def recover_vo_root_identity(root_vo,
identity_key,
id_type,
email,
issuer,
default=False,
password=None,
vo='def'):
"""
Adds a membership association between identity and the root account for given VO.
:param root_vo: The VO whose root needs recovery
:param identity_key: The identity key name. For example x509 DN, or a username.
:param id_type: The type of the authentication (x509, gss, userpass, ssh, saml).
:param email: The Email address associated with the identity.
:param issuer: The issuer account.
:param default: If True, the account should be used by default with the provided identity.
:param password: Password if id_type is userpass.
:param vo: the VO to act on.
"""
kwargs = {}
if not has_permission(
issuer=issuer, vo=vo, action='recover_vo_root_identity',
kwargs=kwargs):
raise exception.AccessDenied(
'Account %s can not recover root identity' % (issuer))
account = InternalAccount('root', vo=root_vo)
return identity.add_account_identity(identity=identity_key,
type=IdentityType.from_sym(id_type),
default=default,
email=email,
account=account,
password=password)
def check_accounts(self, test_accounts):
db_identities = list_identities()
for account in test_accounts:
# check existence
db_account = get_account(account=account['account'])
assert_equal(db_account['account'], account['account'])
# check properties
email = account.get('email')
if email:
assert_equal(db_account['email'], account['email'])
# check identities
identities = account.get('identities')
if identities:
for identity in identities:
# check identity creation and identity-account association
identity_type = IdentityType.from_sym(identity['type'])
identity = identity['identity']
assert_in((identity, identity_type), db_identities)
accounts_for_identity = list_accounts_for_identity(
identity, identity_type)
assert_in(account['account'], accounts_for_identity)
# check removal of account
account = get_account(self.old_account_1)
assert_equal(account['status'], AccountStatus.DELETED)
# check removal of identities
accounts_for_identity = list_accounts_for_identity(
self.identity_to_be_removed, IdentityType.X509)
assert_true(account['account'] not in accounts_for_identity)
def add_account_identity(identity_key,
id_type,
account,
email,
issuer,
default=False,
password=None,
vo='def'):
"""
Adds a membership association between identity and account.
:param identity_key: The identity key name. For example x509 DN, or a username.
:param id_type: The type of the authentication (x509, gss, userpass, ssh, saml).
:param account: The account name.
:param email: The Email address associated with the identity.
:param issuer: The issuer account.
:param default: If True, the account should be used by default with the provided identity.
:param password: Password if id_type is userpass.
:param vo: the VO to act on.
"""
kwargs = {'identity': identity_key, 'type': id_type, 'account': account}
if not permission.has_permission(
issuer=issuer, vo=vo, action='add_account_identity',
kwargs=kwargs):
raise exception.AccessDenied(
'Account %s can not add account identity' % (issuer))
account = InternalAccount(account, vo=vo)
return identity.add_account_identity(identity=identity_key,
type=IdentityType.from_sym(id_type),
default=default,
email=email,
account=account,
password=password)
def import_identities(identities, account_name, old_identities, old_identity_account, account_email, session=None):
for identity in identities:
identity['type'] = IdentityType.from_sym(identity['type'])
missing_identities = [identity for identity in identities if (identity['identity'], identity['type']) not in old_identities]
missing_identity_account = [identity for identity in identities if (identity['identity'], identity['type'], account_name) not in old_identity_account]
to_be_removed_identity_account = [old_identity for old_identity in old_identity_account if (old_identity[0], old_identity[1], old_identity[2]) not in
[(identity['identity'], identity['type'], account_name) for identity in identities] and old_identity[2] == account_name]
# add missing identities
for identity in missing_identities:
identity_type = identity['type']
password = identity.get('password')
identity = identity['identity']
if identity_type == IdentityType.USERPASS:
identity_module.add_identity(identity=identity, password=password, email=account_email, type=identity_type, session=session)
elif identity_type == IdentityType.GSS or identity_type == IdentityType.SSH or identity_type == IdentityType.X509:
identity_module.add_identity(identity=identity, email=account_email, type=identity_type, session=session)
# add missing identity-account association
for identity in missing_identity_account:
identity_module.add_account_identity(identity['identity'], identity['type'], account_name, email=account_email, session=session)
# remove identities from account-identity association
for identity in to_be_removed_identity_account:
identity_module.del_account_identity(identity=identity[0], type=identity[1], account=identity[2], session=session)
def del_identity(identity_key, id_type):
"""
Deletes a user identity.
:param identity_key: The identity key name. For example x509 DN, or a username.
:param id_type: The type of the authentication (x509, gss, userpass).
"""
return identity.del_identity(identity_key, IdentityType.from_sym(id_type))
def get_default_account(identity_key, id_type):
"""
Returns the default account for this identity.
:param identity_key: The identity key name. For example x509 DN, or a username.
:param id_type: The type of the authentication (x509, gss, userpass, ssh).
"""
return identity.get_default_account(identity_key,
IdentityType.from_sym(id_type))
def add_identity(identity_key, id_type, email, password=None):
"""
Creates a user identity.
:param identity_key: The identity key name. For example x509 DN, or a username.
