Access Control List Management - autotest-rpc-client acl

The following actions are available to manage the ACLs:

# autotest-rpc-client acl help
usage: autotest-rpc-client acl [create|delete|list|add|rm] [options] <acls>

Creating an ACL

# autotest-rpc-client acl create help
usage: autotest-rpc-client acl create [options] <acls>

options:
  -h, --help            show this help message and exit
  -g, --debug           Print debugging information
  --kill-on-failure     Stop at the first failure
  --parse               Print the output using colon separated key=value
                        fields
  -v, --verbose
  -w WEB_SERVER, --web=WEB_SERVER
                        Specify the autotest server to talk to
  -d DESC, --desc=DESC  Creates the ACL with the DESCRIPTION

Only one ACL can be create at a time. You must specify the ACL name and its description:

# autotest-rpc-client acl create my_acl -d "For testing" -w autotest-dev
Created ACL:
        my_acl

Deleting an ACL

# autotest-rpc-client acl delete help
usage: autotest-rpc-client acl delete [options] <acls>

options:
  -h, --help            show this help message and exit
  -g, --debug           Print debugging information
  --kill-on-failure     Stop at the first failure
  --parse               Print the output using colon separated key=value
                        fields
  -v, --verbose
  -w WEB_SERVER, --web=WEB_SERVER
                        Specify the autotest server to talk to
  -a ACL_FLIST, --alist=ACL_FLIST
                        File listing the ACLs

You can delete multiple ACLs at a time. They can be specified on the command line or in a file, using the -a|--alist option.

autotest-rpc-client acl delete my_acl,my_acl_2
Deleted ACLs:
        my_acl, my_acl_2

Listing ACLs

# autotest-rpc-client acl list help
usage: autotest-rpc-client acl list [options] <acls>

options:
  -h, --help            show this help message and exit
  -g, --debug           Print debugging information
  --kill-on-failure     Stop at the first failure
  --parse               Print the output using colon separated key=value
                        fields
  -v, --verbose
  -w WEB_SERVER, --web=WEB_SERVER
                        Specify the autotest server to talk to
  -a ACL_FLIST, --alist=ACL_FLIST
                        File listing the ACLs
  -u USER, --user=USER  List ACLs containing USER
  -m MACHINE, --machine=MACHINE
                        List ACLs containing MACHINE

You can list all the ACLs, or filter on specific ACLs, users or machines (exclusively). The --verbose option provides the list of users and hosts belonging to the ACLs.

# autotest-rpc-client acl list -w autotest-dev
Name                     Description
Everyone
reserved-qual            Qualification machines
benchmarking_group       Benchmark machines
my_acl                   For testing

# autotest-rpc-client acl list -v -w autotest-dev
Name                     Description
Everyone
Hosts:
        qual0, qual1, qual2, qual3, qual4, host0, host1, host2, host3, host4
        bench0, bench1, bench2, bench3, bench4, test0
Users:
        user0, user1, user2, user3, user4


reserved-qual            Qualification machines
Hosts:
        qual0, qual1, qual2, qual3, qual4
Users:
        user0


benchmarking_group       Benchmark machines
Hosts:
        bench0, bench1, bench2, bench3, bench4
Users:
        user1, user2

my_acl                   For testing


# autotest-rpc-client acl list -w autotest-dev -u user0
Name                Description
Everyone
reserved-qual       Qualification machines


# autotest-rpc-client acl list -w autotest-dev -m bench0 -v
Name                   Description
Everyone
benchmarking_group     Benchmark machines
Hosts:
        bench0, bench1, bench2, bench3, bench4
Users:
        user1, user2

Adding Hosts or Users to an ACL

# autotest-rpc-client acl add help
usage: autotest-rpc-client acl add [options] <acls>

options:
  -h, --help            show this help message and exit
  -g, --debug           Print debugging information
  --kill-on-failure     Stop at the first failure
  --parse               Print the output using colon separated key=value
                        fields
  -v, --verbose
  -w WEB_SERVER, --web=WEB_SERVER
                        Specify the autotest server to talk to
  -a ACL_FLIST, --alist=ACL_FLIST
                        File listing the ACLs
  -u USER, --user=USER  Add USER(s) to the ACL
  --ulist=USER          File containing users to add to the ACL
  -m MACHINE, --machine=MACHINE
                        Add MACHINE(s) to the ACL
  --mlist=MACHINE       File containing machines to add to the ACL

You must specify at least one ACL and one machine or user.

