Hello,
for information, this feature has been implemented as https://git.lavasoftware.org/lava/lava/merge_requests/126
This will be available in the next lava version (should be 2018.10).
Rgds
On Mon, 10 Sept 2018 at 15:03, Remi Duraffort remi.duraffort@linaro.org wrote:
Hello,
LAVA, and more precisely the xmlrpc api in that case, is not using the Django fine-grained permissions ( https://docs.djangoproject.com/en/2.1/topics/auth/default/#default-permissio... ). We are only using the is_superuser flag to know if a user is able or not to make the corresponding calls.
That's in fact a good idea to use the django permissions (like adding a decorator that calls has_perm("lava_scheduler_app.add_worker")) in the xmlrpc api. If you have some time to write a patch about it, I will be happy to review it.
Cheers
2018-08-30 13:11 GMT+02:00 Jan-Simon Moeller <jsmoeller@linuxfoundation.org>:
Hi all!
On 30.08.2018 at 09:38, Neil Williams wrote:
> Yes - with an up to date lava-master (2018.5 and later IIRC, possibly a release or two earlier, I'd have to check), the process is automatic.
Thanks, that seems to work. The next blocker to having a non-superuser remote worker is adding the dispatcher_ip, which also requires superuser privileges[1], and doesn't appear to have an individual user permission ACL.
Assuming ZMQ encryption between master/slave, is it possible to have a remote worker without admin privileges? Is this something that has been validated?
No. Adding and managing workers is solely a superuser task because such operations can fundamentally change the topology of the lab and undermine ongoing CI.
JSM: @Neil: but for this we have the ACLs. So why not *enable* ppl to do this if they choose so by granting the ACL. The superuser flag is IMHO just a shortcut for 'ALL ACL'.
Here is the use-case:
- Remote lab being brought up. Keys exchanged, the remote lab should be able to register and manage its internal settings (like dispatcher_ip).
dispatcher_ip is a good example. B/C the *server* admin does not need to know this. It is in the domain of the admin of the *worker lab*.
Jan-Simon
Kevin

[1]
lab-slave-0_1 | Add dispatcher_ip 192.168.66.1 to lab-slave-0
lab-slave-0_1 | Traceback (most recent call last):
lab-slave-0_1 |   File "/usr/local/bin/setdispatcherip.py", line 11, in <module>
lab-slave-0_1 |     server.scheduler.workers.set_config("%s" % sys.argv[2], "dispatcher_ip: %s" % sys.argv[3])
lab-slave-0_1 |   File "/usr/lib/python2.7/xmlrpclib.py", line 1243, in _call_
lab-slave-0_1 |     return self._send(self._name, args)
lab-slave-0_1 |   File "/usr/lib/python2.7/xmlrpclib.py", line 1602, in __request
lab-slave-0_1 |     verbose=self.__verbose
lab-slave-0_1 |   File "/usr/lib/python2.7/xmlrpclib.py", line 1283, in request
lab-slave-0_1 |     return self.single_request(host, handler, request_body, verbose)
lab-slave-0_1 |   File "/usr/lib/python2.7/xmlrpclib.py", line 1316, in single_request
lab-slave-0_1 |     return self.parse_response(response)
lab-slave-0_1 |   File "/usr/lib/python2.7/xmlrpclib.py", line 1493, in parse_response
lab-slave-0_1 |     return u.close()
lab-slave-0_1 |   File "/usr/lib/python2.7/xmlrpclib.py", line 800, in close
lab-slave-0_1 |     raise Fault(**self._stack[0])
lab-slave-0_1 | xmlrpclib.Fault: <Fault 403: "User 'nonadminuser' is not superuser.">
--
Neil Williams
neil.williams@linaro.org
http://www.linux.codehelp.co.uk/

--
Rémi Duraffort
LAVA Team
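
The change proposed in the thread (a decorator that calls has_perm instead of testing is_superuser), as an added example; it is not LAVA's code nor the code of the merge request. StubUser, both decorators, the handler signatures with an explicit user argument, and the permission name lava_scheduler_app.change_worker are assumptions, chosen so the block runs without Django.

```python
import functools
import xmlrpc.client


class StubUser:
    """Constructed stand-in for a Django user object, so this runs offline."""

    def __init__(self, username, is_superuser=False, perms=()):
        self.username = username
        self.is_superuser = is_superuser
        self._perms = frozenset(perms)

    def has_perm(self, perm):
        # Like Django's has_perm for an active superuser: every check passes.
        return self.is_superuser or perm in self._perms


def superuser_required(func):
    """Behaviour described in the thread: only the is_superuser flag is tested."""
    @functools.wraps(func)
    def wrapper(user, *args, **kwargs):
        if not user.is_superuser:
            raise xmlrpc.client.Fault(403, "User '%s' is not superuser." % user.username)
        return func(user, *args, **kwargs)
    return wrapper


def permission_required(perm):
    """Proposed behaviour: gate the call on one named permission."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(user, *args, **kwargs):
            if not user.has_perm(perm):
                raise xmlrpc.client.Fault(
                    403, "User '%s' is missing permission '%s'." % (user.username, perm))
            return func(user, *args, **kwargs)
        return wrapper
    return decorator


@superuser_required
def set_config_old(user, hostname, config):
    return "%s: %s" % (hostname, config)


@permission_required("lava_scheduler_app.change_worker")  # assumed permission name
def set_config_new(user, hostname, config):
    return "%s: %s" % (hostname, config)
```

With this shape, the server admin can grant a worker-lab account the single permission it needs, while a superuser still passes every check.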