Hi,
I'm running a project which requires changes in device status in LAVA. It will request the device to be put into 'maintenance' and later on into 'good' state. Initially I was using my personal API token. Since I was a superuser it all worked. A few weeks ago I tried to move to a more permanent solution with a dedicated user. I granted all required access rights to the new user, but PUT calls to api/v0.2/devices/<device_name> were rejected. After looking at the code it seems that only superuser is allowed to make such calls. Is there a reason for that?
Changes were introduced in this commit: https://git.lavasoftware.org/lava/lava/-/commit/2bdbd462d745b45308faf86dd376...
Best Regards, Milosz
Hi Milosz,
The actions mentioned in the patch were not going through our own authorization mechanism, so they had to be limited in a hacky fashion. I can't recall the exact issue, but looking at this, it's not straightforward to implement. Simply removing this would allow everyone to do such requests.
The proper way to implement this would probably be to override devicetype, device and testjob models' save(), update() and delete() methods to introduce the auth permission checks there, then remove this part of the code that I've introduced.
HTH,
On 11/18/21 21:18, Milosz Wasilewski wrote: [quoted message above, elided]
Lava-users mailing list Lava-users@lists.lavasoftware.org https://lists.lavasoftware.org/mailman/listinfo/lava-users
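Stevan's suggestion above, as a self-contained sketch added here (this is example code, not LAVA's own): the superuser-only gate in the REST view is the "before" that Milosz ran into, and a permission check inside the model's save()/delete() is the "after". The User and Device classes are constructed stand-ins for the Django and LAVA models, and the permission codenames lava_scheduler_app.change_device / delete_device are assumptions following Django's default naming, not verified against the LAVA code base. A real implementation would override the Django model methods and call the project's own permission helpers.

```python
from dataclasses import dataclass, field

# Permission codenames: assumed for this example (Django's default
# "<app>.change_<model>" shape), not verified against LAVA's code base.
CHANGE_DEVICE = "lava_scheduler_app.change_device"
DELETE_DEVICE = "lava_scheduler_app.delete_device"


class PermissionDenied(Exception):
    """The acting user is not allowed to perform this write."""


@dataclass
class User:
    """Constructed stand-in for django.contrib.auth's User."""
    username: str
    is_superuser: bool = False
    permissions: set = field(default_factory=set)

    def has_perm(self, codename):
        # As in Django, a superuser implicitly holds every permission.
        return self.is_superuser or codename in self.permissions


class Device:
    """Constructed stand-in for LAVA's Device model (health field only)."""
    HEALTH_GOOD = "Good"
    HEALTH_MAINTENANCE = "Maintenance"

    def __init__(self, hostname, health=HEALTH_GOOD):
        self.hostname = hostname
        self.health = health
        self.deleted = False

    # 'After': authorization lives in the model, so every write path
    # (REST, XML-RPC, admin, manage.py shell) goes through the same check.
    def save(self, user=None):
        who = user.username if user else "anonymous"
        if user is None or not user.has_perm(CHANGE_DEVICE):
            raise PermissionDenied(f"{who!r} may not change {self.hostname}")
        return self

    def delete(self, user=None):
        who = user.username if user else "anonymous"
        if user is None or not user.has_perm(DELETE_DEVICE):
            raise PermissionDenied(f"{who!r} may not delete {self.hostname}")
        self.deleted = True


def put_health_superuser_gate(user, device, health):
    """'Before': the view-level gate. Anyone who is not a superuser
    gets 403, even if change_device has been granted to them."""
    if not user.is_superuser:
        return 403
    device.health = health
    device.save(user=user)
    return 200


def put_health_model_check(user, device, health):
    """'After': the view only translates PermissionDenied into 403;
    the decision itself is made by Device.save()."""
    previous = device.health
    device.health = health
    try:
        device.save(user=user)
    except PermissionDenied:
        device.health = previous  # nothing was persisted; undo the in-memory edit
        return 403
    return 200


def maintenance_cycle(user, device, put):
    """The use case from the thread: put a device into maintenance, then
    back to good. Returns the two HTTP status codes the caller would see."""
    return [
        put(user, device, Device.HEALTH_MAINTENANCE),
        put(user, device, Device.HEALTH_GOOD),
    ]


if __name__ == "__main__":
    bot = User("device-bot", permissions={CHANGE_DEVICE})
    print("superuser gate:", maintenance_cycle(bot, Device("qemu01"), put_health_superuser_gate))
    print("model check:   ", maintenance_cycle(bot, Device("qemu01"), put_health_model_check))
```

With the check in the model, a dedicated non-superuser account that holds change_device can run the maintenance/good cycle, an account without it is refused on every write path rather than only on the REST one, and the view no longer needs its own superuser test.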
On Fri, Nov 19, 2021 at 6:16 AM Stevan Radaković stevan.radakovic@linaro.org wrote: [quoted reply above, elided]
OK, got it. I'll try to find some time to fix it. Running everything as superuser isn't great.
milosz