:param id_type: The type of the authentication (x509, gss, userpass, ssh, saml)
:param email: The Email address associated with the identity.
:param password: If type==userpass, this sets the password.
"""
return identity.add_identity(identity_key, IdentityType.from_sym(id_type), email, password=password)
def list_accounts_for_identity(identity_key, id_type):
"""
Returns a list of all accounts for an identity.
:param identity: The identity key name. For example x509 DN, or a username.
:param id_type: The type of the authentication (x509, gss, userpass, ssh).
returns: A list of all accounts for the identity.
"""
return identity.list_accounts_for_identity(identity_key,
IdentityType.from_sym(id_type))
def del_account_identity(identity_key, id_type, account):
"""
Removes a membership association between identity and account.
:param identity_key: The identity key name. For example x509 DN, or a username.
:param id_type: The type of the authentication (x509, gss, userpass).
:param account: The account name.
"""
return identity.del_account_identity(identity_key,
IdentityType.from_sym(id_type),
account)
def select_account_name(identitystr, identity_type, vo=None):
"""
Looks for account (and VO if not known) corresponding to the provided identity.
:param identitystr: identity string
:param identity_type: identity_type e.g. x509, saml, oidc, userpass
:returns: Tuple of None or account string, None or VO string or list of VO strings
"""
ui_account = None
if not MULTI_VO:
vo = 'def'
if vo is not None:
accounts = identity.list_accounts_for_identity(identitystr,
identity_type)
else:
internal_accounts = identity_core.list_accounts_for_identity(
identitystr, IdentityType.from_sym(identity_type))
accounts = [account.external for account in internal_accounts]
vos = [account.vo for account in internal_accounts]
if vos:
vos = list(set(vos))
# If we only have 1 VO that matches the identity use that, otherwise return all possible VOs so the user can choose
if len(vos) == 1:
vo = vos[0]
else:
return None, vos
if len(accounts) == 0:
return None, vo
# check if ui_account param is set
if 'ui_account' in input():
ui_account = input()['ui_account']
# if yes check if the accounts provided for users identity include this account
if not ui_account and 'account' in input():
ui_account = input()['account']
if ui_account:
if ui_account not in accounts:
return None, vo
else:
return ui_account, vo
else:
# try to set the default account to the user account, if not available take the first account.
def_account = accounts[0]
for account in accounts:
account_info = get_account_info(account, vo=vo)
if account_info.account_type == AccountType.USER:
def_account = account
break
selected_account = cookies().get('rucio-selected-account')
if (selected_account):
def_account = selected_account
ui_account = def_account
return ui_account, vo
def del_identity(identity_key, id_type, issuer):
"""
Deletes a user identity.
:param identity_key: The identity key name. For example x509 DN, or a username.
:param id_type: The type of the authentication (x509, gss, userpass, ssh, saml).
:param issuer: The issuer account.
"""
id_type = IdentityType.from_sym(id_type)
kwargs = {'accounts': identity.list_accounts_for_identity(identity_key, id_type)}
if not permission.has_permission(issuer=issuer, action='del_identity', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not delete identity' % (issuer))
return identity.del_identity(identity_key, id_type)
def del_account_identity(identity_key, id_type, account, issuer):
"""
Removes a membership association between identity and account.
:param identity_key: The identity key name. For example x509 DN, or a username.
:param id_type: The type of the authentication (x509, gss, userpass, ssh, saml).
:param account: The account name.
:param issuer: The issuer account.
"""
kwargs = {'account': account}
if not permission.has_permission(issuer=issuer, action='del_account_identity', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not delete account identity' % (issuer))
account = InternalAccount(account)
return identity.del_account_identity(identity_key, IdentityType.from_sym(id_type), account)
def add_vo(vo, description, password, email, session=None):
"""
Add a VO and setup a new root user.
New root user will have account name 'root' and a userpass identity with username: '******' and password from the rootpass parameter
:param vo: 3-letter unique tag for a VO.
:param descrition: Descriptive string for the VO (e.g. Full name).
:param email: Contact email for the VO.
:param password: The password to set for the root user of the new VO
:param session: The db session in use.
"""
if len(vo) != 3:
raise exception.RucioException('Invalid VO tag, must be 3 chars.')
new_vo = models.VO(vo=vo, description=description, email=email)
try:
new_vo.save(session=session)
except IntegrityError:
raise exception.Duplicate('VO {} already exists!'.format(vo))
except DatabaseError as error:
raise exception.RucioException(error.args)
from rucio.core.account import add_account, list_identities
from rucio.core.identity import add_account_identity
new_root = InternalAccount('root', vo=vo)
add_account(account=new_root,
type=AccountType.from_sym('SERVICE'),
email=email,
session=session)
add_account_identity(identity='root@{}'.format(vo),
type=IdentityType.from_sym('userpass'),
account=new_root,
email=email,
default=False,
password=password,
session=session)
for ident in list_identities(account=InternalAccount('super_root',
vo='def'),
session=session):
add_account_identity(identity=ident['identity'],
type=ident['type'],
account=new_root,
email='',
session=session)
