you want to connect to a server's IPMI over the network, you normally need to authenticate as some IPMI user. When you set that IPMI user up, you'll give it one of three or four privilege levels: ADMINISTRATOR, OPERATOR, USER, or what I believe is rarely used, CALLBACK. For years, when I tried to set up IPMIs for things like reading sensors over the network, remote power cycling, or Serial over LAN console access, I'd make a special IPMI user for the purpose and try to give it a low privilege level, but the low privilege level basically never worked, so I'd give up, grumble, and make yet another ADMINISTRATOR user. Recently I discovered that I had misunderstood what was going on, which is that both IPMI users and IPMI connections have a privilege level.
When you make an IPMI connection with, for example, ipmitool, it will ask for that connection to be at some privilege level. Generally the default privilege level that things ask for is 'ADMINISTRATOR', and it's honestly hard to blame them. As far as I know there is no standard for what operations require what privilege level; instead it's up to the server or BMC vendor to decide what level they want to require for any particular IPMI command. But everyone agrees that 'ADMINISTRATOR' is the highest level, so it's the safest to ask for as the connection privilege level; if the BMC doesn't let you do it at ADMINISTRATOR, you probably can't do it at all.
The flaw in this is that an IPMI user's privilege level constrains what privilege level you can ask for when you authenticate as that user. If you make a 'USER' privileged IPMI user, connect as it, and ask for ADMINISTRATOR privileges, the BMC is going to tell you no. Since ipmitool and other tools were always asking for ADMINISTRATOR by default, they would get errors unless I made my IPMI users have that privilege level. Once I discovered and realized this, I could explicitly tell ipmitool and other things to ask for less privilege and then work out exactly what privilege level I needed for a particular operation on a particular BMC.
(It is probably safe to assume that a 'USER' privileged IPMI user (well, connection) can read sensor data. Experimentally, at least one vendor's BMC will do Serial over LAN at 'OPERATOR' privilege, but I wouldn't be surprised if some require 'ADMINISTRATOR' for that, since serial console access is often the keys to the server itself. Hopefully power cycling the server is an 'OPERATOR' level thing, but again perhaps not on some BMCs.)
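The process of working out the needed level, as an added example that is not from the original post: a shell script that requests each session privilege level in turn with ipmitool's -L option and reports the lowest one at which a command succeeds. The lanplus interface, the password in the IPMI_PASSWORD environment variable, and the choice of probe commands are assumptions.

```shell
#!/bin/sh
# Added example: find the lowest session privilege level at which an
# ipmitool command works for a given IPMI user on a given BMC.
# Assumed: lanplus interface, password exported in IPMI_PASSWORD (-E).

IPMITOOL=${IPMITOOL:-ipmitool}   # overridable, e.g. for an offline stub

# lowest_priv HOST USER CMD...
# Prints the lowest level that worked; returns 1 if every level failed,
# which includes the BMC refusing levels above the user's own.
lowest_priv() {
    lp_host=$1; lp_user=$2; shift 2
    for lp_level in USER OPERATOR ADMINISTRATOR; do
        # -L is the privilege level requested for this session.
        if "$IPMITOOL" -I lanplus -H "$lp_host" -U "$lp_user" -E \
                -L "$lp_level" "$@" >/dev/null 2>&1; then
            echo "$lp_level"
            return 0
        fi
    done
    return 1
}

# probe_report HOST USER
# One line per read-only probe command (an assumed, harmless selection).
probe_report() {
    for pr_cmd in "sdr list" "chassis power status" "sol info"; do
        # Unquoted on purpose: each entry splits into ipmitool arguments.
        pr_level=$(lowest_priv "$1" "$2" $pr_cmd) || pr_level=denied
        printf '%-22s %s\n' "$pr_cmd" "$pr_level"
    done
}

# Usage: IPMI_PASSWORD=... sh ipmi-priv.sh BMC-HOST IPMI-USER
if [ "$#" -eq 2 ]; then
    probe_report "$1" "$2"
fi
```

Only read-only commands are probed here; for state-changing operations such as power cycling or activating Serial over LAN, the required level has to be found by running the real command with -L at each level.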
PS: If there's a way to have ipmitool and other things ask for 'whatever the (maximum) privilege level this user has', it's not obvious to me in things like the ipmitool manual page.