On Tue, 21 Aug 2018 at 22:46, Kevin Hilman khilman@baylibre.com wrote:
Hello,
When trying to use lavacli to add a remote worker, it works fine if the user is a superuser.
Adding remote workers to an instance would be an easy way to DDOS an instance by swamping the ZMQ ports with fake attempts - the process needs to be under the control of the admins of the instance.
If the remote worker is properly configured, it will register itself automatically - this is why encryption of the master:slave communication is so important. A LAVA master which is visible to the internet should always use encryption.
In most cases, the lavacli workers add command isn't required.
However, if I drop the superuser privileges and add just the privileges for adding workers, it fails with:
Unable to call 'workers.add': <Fault 403: "User 'testuser' is not superuser."
we even tried enabling all the permissions for that user, but leaving the superuser flag off, and it still fails.
The check is made at the remote end, in the XMLRPC.
Why does this require superuser and the specific permissions related to workers don't work?
Kevin _______________________________________________ Lava-users mailing list Lava-users@lists.linaro.org https://lists.linaro.org/mailman/listinfo/lava-users