Ejemplo n.º 1
def check_host_editable(
    host, user=None,
    check_in_installing=False
):
    """Raise ``exception.Forbidden`` unless the host may be edited.

    Two gates are applied, in this order:

    1. State gate. With ``check_in_installing=True`` the only blocked case
       is a host whose state is ``'INSTALLING'``. With the default
       (``False``) the host must be flagged ``reinstall_os``.
    2. Ownership gate. A non-admin ``user`` must be the creator of the
       host, so that other users cannot change its attributes.

    The ownership gate is skipped when ``user`` is falsy. A caller acting
    on behalf of a request therefore has to pass the authenticated user;
    with ``user=None`` only the state gate is enforced.
    """
    if not check_in_installing:
        if not host.reinstall_os:
            raise exception.Forbidden(
                'host %s is not editable '
                'when not to be reinstalled' % host.name
            )
    elif host.state.state == 'INSTALLING':
        raise exception.Forbidden(
            'host %s is not editable '
            'when state is in installing' % host.name
        )

    # No user object: nothing to compare ownership against.
    if not user:
        return
    # Admins may edit any host.
    if user.is_admin:
        return
    if host.creator_id != user.id:
        raise exception.Forbidden(
            'host %s is not editable '
            'when user is not admin or the owner of the host' % host.name
        )
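def start_check_cluster_health(cluster_id,
                               send_report_url,
                               user=None,
                               session=None,
                               check_health=None):
    """Queue a health check for a cluster that finished deployment.

    Args:
        cluster_id: id passed to ``cluster_api.get_cluster_internal``.
        send_report_url: forwarded unchanged to the
            ``compass.tasks.cluster_health`` task.
            NOTE(review): if this value comes from a request, it should be
            validated against the expected report endpoint before it gets
            here -- confirm at the caller.
        user: the requesting user; ``user.email`` is sent to the task.
            Despite the ``None`` default, a ``None`` user raises
            ``AttributeError``.
        session: database session handed to the db helpers.
        check_health: unused by this function. The default is ``None``
            rather than a shared mutable ``{}``.

    Returns:
        A dict with the cluster id and a status message.

    Raises:
        exception.Forbidden: if the cluster state is not ``'SUCCESSFUL'``
            or a report in state ``'verifying'`` already exists.
    """
    cluster = cluster_api.get_cluster_internal(cluster_id, session=session)

    if cluster.state.state != 'SUCCESSFUL':
        logging.debug("state is %s", cluster.state.state)
        err_msg = "Healthcheck starts only after cluster finished deployment!"
        raise exception.Forbidden(err_msg)

    reports = utils.list_db_objects(session,
                                    models.HealthCheckReport,
                                    cluster_id=cluster.id,
                                    state='verifying')
    if reports:
        err_msg = 'Healthcheck in progress, please wait for it to complete!'
        raise exception.Forbidden(err_msg)

    # Resolve everything that can fail *before* the destructive delete
    # below, so a missing user or a broken task client does not wipe the
    # previous reports without a new check being queued.
    user_email = user.email
    from compass.tasks import client as celery_client

    # Clear all previous reports.
    # TODO(grace): the delete should be moved into celery task.
    # We should consider the case that celery task is down.
    utils.del_db_objects(session,
                         models.HealthCheckReport,
                         cluster_id=cluster.id)

    celery_client.celery.send_task('compass.tasks.cluster_health',
                                   (cluster.id, send_report_url, user_email))
    return {
        "cluster_id": cluster.id,
        "status": "start to check cluster health."
    }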
Ejemplo n.º 3
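def check_ip_available(subnet, ip):
    """Raise ``exception.Forbidden`` if *ip* is reserved in *subnet*.

    ``subnet.reserved_range`` is a comma-separated list whose entries are
    either a single IPv4 address or a ``start-end`` range. Ranges are
    inclusive at both ends and may be written in either order. An empty
    ``reserved_range`` reserves nothing.

    Args:
        subnet: object exposing ``reserved_range``.
        ip: the IPv4 address to test, as text or bytes.

    Raises:
        exception.Forbidden: if *ip* equals a reserved address or lies
            inside a reserved range.
    """
    def _as_int(address):
        # ipaddress wants text; bytes (the Python 2 ``str``) are decoded.
        if isinstance(address, bytes):
            address = address.decode()
        return int(ipaddress.IPv4Address(address))

    reserved = subnet.reserved_range
    if not reserved:
        return
    if isinstance(reserved, bytes):
        reserved = reserved.decode()

    ip_int = _as_int(ip)
    for entry in reserved.split(','):
        entry = entry.strip()
        if not entry:
            # Tolerate a trailing comma or doubled separator.
            continue
        bounds = entry.split('-')
        if len(bounds) == 2:
            # Inclusive comparison: the previous XOR test left the upper
            # bound of every range (and any "a-a" range) unreserved.
            low, high = sorted(_as_int(bound.strip()) for bound in bounds)
            is_reserved = low <= ip_int <= high
        elif len(bounds) == 1:
            is_reserved = ip_int == _as_int(bounds[0])
        else:
            # NOTE: entries with more than one '-' are skipped, as before.
            # That fails open; validating reserved_range where it is
            # stored would close the gap.
            continue
        if is_reserved:
            raise exception.Forbidden(
                'IP %s is reserved, reserved range: %s'
                % (ip, subnet.reserved_range)
            )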
Ejemplo n.º 4
def update_report(cluster_id, name, session=None, **kwargs):
    """Update a health check report that is not yet finished.

    The report is looked up with ``_get_report``; one whose state is
    ``'finished'`` is immutable and triggers ``exception.Forbidden``.
    Otherwise ``kwargs`` are handed to ``utils.update_db_object`` and its
    result is returned.

    NOTE(review): ``kwargs`` reach the update helper unfiltered in this
    function; presumably a decorator outside this excerpt restricts which
    fields may be written -- confirm.
    """
    target = _get_report(cluster_id, name, session=session)
    if target.state != 'finished':
        return utils.update_db_object(session, target, **kwargs)

    err_msg = 'Report cannot be updated if state is in "finished"'
    raise exception.Forbidden(err_msg)
Ejemplo n.º 5
 def wrapper(*args, **kwargs):
     # Admin gate in front of ``func``. The caller is read only from the
     # ``user`` keyword argument: a call with no ``user`` keyword (or
     # ``user=None``) is passed straight through, and a user passed
     # positionally is not seen by this check. Call sites serving requests
     # must therefore pass the authenticated user as ``user=...``.
     caller = kwargs.get('user')
     if caller is not None and not caller.is_admin:
         raise exception.Forbidden('User %s is not admin.' %
                                   (caller.email))
     return func(*args, **kwargs)
Ejemplo n.º 6
def _check_user_permission(user, permission, session=None):
    """Raise ``exception.Forbidden`` unless *user* holds *permission*.

    A falsy ``user`` is treated as an internal call and skips the check,
    and an admin passes without a lookup. Anyone else needs a
    ``models.UserPermission`` row matching their id and the permission
    name. Because a missing user disables the check, request-facing
    callers must always pass the authenticated user.
    """
    if not user:
        logging.info('empty user means the call is from internal')
        return
    if user.is_admin:
        return

    # The positional ``False`` presumably tells the helper to return a
    # falsy value rather than raise when no row matches -- confirm in
    # utils.get_db_object.
    granted = utils.get_db_object(
        session,
        models.UserPermission,
        False,
        user_id=user.id,
        name=permission.name,
    )
    if granted:
        return
    raise exception.Forbidden('user %s does not have permission %s' %
                              (user.email, permission.name))
Ejemplo n.º 7
        def wrapper(user_id, *args, **kwargs):
            # Admin-or-owner gate in front of ``func``. The caller is read
            # only from the ``user`` keyword argument; when it is absent
            # or None the call is passed through unchecked, so
            # request-facing call sites must pass the authenticated user
            # as ``user=...``.
            caller = kwargs.get('user')
            if caller is None:
                return func(user_id, *args, **kwargs)

            # The target user is loaded from the database, which needs the
            # session the surrounding call runs in.
            db_session = kwargs.get('session')
            if db_session is None:
                raise exception.DatabaseException(
                    'wrapper check_user_admin_or_owner is '
                    'not called in session')

            target = _get_user(user_id, session=db_session)
            if not caller.is_admin and caller.id != target.id:
                raise exception.Forbidden(
                    'User %s is not admin or the owner of user %s.' %
                    (caller.email, target.email))

            return func(user_id, *args, **kwargs)
Ejemplo n.º 8
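def update_user(user_id, user=None, session=None, **kwargs):
    """Update a user and return the updated user object.

    The fields named in ``kwargs`` are checked against an allow-list built
    from the caller's relation to the target account: an admin may set
    ``ADMIN_UPDATED_FIELDS``, the account owner may set
    ``SELF_UPDATED_FIELDS``, and an admin editing their own account gets
    the union. Any other field rejects the whole update.

    Args:
        user_id: id of the account to update.
        user: the caller. It is dereferenced unconditionally, so despite
            the ``None`` default a ``None`` user raises ``AttributeError``
            before anything is written (the call fails closed).
        session: database session handed to the db helpers.
        **kwargs: field names and new values.

    Raises:
        exception.Forbidden: if ``kwargs`` names a field the caller is
            not allowed to update.
    """
    # Named target_user so the local no longer shadows this function.
    target_user = _get_user(
        user_id,
        session=session,
    )
    allowed_fields = set()
    if user.is_admin:
        allowed_fields |= set(ADMIN_UPDATED_FIELDS)
    if user.id == target_user.id:
        allowed_fields |= set(SELF_UPDATED_FIELDS)
    unsupported_fields = set(kwargs) - allowed_fields
    if unsupported_fields:
        # Report the caller and the *target* account; the message used to
        # print the caller's e-mail in both places, which hid whose
        # account the rejected update was aimed at.
        raise exception.Forbidden(
            'User %s has no permission to update user %s fields %s.' %
            (user.email, target_user.email, unsupported_fields))
    return utils.update_db_object(session, target_user, **kwargs)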
Ejemplo n.º 9
def check_host_validated(host):
    """Raise ``exception.Forbidden`` unless ``host.config_validated`` is set."""
    if host.config_validated:
        return
    raise exception.Forbidden('host %s is not validated' % host.name)