# autotest-rpc-client acl add my_acl -u user0,user1 -v -w autotest-dev
Added to ACL my_acl user:
        user0, user1

# cat machine_list
host0 host1
host2
host3,host4

# autotest-rpc-client acl add my_acl --mlist machine_list -w autotest-dev
Added to ACL my_acl hosts:
        host0, host1, host2, host3, host4

# autotest-rpc-client acl list -w autotest-dev -v my*
Name    Description
my_acl  For testing
Hosts:
        host0, host1, host2, host3, host4
Users:
        user0, user1

Note the usage of wildcard to specify the ACL in the last example: my*

Removing Hosts or Users from an ACL

# autotest-rpc-client acl rm help
usage: autotest-rpc-client acl rm [options] <acls>

options:
  -h, --help            show this help message and exit
  -g, --debug           Print debugging information
  --kill-on-failure     Stop at the first failure
  --parse               Print the output using colon separated key=value
                        fields
  -v, --verbose
  -w WEB_SERVER, --web=WEB_SERVER
                        Specify the autotest server to talk to
  -a ACL_FLIST, --alist=ACL_FLIST
                        File listing the ACLs
  -u USER, --user=USER  Remove USER(s) from the ACL
  --ulist=USER          File containing users to remove from the ACL
  -m MACHINE, --machine=MACHINE
                        Remove MACHINE(s) from the ACL
  --mlist=MACHINE       File containing machines to remove from the ACL

The options are the same than for adding hosts or users. You must specify at least one ACL and one machine or user.

# autotest-rpc-client acl rm my_acl -m host3 -w autotest-dev
Removed from ACL my_acl host:
        host3

# autotest-rpc-client acl rm my_acl -u user0 -v -w autotest-dev
Removed from ACL my_acl user:
        user0

# autotest-rpc-client acl list -w autotest-dev -v my_*
Name    Description
my_acl  For testing
Hosts:
        host0, host1, host2, host4
Users:
        user1

# autotest-rpc-client acl delete my_acl -w autotest-dev
Deleted ACL:
        my_acl

Possible errors and troubleshooting

In case of error, add the -v option to gather more information.

Duplicate ACL:

# autotest-rpc-client acl create my_acl -d "For testing" -w autotest-dev
Operation add_acl_group failed for: my_acl

# autotest-rpc-client acl create my_acl -d "For testing" -w autotest-dev -v
Operation add_acl_group failed for: my_acl
        ValidationError: {'name': 'This value must be unique (my_acl)'}

Adding an unknown user or host:

# autotest-rpc-client acl add my_acl -u foo
Operation acl_group_add_users failed for: my_acl (foo)

# autotest-rpc-client acl add my_acl -u foo -v
Operation acl_group_add_users failed for: my_acl (foo)
        DoesNotExist: User matching query does not exist.

Removing an ACL requires that you are part of this ACL:

# autotest-rpc-client acl delete my_acl -w autotest-dev
Operation delete_acl_group failed for: my_acl

# autotest-rpc-client acl delete my_acl -w autotest-dev -v
Operation delete_acl_group failed for: my_acl
        AclAccessViolation: You do not have access to my_acl

# Adding yourself to the ACL:
# autotest-rpc-client acl add -u mylogin my_acl -w autotest-dev
Added to ACL my_acl user:
        mylogin

# autotest-rpc-client acl delete my_acl -w autotest-dev
Deleted ACL:
        my_acl