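def test_site(self):
    """Check PDP decisions for an empty setup, one site and two storage elements.

    Every step calls pdp.setup() followed by pdp.takeDecision() and checks the
    'OK' flag of the result. The three named elements additionally pin the
    'Status' of the combined policy result.
    """
    pdp = PDP()

    # empty: no decision parameters at all
    pdp.setup(None)
    res = pdp.takeDecision()
    # assertTrue replaces assert_, a deprecated alias that recent unittest
    # releases no longer provide.
    self.assertTrue(res['OK'])

    # site
    # NOTE(review): the expected statuses presumably follow from the policy
    # configuration installed by the test fixture, which is not visible here.
    decisionParams = {
        'element': 'Site',
        'name': 'Site1',
        'elementType': None,
        'statusType': 'ReadAccess',
        'status': 'Active',
        'reason': None,
        'tokenOwner': None
    }
    pdp.setup(decisionParams)
    res = pdp.takeDecision()
    self.assertTrue(res['OK'])
    self.assertEqual(res['Value']['policyCombinedResult']['Status'], 'Banned')

    # mySE
    decisionParams = {
        'element': 'Resource',
        'name': 'mySE',
        'elementType': 'StorageElement',
        'statusType': 'ReadAccess',
        'status': 'Active',
        'reason': None,
        'tokenOwner': None
    }
    pdp.setup(decisionParams)
    res = pdp.takeDecision()
    self.assertTrue(res['OK'])
    self.assertEqual(res['Value']['policyCombinedResult']['Status'], 'Active')

    # SE1
    decisionParams = {
        'element': 'Resource',
        'name': 'SE1',
        'elementType': 'StorageElement',
        'statusType': 'ReadAccess',
        'status': 'Active',
        'reason': None,
        'tokenOwner': None
    }
    pdp.setup(decisionParams)
    res = pdp.takeDecision()
    self.assertTrue(res['OK'])
    self.assertEqual(res['Value']['policyCombinedResult']['Status'], 'Banned')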
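def test_site( self ):
    """Run the PDP over an empty setup and three ReadAccess elements.

    The empty setup only has to return an OK result. For each named element
    the combined policy result must carry the expected 'Status'.
    """
    pdp = PDP()

    # empty
    pdp.setup( None )
    # assertTrue is used instead of the deprecated assert_ alias, which newer
    # unittest versions have dropped.
    self.assertTrue( pdp.takeDecision()['OK'] )

    # ( element, name, elementType, expected combined status )
    expectations = (
        ( 'Site', 'Site1', None, 'Banned' ),               # site
        ( 'Resource', 'mySE', 'StorageElement', 'Active' ),  # mySE
        ( 'Resource', 'SE1', 'StorageElement', 'Banned' ),   # SE1
    )

    for element, name, elementType, expectedStatus in expectations:
        # A fresh dictionary per case, so nothing leaks from one setup to the next.
        decisionParams = {'element'     : element,
                          'name'        : name,
                          'elementType' : elementType,
                          'statusType'  : 'ReadAccess',
                          'status'      : 'Active',
                          'reason'      : None,
                          'tokenOwner'  : None}
        pdp.setup( decisionParams )
        res = pdp.takeDecision()
        self.assertTrue( res['OK'] )
        self.assertEqual( res['Value']['policyCombinedResult']['Status'], expectedStatus )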
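class PEP:
    '''
    PEP (Policy Enforcement Point) initialization

    :params:
      :attr:`granularity`       : string - a ValidElement (optional)
      :attr:`name`              : string - optional name (e.g. of a site)
      :attr:`status`            : string - optional status
      :attr:`formerStatus`      : string - optional former status
      :attr:`reason`            : string - optional reason for last status change
      :attr:`siteType`          : string - optional site type
      :attr:`serviceType`       : string - optional service type
      :attr:`resourceType`      : string - optional resource type
      :attr:`futureEnforcement` : optional
        [
          {
            'PolicyType': a PolicyType
            'Granularity': a ValidElement (optional)
          }
        ]
    '''

    def __init__( self, pdp = None, clients = None ):
        '''
        Store the clients and the PDP (Policy Decision Point) used by enforce.

        :params:
          :attr:`pdp`     : a custom PDP object (optional)
          :attr:`clients` : a dictionary containing modules corresponding to clients.
        '''
        if clients is None:
            clients = {}

        try:
            self.rsClient = clients[ 'ResourceStatusClient' ]
        except KeyError:
            self.rsClient = ResourceStatusClient()
        try:
            self.rmClient = clients[ 'ResourceManagementClient' ]
        except KeyError:
            self.rmClient = ResourceManagementClient()

        self.clients = clients

        # A caller-supplied PDP has to be kept as well: previously self.pdp was
        # only assigned when no PDP was given, so enforce() failed with an
        # AttributeError for every custom PDP.
        if not pdp:
            self.pdp = PDP( **clients )
        else:
            self.pdp = pdp

    def enforce( self, granularity = None, name = None, statusType = None,
                 status = None, formerStatus = None, reason = None,
                 siteType = None, serviceType = None, resourceType = None,
                 tokenOwner = None, useNewRes = False, knownInfo = None ):
        '''
        Enforce policies for the given set of keywords.

        The arguments are checked against the values RssConfiguration declares
        valid, the PDP is set up and asked for a decision, every single policy
        result is logged through the management client, and finally the
        actions matching the combined 'PolicyType' are run.

        :return: S_ERROR for an invalid argument, otherwise the dictionary
                 returned by the PDP.
        '''

        ## real ban flag #########################################################
        # RealBanAction below only runs when the token is owned by 'RS_SVC'.
        realBan = tokenOwner == 'RS_SVC'

        ## sanitize input ##########################################################
        ## IS IT REALLY NEEDED ??

        validElements = RssConfiguration.getValidElements()
        if granularity is not None and granularity not in validElements:
            return S_ERROR( 'Granularity "%s" not valid' % granularity )

        # NOTE(review): a statusType passed without a granularity indexes the
        # mapping with None. Confirm callers always pass both.
        validStatusTypes = RssConfiguration.getValidStatusTypes()
        if statusType is not None and statusType not in validStatusTypes[ granularity ]['StatusType']:
            return S_ERROR( 'StatusType "%s" not valid' % statusType )

        validStatus = RssConfiguration.getValidStatus()
        if status is not None and status not in validStatus:
            return S_ERROR( 'Status "%s" not valid' % status )

        validStatus = RssConfiguration.getValidStatus()
        if formerStatus is not None and formerStatus not in validStatus:
            return S_ERROR( 'FormerStatus "%s" not valid' % formerStatus )

        validSiteTypes = RssConfiguration.getValidSiteTypes()
        if siteType is not None and siteType not in validSiteTypes:
            return S_ERROR( 'SiteType "%s" not valid' % siteType )

        validServiceTypes = RssConfiguration.getValidServiceTypes()
        if serviceType is not None and serviceType not in validServiceTypes:
            return S_ERROR( 'ServiceType "%s" not valid' % serviceType )

        validResourceTypes = RssConfiguration.getValidResourceTypes()
        if resourceType is not None and resourceType not in validResourceTypes:
            return S_ERROR( 'ResourceType "%s" not valid' % resourceType )

        ## policy setup ############################################################

        self.pdp.setup( granularity = granularity, name = name,
                        statusType = statusType, status = status,
                        formerStatus = formerStatus, reason = reason,
                        siteType = siteType, serviceType = serviceType,
                        resourceType = resourceType, useNewRes = useNewRes )

        ## policy decision #########################################################

        resDecisions = self.pdp.takeDecision( knownInfo = knownInfo )

        ## record all results before doing anything else
        # __init__ never stores an 'rmClient' key, so the plain lookup raised
        # KeyError with the default clients. Fall back to the management
        # client resolved in __init__. An explicit 'rmClient' entry still wins.
        rmClient = self.clients.get( "rmClient", self.rmClient )
        for resP in resDecisions[ 'SinglePolicyResults' ]:

            if 'OLD' not in resP:
                # NOTE(review): `now` is not assigned anywhere in this method. It has
                # to come from module scope - confirm it exists.
                rmClient.insertPolicyResultLog( granularity, name,
                                                resP[ 'PolicyName' ], statusType,
                                                resP[ 'Status' ], resP[ 'Reason' ], now )
            else:
                gLogger.warn( 'OLD: %s' % resP )

        res = resDecisions[ 'PolicyCombinedResult' ]
        actionBaseMod = "DIRAC.ResourceStatusSystem.PolicySystem.Actions"

        # Security mechanism in case there is no PolicyType returned
        if res == {}:
            EmptyAction( granularity, name, statusType, resDecisions ).run()

        else:
            policyType = res[ 'PolicyType' ]

            if 'Resource_PolType' in policyType:
                action = Utils.voimport( '%s.ResourceAction' % actionBaseMod )
                action.ResourceAction( granularity, name, statusType, resDecisions,
                                       rsClient = self.rsClient,
                                       rmClient = self.rmClient ).run()

            if 'Alarm_PolType' in policyType:
                action = Utils.voimport( '%s.AlarmAction' % actionBaseMod )
                action.AlarmAction( granularity, name, statusType, resDecisions,
                                    Clients = self.clients,
                                    Params = {"Granularity"  : granularity,
                                              "SiteType"     : siteType,
                                              "ServiceType"  : serviceType,
                                              "ResourceType" : resourceType} ).run()

            # A real ban needs both the policy type and the RS_SVC token owner.
            if 'RealBan_PolType' in policyType and realBan:
                action = Utils.voimport( '%s.RealBanAction' % actionBaseMod )
                action.RealBanAction( granularity, name, resDecisions ).run()

        return resDecisions

################################################################################
#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF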
class PEP:
    """Policy Enforcement Point: asks the PDP for a decision and runs its actions."""

    def __init__(self, clients=None):
        """Keep the given clients, create the missing ones and build the PDP.

        :param clients: optional dictionary of client objects, keyed by
                        client name. The same dictionary is handed to the PDP.
        """
        if clients is None:
            clients = {}

        # Reuse a client passed in by the caller, otherwise create a new one.
        self.rsClient = (clients['ResourceStatusClient']
                         if 'ResourceStatusClient' in clients
                         else ResourceStatusClient())
        self.rmClient = (clients['ResourceManagementClient']
                         if 'ResourceManagementClient' in clients
                         else ResourceManagementClient())

        self.clients = clients
        self.pdp = PDP(clients)

    def enforce(self, decissionParams):
        """Take a decision for decissionParams and run every resulting action.

        :param decissionParams: parameters handed to PDP.setup.
        :return: the failed PDP result as is, otherwise S_OK wrapping the
                 decision dictionary returned by the PDP.
        """
        self.pdp.setup(decissionParams)

        decision = self.pdp.takeDecision()
        if not decision['OK']:
            gLogger.error(
                'PEP: Something went wrong, not enforcing policies for %s' %
                decissionParams)
            return decision
        resDecisions = decision['Value']

        # From here on use the decision parameters as the PDP reports them.
        decissionParams = resDecisions['decissionParams']
        policyCombinedResult = resDecisions['policyCombinedResult']
        singlePolicyResults = resDecisions['singlePolicyResults']

        actionsPath = 'DIRAC.ResourceStatusSystem.PolicySystem.Actions.%s'

        for actionName, actionType in policyCombinedResult['PolicyAction']:

            # actionType names both the module to import and the class inside it.
            # NOTE(review): it comes straight from the PDP result, so the set of
            # importable actions is presumably bounded by the policy
            # configuration - confirm.
            try:
                actionModule = Utils.voimport(actionsPath % actionType)
            except ImportError:
                gLogger.error('Error importing %s action' % actionType)
                continue

            try:
                actionClass = getattr(actionModule, actionType)
            except AttributeError:
                gLogger.error('Error importing %s action class' % actionType)
                continue

            actionObj = actionClass(actionName, decissionParams,
                                    policyCombinedResult, singlePolicyResults,
                                    self.clients)
            gLogger.debug((actionName, actionType))

            # A failing action is only logged. The remaining actions still run
            # and the method still returns S_OK.
            outcome = actionObj.run()
            if not outcome['OK']:
                gLogger.error(outcome['Message'])

        return S_OK(resDecisions)

################################################################################
#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF
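class PEP(object):
    """PEP ( Policy Enforcement Point )"""

    def __init__(self, clients=dict()):
        """Constructor

        examples:
          >>> pep = PEP()
          >>> pep1 = PEP( { 'ResourceStatusClient' : ResourceStatusClient() } )
          >>> pep2 = PEP( { 'ResourceStatusClient' : ResourceStatusClient(),
                            'ClientY'              : None } )

        :Parameters:
          **clients** - [ None, `dict` ]
            dictionary with clients to be used in the commands issued by the policies.
            If not defined, the commands will import them. It is a measure to avoid
            opening the same connection every time a policy is evaluated.

        :raises ImportError: when one of the three client classes cannot be loaded.
        """
        # The logger has to exist before the first loadObject call: the failure
        # branches below log through self.log, and with the assignment at the
        # end of the constructor they raised AttributeError instead of the
        # intended ImportError.
        self.log = gLogger

        # Work on a copy, so neither the caller's dictionary nor the shared
        # default argument is ever modified.
        self.clients = dict(clients)

        # Creating the client in the PEP is a convenience for the PDP, that uses
        # internally the RSS clients
        clientNames = ("ResourceStatusClient", "ResourceManagementClient", "SiteStatus")

        # Load all three classes first, so nothing is instantiated when any of
        # them is missing.
        clientClasses = {}
        for clientName in clientNames:
            res = ObjectLoader().loadObject("DIRAC.ResourceStatusSystem.Client.%s" % clientName)
            if not res["OK"]:
                self.log.error("Failed to load %s class: %s" % (clientName, res["Message"]))
                raise ImportError(res["Message"])
            clientClasses[clientName] = res["Value"]

        for clientName in clientNames:
            if clientName not in self.clients:
                self.clients[clientName] = clientClasses[clientName]()

        # Pass to the PDP the clients that are going to be used on the Commands
        self.pdp = PDP(self.clients)

    def enforce(self, decisionParams):
        """Given a dictionary with decisionParams, it is passed to the PDP, which
        will return ( in case there is a/are positive match/es ) a dictionary
        containing three key-pair values: the original decisionParams
        ( `decisionParams` ), all the policies evaluated ( `singlePolicyResults` )
        and the computed final result ( `policyCombinedResult` ).

        To know more about decisionParams, please read PDP.setup where the
        decisionParams are sanitized.

        examples:
          >>> pep.enforce( { 'element' : 'Site', 'name' : 'MySite' } )
          >>> pep.enforce( { 'element' : 'Resource', 'name' : 'myce.domain.ch' } )

        :Parameters:
          **decisionParams** - `dict`
            dictionary with the parameters that will be used to match policies.

        :return: S_OK() without a value for empty parameters, the failed result
                 of the PDP or of the update check, otherwise S_OK wrapping the
                 decision dictionary.
        """
        if not decisionParams:
            self.log.warn("No decision params...?")
            return S_OK()

        standardParamsDict = {
            "element": None,
            "name": None,
            "elementType": None,
            "statusType": None,
            "status": None,
            "reason": None,
            "tokenOwner": None,
            # Last parameter allows policies to be de-activated
            "active": "Active",
        }

        standardParamsDict.update(decisionParams)

        # Log under a sub-logger named after the element being enforced.
        if standardParamsDict["element"] is not None:
            self.log = gLogger.getSubLogger("PEP/%s" % standardParamsDict["element"])
            if standardParamsDict["name"] is not None:
                self.log = gLogger.getSubLogger(
                    "PEP/%s/%s" % (standardParamsDict["element"], standardParamsDict["name"])
                )
                self.log.verbose(
                    "Enforce - statusType: %s, status: %s"
                    % (standardParamsDict["statusType"], standardParamsDict["status"])
                )
        decisionParams = dict(standardParamsDict)

        # Setup PDP with new parameters dictionary
        self.pdp.setup(decisionParams)

        # Run policies, get decision, get actions to apply
        resDecisions = self.pdp.takeDecision()
        if not resDecisions["OK"]:
            self.log.error("Something went wrong, not enforcing policies", "%s" % decisionParams)
            return resDecisions
        resDecisions = resDecisions["Value"]

        # We take from PDP the decision parameters used to find the policies
        decisionParams = resDecisions["decisionParams"]
        policyCombinedResult = resDecisions["policyCombinedResult"]
        singlePolicyResults = resDecisions["singlePolicyResults"]

        # The policies have been evaluated and the actions are about to be
        # executed. One more final check before proceeding
        isNotUpdated = self.__isNotUpdated(decisionParams)
        if not isNotUpdated["OK"]:
            return isNotUpdated

        for policyActionName, policyActionType in policyCombinedResult["PolicyAction"]:

            # policyActionType names both the module to import and the class in it.
            # NOTE(review): it is taken from the PDP result, so the importable
            # actions are presumably bounded by the policy configuration - confirm.
            try:
                actionMod = Utils.voimport("DIRAC.ResourceStatusSystem.PolicySystem.Actions.%s" % policyActionType)
            except ImportError:
                self.log.error("Error importing %s action" % policyActionType)
                continue

            try:
                action = getattr(actionMod, policyActionType)
            except AttributeError:
                self.log.error("Error importing %s action class" % policyActionType)
                continue

            actionObj = action(
                policyActionName, decisionParams, policyCombinedResult, singlePolicyResults, self.clients
            )

            self.log.debug((policyActionName, policyActionType))

            # A failing action is only logged. Later actions still run and the
            # method still returns S_OK.
            actionResult = actionObj.run()
            if not actionResult["OK"]:
                self.log.error(actionResult["Message"])

        return S_OK(resDecisions)

    def __isNotUpdated(self, decisionParams):
        """Checks for the existence of the element as it was passed to the PEP. It may
        happen that while being the element processed by the PEP an user through the
        web interface or the CLI has updated the status for this particular element. As
        a result, the PEP would overwrite whatever the user had set.
        This check is not perfect, as still an user action can happen while executing
        the actions, but the probability is close to 0. However, if there is an action
        that takes seconds to be executed, this must be re-evaluated. !

        :Parameters:
          **decisionParams** - `dict`
            dictionary with the parameters that will be used to match policies

        :return: S_OK / S_ERROR

        """
        # Copy original dictionary and get rid of the keys we cannot pass as kwarg
        selectParams = dict(decisionParams)
        del selectParams["element"]
        del selectParams["active"]

        # We expect to have an exact match. If not, then something has changed and
        # we cannot proceed with the actions.
        if decisionParams["element"] == "Site":
            unchangedRow = self.clients["SiteStatus"].getSiteStatuses([decisionParams["name"]])
        else:
            unchangedRow = self.clients["ResourceStatusClient"].selectStatusElement(
                decisionParams["element"], "Status", **selectParams
            )

        if not unchangedRow["OK"]:
            return unchangedRow

        if not unchangedRow["Value"]:
            msg = "%(name)s  ( %(status)s / %(statusType)s ) has been updated after PEP started running" % selectParams
            self.log.error(msg)
            return S_ERROR(msg)

        return S_OK()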
class PEP:
    """ PEP ( Policy Enforcement Point )
    """

    def __init__(self, clients=None):
        """ Constructor

        examples:
          >>> pep = PEP()
          >>> pep1 = PEP( { 'ResourceStatusClient' : ResourceStatusClient() } )
          >>> pep2 = PEP( { 'ResourceStatusClient' : ResourceStatusClient(),
                            'ClientY'              : None } )

        :Parameters:
          **clients** - [ None, `dict` ]
            dictionary with clients to be used in the commands issued by the policies.
            If not defined, the commands will import them. It is a measure to avoid
            opening the same connection every time a policy is evaluated.

        """
        if clients is None:
            clients = {}

        # The PEP itself needs the ResourceStatusClient and the
        # ResourceManagementClient: take them from clients when present,
        # create them otherwise.
        self.rsClient = (clients['ResourceStatusClient']
                         if 'ResourceStatusClient' in clients
                         else ResourceStatusClient())
        self.rmClient = (clients['ResourceManagementClient']
                         if 'ResourceManagementClient' in clients
                         else ResourceManagementClient())

        self.clients = clients
        # The PDP receives the same clients, for use by the Commands.
        self.pdp = PDP(clients)

    def enforce(self, decisionParams):
        """ Hand decisionParams to the PDP and run the actions it decides on.

        On a positive match the PDP returns a dictionary with the decision
        parameters it used, all the policies evaluated
        ( `singlePolicyResults` ) and the computed final result
        ( `policyCombinedResult` ). See PDP.setup for how decisionParams are
        sanitized.

        examples:
          >>> pep.enforce( { 'element' : 'Site', 'name' : 'MySite' } )
          >>> pep.enforce( { 'element' : 'Resource', 'name' : 'myce.domain.ch' } )

        :Parameters:
          **decisionParams** - `dict`
            dictionary with the parameters that will be used to match policies.

        """
        self.pdp.setup(decisionParams)

        # Evaluate the policies: this yields the decision and the actions to apply.
        decision = self.pdp.takeDecision()
        if not decision['OK']:
            gLogger.error(
                'PEP: Something went wrong, not enforcing policies for %s' %
                decisionParams)
            return decision
        resDecisions = decision['Value']

        # Continue with the decision parameters as reported back by the PDP.
        decisionParams = resDecisions['decissionParams']
        policyCombinedResult = resDecisions['policyCombinedResult']
        singlePolicyResults = resDecisions['singlePolicyResults']

        # The policies are evaluated and the actions are next: verify first
        # that the element was not changed in the meantime.
        updateCheck = self.__isNotUpdated(decisionParams)
        if not updateCheck['OK']:
            return updateCheck

        actionsPath = 'DIRAC.ResourceStatusSystem.PolicySystem.Actions.%s'

        for actionName, actionType in policyCombinedResult['PolicyAction']:

            # actionType is both the module name and the class name.
            # NOTE(review): it is read from the PDP result, so what can be
            # imported here presumably depends on the policy configuration -
            # confirm.
            try:
                actionModule = Utils.voimport(actionsPath % actionType)
            except ImportError:
                gLogger.error('Error importing %s action' % actionType)
                continue

            try:
                actionClass = getattr(actionModule, actionType)
            except AttributeError:
                gLogger.error('Error importing %s action class' % actionType)
                continue

            actionObj = actionClass(actionName, decisionParams,
                                    policyCombinedResult, singlePolicyResults,
                                    self.clients)
            gLogger.debug((actionName, actionType))

            # Failures are logged only. The loop goes on and S_OK is returned.
            outcome = actionObj.run()
            if not outcome['OK']:
                gLogger.error(outcome['Message'])

        return S_OK(resDecisions)

    def __isNotUpdated(self, decisionParams):
        """ Check that the element still exists exactly as it was passed to the PEP.

        While the PEP processes an element, a user may update its status
        through the web interface or the CLI. The PEP would then overwrite
        whatever the user had set. The check is not perfect: a user action can
        still happen while the actions are executed, although the probability
        is close to 0. If an action ever takes seconds to run, this has to be
        re-evaluated.

        :Parameters:
          **decisionParams** - `dict`
            dictionary with the parameters that will be used to match policies

        :return: S_OK / S_ERROR

        """
        # 'element' is passed positionally and 'active' cannot be a kwarg.
        selectParams = decisionParams.copy()
        selectParams.pop('element')
        selectParams.pop('active')

        # Only an exact match means nothing has changed.
        row = self.rsClient.selectStatusElement(
            decisionParams['element'], 'Status', **selectParams)
        if not row['OK']:
            return row

        if row['Value']:
            return S_OK()

        msg = '%(name)s  ( %(status)s / %(statusType)s ) has been updated after PEP started running'
        return S_ERROR(msg % selectParams)

#...............................................................................
#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF
def test_site(self):
    """Check the combined PDP status for two sites and two storage elements.

    An empty setup only has to give an OK result. Each entry of the table
    below is set up on the same PDP and must produce the listed 'Status'.
    """
    pdp = PDP()

    # empty
    pdp.setup(None)
    res = pdp.takeDecision()
    self.assertTrue(res["OK"])

    # (decision parameters, expected combined status)
    cases = [
        # site
        (
            {
                "element": "Site",
                "name": "Site1",
                "elementType": None,
                "statusType": "ReadAccess",
                "status": "Active",
                "reason": None,
                "tokenOwner": None,
            },
            "Banned",
        ),
        # site2
        (
            {
                "element": "Site",
                "name": "Site2",
                "elementType": "CE",
                "statusType": "ReadAccess",
                "status": "Active",
                "domain": "test",
                "reason": None,
                "tokenOwner": None,
            },
            "Banned",
        ),
        # mySE
        (
            {
                "element": "Resource",
                "name": "mySE",
                "elementType": "StorageElement",
                "statusType": "ReadAccess",
                "status": "Active",
                "reason": None,
                "tokenOwner": None,
            },
            "Active",
        ),
        # SE1
        (
            {
                "element": "Resource",
                "name": "SE1",
                "elementType": "StorageElement",
                "statusType": "ReadAccess",
                "status": "Active",
                "reason": None,
                "tokenOwner": None,
            },
            "Banned",
        ),
    ]

    for decisionParams, expectedStatus in cases:
        pdp.setup(decisionParams)
        res = pdp.takeDecision()
        self.assertTrue(res["OK"])
        self.assertEqual(res["Value"]["policyCombinedResult"]["Status"], expectedStatus)
class PEP:
    """ PEP ( Policy Enforcement Point )
    """

    def __init__( self, clients = None ):
        """ Constructor

        examples:
          >>> pep = PEP()
          >>> pep1 = PEP( { 'ResourceStatusClient' : ResourceStatusClient() } )
          >>> pep2 = PEP( { 'ResourceStatusClient' : ResourceStatusClient(),
                            'ClientY'              : None } )

        :Parameters:
          **clients** - [ None, `dict` ]
            dictionary with clients to be used in the commands issued by the policies.
            If not defined, the commands will import them. It is a measure to avoid
            opening the same connection every time a policy is evaluated.

        """
        if clients is None:
            clients = {}

        # Two clients are used by the PEP itself. Each one is created here
        # unless the caller already provided it.
        if 'ResourceStatusClient' not in clients:
            self.rsClient = ResourceStatusClient()
        else:
            self.rsClient = clients[ 'ResourceStatusClient' ]

        if 'ResourceManagementClient' not in clients:
            self.rmClient = ResourceManagementClient()
        else:
            self.rmClient = clients[ 'ResourceManagementClient' ]

        self.clients = clients
        # The Commands run by the PDP use these clients too.
        self.pdp = PDP( clients )

    def enforce( self, decisionParams ):
        """ Pass decisionParams to the PDP and execute the actions it returns.

        When policies match, the PDP answers with a dictionary holding the
        decision parameters it used, every policy evaluated
        ( `singlePolicyResults` ) and the final computed result
        ( `policyCombinedResult` ). PDP.setup is where decisionParams are
        sanitized.

        examples:
          >>> pep.enforce( { 'element' : 'Site', 'name' : 'MySite' } )
          >>> pep.enforce( { 'element' : 'Resource', 'name' : 'myce.domain.ch' } )

        :Parameters:
          **decisionParams** - `dict`
            dictionary with the parameters that will be used to match policies.

        """
        pdp = self.pdp
        pdp.setup( decisionParams )

        # Policies are run here: the answer carries the decision and the actions.
        pdpAnswer = pdp.takeDecision()
        if not pdpAnswer[ 'OK' ]:
            gLogger.error( 'PEP: Something went wrong, not enforcing policies for %s' % decisionParams )
            return pdpAnswer
        resDecisions = pdpAnswer[ 'Value' ]

        # Use the decision parameters the PDP actually matched policies with.
        decisionParams       = resDecisions[ 'decissionParams' ]
        policyCombinedResult = resDecisions[ 'policyCombinedResult' ]
        singlePolicyResults  = resDecisions[ 'singlePolicyResults' ]

        # Last check before any action is executed: the element must be unchanged.
        stillCurrent = self.__isNotUpdated( decisionParams )
        if not stillCurrent[ 'OK' ]:
            return stillCurrent

        for nameAndType in policyCombinedResult[ 'PolicyAction' ]:
            policyActionName, policyActionType = nameAndType

            # The action type selects the module and the class of the same name.
            # NOTE(review): the value originates in the PDP result. Which
            # modules can be reached presumably depends on the policy
            # configuration - confirm.
            modulePath = 'DIRAC.ResourceStatusSystem.PolicySystem.Actions.%s' % policyActionType
            try:
                actionMod = Utils.voimport( modulePath )
            except ImportError:
                gLogger.error( 'Error importing %s action' % policyActionType )
                continue

            try:
                action = getattr( actionMod, policyActionType )
            except AttributeError:
                gLogger.error( 'Error importing %s action class' % policyActionType )
                continue

            actionObj = action( policyActionName, decisionParams, policyCombinedResult,
                                singlePolicyResults, self.clients )

            gLogger.debug( ( policyActionName, policyActionType ) )

            # An action that fails is logged and otherwise ignored.
            actionResult = actionObj.run()
            if actionResult[ 'OK' ]:
                continue
            gLogger.error( actionResult[ 'Message' ] )

        return S_OK( resDecisions )

    def __isNotUpdated( self, decisionParams ):
        """ Verify that the element is still stored as it was given to the PEP.

        A user can change the status of the element through the web interface
        or the CLI while the PEP is processing it, and the PEP would then
        overwrite that change. This check narrows the window but does not
        close it: a change made while the actions run goes unnoticed, which is
        very unlikely unless an action takes seconds to execute. In that case
        the check must be re-evaluated.

        :Parameters:
          **decisionParams** - `dict`
            dictionary with the parameters that will be used to match policies

        :return: S_OK / S_ERROR

        """
        # Work on a copy without the two keys that cannot be passed as kwargs.
        selectParams = decisionParams.copy()
        for key in ( 'element', 'active' ):
            del selectParams[ key ]

        # Anything other than an exact match means the element has changed,
        # and the actions must not be executed.
        unchangedRow = self.rsClient.selectStatusElement( decisionParams[ 'element' ],
                                                          'Status', **selectParams )
        if not unchangedRow[ 'OK' ]:
            return unchangedRow

        if unchangedRow[ 'Value' ]:
            return S_OK()

        msg = '%(name)s  ( %(status)s / %(statusType)s ) has been updated after PEP started running'
        return S_ERROR( msg % selectParams )

#...............................................................................
#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF
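class PEP:
    '''
    PEP (Policy Enforcement Point) initialization

    :params:
      :attr:`granularity`       : string - a ValidElement (optional)
      :attr:`name`              : string - optional name (e.g. of a site)
      :attr:`status`            : string - optional status
      :attr:`formerStatus`      : string - optional former status
      :attr:`reason`            : string - optional reason for last status change
      :attr:`siteType`          : string - optional site type
      :attr:`serviceType`       : string - optional service type
      :attr:`resourceType`      : string - optional resource type
      :attr:`futureEnforcement` : optional
        [
          {
            'PolicyType': a PolicyType
            'Granularity': a ValidElement (optional)
          }
        ]
    '''

    def __init__(self, pdp=None, clients=None):
        '''
        Keep the clients and the PDP (Policy Decision Point) that enforce uses.

        :params:
          :attr:`pdp`     : a custom PDP object (optional)
          :attr:`clients` : a dictionary containing modules corresponding to clients.
        '''
        if clients is None:
            clients = {}

        if 'ResourceStatusClient' in clients:
            self.rsClient = clients['ResourceStatusClient']
        else:
            self.rsClient = ResourceStatusClient()

        if 'ResourceManagementClient' in clients:
            self.rmClient = clients['ResourceManagementClient']
        else:
            self.rmClient = ResourceManagementClient()

        self.clients = clients

        # The PDP handed in by the caller was never stored, which left
        # self.pdp undefined and broke enforce(). Keep it, and only build a
        # default PDP when none is given.
        self.pdp = pdp if pdp else PDP(**clients)

    def enforce(self, granularity=None, name=None, statusType=None,
                status=None, formerStatus=None, reason=None, siteType=None,
                serviceType=None, resourceType=None, tokenOwner=None,
                useNewRes=False, knownInfo=None):
        '''
        Enforce policies for the given set of keywords.

        Arguments that are not None are validated against RssConfiguration.
        The PDP is then set up and asked for a decision, each single policy
        result is written to the policy result log, and the actions selected
        by the combined 'PolicyType' are run.

        :return: S_ERROR for the first invalid argument, otherwise the
                 dictionary returned by the PDP.
        '''

        ## real ban flag #########################################################
        # Only the 'RS_SVC' token owner enables RealBanAction further down.
        realBan = tokenOwner == 'RS_SVC'

        ## sanitize input ##########################################################
        ## IS IT REALLY NEEDED ??

        # ( label used in the error message, value, getter of the valid values )
        # The getters are only called for arguments that were actually given.
        # NOTE(review): a statusType given without a granularity indexes the
        # status type mapping with None - confirm callers always pass both.
        checks = (
            ('Granularity', granularity, RssConfiguration.getValidElements),
            ('StatusType', statusType,
             lambda: RssConfiguration.getValidStatusTypes()[granularity]['StatusType']),
            ('Status', status, RssConfiguration.getValidStatus),
            ('FormerStatus', formerStatus, RssConfiguration.getValidStatus),
            ('SiteType', siteType, RssConfiguration.getValidSiteTypes),
            ('ServiceType', serviceType, RssConfiguration.getValidServiceTypes),
            ('ResourceType', resourceType, RssConfiguration.getValidResourceTypes),
        )
        for label, value, getValid in checks:
            if value is not None and value not in getValid():
                return S_ERROR('%s "%s" not valid' % (label, value))

        ## policy setup ############################################################

        self.pdp.setup(granularity=granularity,
                       name=name,
                       statusType=statusType,
                       status=status,
                       formerStatus=formerStatus,
                       reason=reason,
                       siteType=siteType,
                       serviceType=serviceType,
                       resourceType=resourceType,
                       useNewRes=useNewRes)

        ## policy decision #########################################################

        resDecisions = self.pdp.takeDecision(knownInfo=knownInfo)

        ## record all results before doing anything else
        # The clients dictionary has no 'rmClient' entry unless a caller adds
        # one, so the bare lookup raised KeyError. Prefer such an entry when it
        # exists and fall back to the client resolved in __init__.
        resultLogClient = self.clients.get("rmClient", self.rmClient)
        for resP in resDecisions['SinglePolicyResults']:
            if 'OLD' in resP:
                gLogger.warn('OLD: %s' % resP)
                continue
            # NOTE(review): `now` is not assigned in this method and must be
            # provided by module scope - confirm it exists.
            resultLogClient.insertPolicyResultLog(
                granularity, name, resP['PolicyName'], statusType,
                resP['Status'], resP['Reason'], now)

        res = resDecisions['PolicyCombinedResult']
        actionBaseMod = "DIRAC.ResourceStatusSystem.PolicySystem.Actions"

        # Security mechanism in case there is no PolicyType returned
        if res == {}:
            EmptyAction(granularity, name, statusType, resDecisions).run()
            return resDecisions

        policyType = res['PolicyType']

        if 'Resource_PolType' in policyType:
            action = Utils.voimport('%s.ResourceAction' % actionBaseMod)
            action.ResourceAction(granularity,
                                  name,
                                  statusType,
                                  resDecisions,
                                  rsClient=self.rsClient,
                                  rmClient=self.rmClient).run()

        if 'Alarm_PolType' in policyType:
            action = Utils.voimport('%s.AlarmAction' % actionBaseMod)
            action.AlarmAction(granularity,
                               name,
                               statusType,
                               resDecisions,
                               Clients=self.clients,
                               Params={
                                   "Granularity": granularity,
                                   "SiteType": siteType,
                                   "ServiceType": serviceType,
                                   "ResourceType": resourceType
                               }).run()

        # Both conditions are required: the policy type and the RS_SVC token owner.
        if 'RealBan_PolType' in policyType and realBan:
            action = Utils.voimport('%s.RealBanAction' % actionBaseMod)
            action.RealBanAction(granularity, name, resDecisions).run()

        return resDecisions

################################################################################
#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF#EOF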