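def authz(self, method, resource):
    """Check with Arborist that the caller may perform ``method`` on ``resource``.

    The caller's JWT (``get_jwt_token()``) is sent to Arborist for the
    ``indexd`` service. If the direct check does not grant access (or the
    request itself fails), the caller is checked against the indexd admin
    policy ``/services/indexd/admin``; when ``resource`` is empty, the
    deprecated ``/programs`` admin policy is tried as a last resort and a
    deprecation warning is logged if it is what granted access.

    Only a literal ``True`` from Arborist counts as a grant: a failed call is
    documented as yielding an ArboristError object rather than a bool, and an
    arbitrary (truthy) object must not be mistaken for "authorized".

    Args:
        method: the Arborist method (action) being requested.
        resource: the list of resource paths the request targets; may be empty.

    Raises:
        AuthError: Arborist is not configured (raised before any request).
        AuthzError: the caller is not authorized, or any error occurred while
            checking; the original exception is chained as ``__cause__``.
    """
    if not self.arborist:
        raise AuthError(
            "Arborist is not configured; cannot perform authorization check"
        )
    try:
        # A successful call from arborist returns a bool, else returns ArboristError.
        # Compare against True explicitly below so a returned error object
        # (truthy) fails closed instead of being treated as a grant.
        try:
            authorized = self.arborist.auth_request(
                get_jwt_token(), "indexd", method, resource
            )
        except Exception as e:
            logger.error(
                f"Request to Arborist failed; now checking admin access. Details:\n{e}"
            )
            authorized = False
        if authorized is not True:
            # admins can perform all operations
            is_admin = self.arborist.auth_request(
                get_jwt_token(), "indexd", method, ["/services/indexd/admin"]
            )
            if is_admin is not True and not resource:
                # if `authz` is empty (no `resource`), admin == access to
                # `/programs` (deprecated - for backwards compatibility).
                is_admin = self.arborist.auth_request(
                    get_jwt_token(), "indexd", method, ["/programs"]
                )
                if is_admin is True:
                    logger.warning(
                        "The indexd admin '/programs' logic is deprecated. Please update your policy to '/services/indexd/admin'"
                    )
            if is_admin is not True:
                raise AuthError("Permission denied.")
    except Exception as err:
        # Every failure inside the check (including the AuthError raised above)
        # is surfaced uniformly as AuthzError; `from err` preserves the cause
        # for debugging instead of discarding the traceback context.
        logger.error(err)
        raise AuthzError(err) from err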
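def authz(self, method, resource):
    """Check with Arborist that the caller may perform ``method`` on ``resource``.

    The caller's JWT (``get_jwt_token()``) is sent to Arborist for the
    ``indexd`` service. An empty ``resource`` is rejected outright (see the
    TODO below). Only a literal ``True`` from Arborist is treated as a grant,
    so an unexpected non-bool return (e.g. an error object) fails closed.

    Args:
        method: the Arborist method (action) being requested.
        resource: the list of resource paths the request targets.

    Raises:
        AuthError: Arborist is not configured, ``resource`` is empty, or
            Arborist did not grant access.
    """
    if not self.arborist:
        raise AuthError(
            "Arborist is not configured; cannot perform authorization check"
        )
    if not resource:
        # TODO: fix this. Setting authz to [] throws this error but
        # admins should be able to do it
        raise AuthError("Permission denied.")
    # Explicit `is not True` rather than truthiness: anything other than a
    # bool True from Arborist must be a denial.
    authorized = self.arborist.auth_request(
        get_jwt_token(), "indexd", method, resource
    )
    if authorized is not True:
        raise AuthError("Permission denied.")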
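def authz(self, method, resource):
    """Check with Arborist that the caller may perform ``method`` on ``resource``.

    The caller's JWT (``get_jwt_token()``) is sent to Arborist for the
    ``indexd`` service. When ``resource`` is empty, the check is performed
    against ``/programs`` instead so that admins can still operate on records
    with no ``authz``. Only a literal ``True`` from Arborist is treated as a
    grant, so an unexpected non-bool return (e.g. an error object) fails closed.

    Args:
        method: the Arborist method (action) being requested.
        resource: the list of resource paths the request targets; may be empty.

    Raises:
        AuthError: Arborist is not configured, or Arborist did not grant access.
    """
    if not self.arborist:
        raise AuthError(
            "Arborist is not configured; cannot perform authorization check"
        )
    if not resource:
        # if the `authz` is empty, admins should still be able to perform
        # operations on the record. For now, admin = access to `/programs`.
        # TODO: Figure out how to handle Gen3 operational admins in a better way
        resource = ["/programs"]
    # Explicit `is not True` rather than truthiness: anything other than a
    # bool True from Arborist must be a denial.
    authorized = self.arborist.auth_request(
        get_jwt_token(), "indexd", method, resource
    )
    if authorized is not True:
        raise AuthError("Permission denied.")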
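def authz(self, method, resource):
    """Check with Arborist that the caller may perform ``method`` on ``resource``.

    The caller's JWT (``get_jwt_token()``) is sent to Arborist for the
    ``indexd`` service. If the direct check does not grant access, the caller
    is checked against the indexd admin policy ``/services/indexd/admin``;
    when ``resource`` is empty, the deprecated ``/programs`` admin policy is
    tried as a last resort.

    Only a literal ``True`` from Arborist counts as a grant: a failed call is
    documented as yielding an ArboristError object rather than a bool, and an
    arbitrary (truthy) object must not be mistaken for "authorized".

    Args:
        method: the Arborist method (action) being requested.
        resource: the list of resource paths the request targets; may be empty.

    Raises:
        AuthError: Arborist is not configured (raised before any request).
        AuthzError: the caller is not authorized, or any error occurred while
            checking; the original exception is chained as ``__cause__``.
    """
    if not self.arborist:
        raise AuthError(
            "Arborist is not configured; cannot perform authorization check"
        )
    try:
        # A successful call from arborist returns a bool, else returns ArboristError.
        # Compare against True explicitly so a returned error object (truthy)
        # fails closed instead of being treated as a grant.
        authorized = self.arborist.auth_request(
            get_jwt_token(), "indexd", method, resource
        )
        if authorized is not True:
            # admins can perform all operations
            is_admin = self.arborist.auth_request(
                get_jwt_token(), "indexd", method, ["/services/indexd/admin"]
            )
            if is_admin is not True and not resource:
                # if `authz` is empty (no `resource`), admin == access to
                # `/programs` (deprecated - for backwards compatibility).
                is_admin = self.arborist.auth_request(
                    get_jwt_token(), "indexd", method, ["/programs"]
                )
            if is_admin is not True:
                raise AuthError("Permission denied.")
    except Exception as err:
        # Every failure inside the check (including the AuthError raised above)
        # is surfaced uniformly as AuthzError; `from err` preserves the cause
        # for debugging instead of discarding the traceback context.
        logger.error(err)
        raise AuthzError(err) from err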