Hello,

LAVA and more precisely the xmlrpc api in that case, are not using the Django fine grained permissions (https://docs.djangoproject.com/en/2.1/topics/auth/default/#default-permissions).
We are only using the is_superuser flag to know if a user is able or not to make the corresponding calls.

That's in fact a good idea to use the django permissions (like adding a decorator that calls has_perm("lava_scheduler_app.add_worker")) in the xmlrpc api.
If you have some time to write a patch about it, I will be happy to review it.


Cheers

2018-08-30 13:11 GMT+02:00 Jan-Simon Moeller <jsmoeller@linuxfoundation.org>:
Hi all!


Am 30.08.2018 um 09:38 schrieb Neil Williams:
>

    > Yes - with an up to date lava-master, (2018.5 and later IIRC,
    possibly a release or two earlier, I'd have to check) , the
    process is automatic.

    Thanks, that seems to work.

    The next blocker to having a non-superuser remote worker is the adding
    the dispatcher_ip, which also requires superuser privileges[1], and
    doesn't appear to have an individual user permission ACL.

    Assuming ZMQ encryption between master/slave, is it possible to have a
    remote worker without admin privileges?  Is this something that has
    been validated?


No. Adding and managing workers is solely a superuser task because such operations can fundamentally change the topology of the lab and undermine ongoing CI.

JSM: @Neil:  but for this we have the ACL's . So why not *enable* ppl to do this if they choose so by granting the ACL. The superuser flag is IMHO just a shortcut for 'ALL ACL'.

Here is the use-case:
- Remove lab being brought up. Keys exchanged, the remote lab should be able to register and manager its internal settings (like dispatcher_ip) .

dispatcher_ip is a good example. B/C the *server* admin does not need to know this. It is in the domain of the admin of the *worker lab*.

Jan-Simon



    Kevin

    [1]
    lab-slave-0_1  | Add dispatcher_ip 192.168.66.1 to lab-slave-0
    lab-slave-0_1  | Traceback (most recent call last):
    lab-slave-0_1  |   File "/usr/local/bin/setdispatcherip.py", line 11,
    in <module>
    lab-slave-0_1  |  server.scheduler.workers.set_config("%s" %
    sys.argv[2], "dispatcher_ip: %s" % sys.argv[3])
    lab-slave-0_1  |   File "/usr/lib/python2.7/xmlrpclib.py", line
    1243, in _call_
    lab-slave-0_1  |     return self._send(self._name, args)
    lab-slave-0_1  |   File "/usr/lib/python2.7/xmlrpclib.py", line 1602,
    in __request
    lab-slave-0_1  |     verbose=self.__verbose
    lab-slave-0_1  |   File "/usr/lib/python2.7/xmlrpclib.py", line
    1283, in request
    lab-slave-0_1  |     return self.single_request(host, handler,
    request_body, verbose)
    lab-slave-0_1  |   File "/usr/lib/python2.7/xmlrpclib.py", line 1316,
    in single_request
    lab-slave-0_1  |     return self.parse_response(response)
    lab-slave-0_1  |   File "/usr/lib/python2.7/xmlrpclib.py", line 1493,
    in parse_response
    lab-slave-0_1  |     return u.close()
    lab-slave-0_1  |   File "/usr/lib/python2.7/xmlrpclib.py", line
    800, in close
    lab-slave-0_1  |     raise Fault(**self._stack[0])
    lab-slave-0_1  | xmlrpclib.Fault: <Fault 403: "User 'nonadminuser' is
    not superuser.">



--

Neil Williams
=============
neil.williams@linaro.org <mailto:neil.williams@linaro.org>
http://www.linux.codehelp.co.uk/




--
Rémi Duraffort
LAVA Team