def list_account_attributes(account):
"""
Returns all the attributes for the given account.
:param account: The account name.
"""
return account_core.list_account_attributes(account)
def perm_get_global_account_usage(issuer, kwargs):
"""
Checks if an account can get the account usage of an account.
:param issuer: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:returns: True if account is allowed, otherwise False
"""
if _is_root(issuer) or has_account_attribute(
account=issuer, key='admin') or kwargs.get('account') == issuer:
return True
# Check if user is a country admin for all involved countries
for kv in list_account_attributes(account=issuer):
if kv['key'].startswith('country-') and kv['value'] == 'admin':
return True
return False
def perm_get_local_account_usage(issuer, kwargs, session=None):
"""
Checks if an account can get the account usage of an account.
:param issuer: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:param session: The DB session to use
:returns: True if account is allowed, otherwise False
"""
if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session) \
or kwargs.get('account') == issuer or has_account_attribute(account=issuer, key='get_local_account_usage', session=session):
return True
# Check if user is a country admin
for kv in list_account_attributes(account=issuer, session=session):
if kv['key'].startswith('country-') and kv['value'] == 'admin':
return True
return False
def perm_delete_account_limit(issuer, kwargs):
"""
Checks if an account can delete an account limit.
:param account: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:returns: True if account is allowed, otherwise False
"""
if issuer == 'root' or has_account_attribute(account=issuer, key='admin'):
return True
# Check if user is a country admin
admin_in_country = []
for kv in list_account_attributes(account=issuer):
if kv['key'].startswith('country-') and kv['value'] == 'admin':
admin_in_country.append(kv['key'].partition('-')[2])
if admin_in_country and list_rse_attributes(rse=kwargs['rse'], rse_id=None).get('country') in admin_in_country:
return True
return False
def perm_update_rule(issuer, kwargs):
"""
Checks if an issuer can update a replication rule.
:param issuer: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:returns: True if account is allowed to call the API call, otherwise False
"""
# Admin accounts can do everything
if issuer == 'root' or has_account_attribute(account=issuer, key='admin'):
return True
# Only admin accounts can change account, state, priority of a rule
if 'account' in kwargs['options'] or\
'state' in kwargs['options'] or\
'priority' in kwargs['options'] or\
'child_rule_id' in kwargs['options'] or\
'meta' in kwargs['options']:
return False # Only priv accounts are allowed to change that
# Country admins are allowed to change the rest.
admin_in_country = []
for kv in list_account_attributes(account=issuer):
if kv['key'].startswith('country-') and kv['value'] == 'admin':
admin_in_country.append(kv['key'].partition('-')[2])
rule = get_rule(rule_id=kwargs['rule_id'])
rses = parse_expression(rule['rse_expression'])
if admin_in_country:
for rse in rses:
if list_rse_attributes(
rse=None,
rse_id=rse['id']).get('country') in admin_in_country:
return True
# Only admin and country-admin are allowed to change locked state of rule
if 'locked' in kwargs['options']:
return False
# Owner can change the rest of a rule
if get_rule(kwargs['rule_id'])['account'] == issuer:
return True
return False
def perm_move_rule(issuer, kwargs):
"""
Checks if an issuer can move a replication rule.
:param issuer: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:returns: True if account is allowed to call the API call, otherwise False
"""
# Admin accounts can do everything
if issuer == 'root' or has_account_attribute(account=issuer, key='admin'):
return True
# Country admins are allowed to change the but need to be admin for the original, as well as future rule
admin_in_country = []
for kv in list_account_attributes(account=issuer):
if kv['key'].startswith('country-') and kv['value'] == 'admin':
admin_in_country.append(kv['key'].partition('-')[2])
admin_source = False
admin_destination = False
if admin_in_country:
rule = get_rule(rule_id=kwargs['rule_id'])
rses = parse_expression(rule['rse_expression'])
for rse in rses:
if list_rse_attributes(
rse=None,
rse_id=rse['id']).get('country') in admin_in_country:
admin_source = True
break
rses = parse_expression(kwargs['rse_expression'])
for rse in rses:
if list_rse_attributes(
rse=None,
rse_id=rse['id']).get('country') in admin_in_country:
admin_destination = True
break
if admin_source and admin_destination:
return True
return False
def perm_set_local_account_limit(issuer, kwargs, session=None):
"""
Checks if an account can set an account limit.
:param account: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:param session: The DB session to use
:returns: True if account is allowed, otherwise False
"""
if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
return True
# Check if user is a country admin
admin_in_country = []
for kv in list_account_attributes(account=issuer, session=session):
if kv['key'].startswith('country-') and kv['value'] == 'admin':
admin_in_country.append(kv['key'].partition('-')[2])
if admin_in_country and list_rse_attributes(rse_id=kwargs['rse_id'], session=session).get('country') in admin_in_country:
return True
return False
def perm_set_global_account_limit(issuer, kwargs):
"""
Checks if an account can set a global account limit.
:param account: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:returns: True if account is allowed, otherwise False
"""
if _is_root(issuer) or has_account_attribute(account=issuer, key='admin'):
return True
# Check if user is a country admin
admin_in_country = set()
for kv in list_account_attributes(account=issuer):
if kv['key'].startswith('country-') and kv['value'] == 'admin':
admin_in_country.add(kv['key'].partition('-')[2])
resolved_rse_countries = {list_rse_attributes(rse_id=rse['rse_id']).get('country') for rse in parse_expression(kwargs['rse_exp'])}
if resolved_rse_countries.issubset(admin_in_country):
return True
return False
def perm_del_rse_attribute(issuer, kwargs):
"""
Checks if an account can delete a RSE attribute.
:param issuer: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:returns: True if account is allowed, otherwise False
"""
if issuer == 'root' or has_account_attribute(account=issuer, key='admin'):
return True
if kwargs['key'] in ['rule_deleters', 'auto_approve_bytes', 'auto_approve_files', 'rule_approvers', 'default_account_limit_bytes', 'default_limit_files', 'block_manual_approve']:
# Check if user is a country admin
admin_in_country = []
for kv in list_account_attributes(account=issuer):
if kv['key'].startswith('country-') and kv['value'] == 'admin':
admin_in_country.append(kv['key'].partition('-')[2])
if admin_in_country:
if list_rse_attributes(rse=kwargs['rse']).get('country') in admin_in_country:
return True
return False
def perm_add_bad_pfns(issuer, kwargs):
"""
Checks if an account can declare bad PFNs.
:param issuer: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:returns: True if account is allowed, otherwise False
"""
if kwargs['state'] in [
BadPFNStatus.BAD.name, BadPFNStatus.TEMPORARY_UNAVAILABLE.name
]:
is_cloud_admin = bool([
acc_attr for acc_attr in list_account_attributes(account=issuer)
if (acc_attr['key'].startswith('cloud-')) and (
acc_attr['value'] == 'admin')
])
return _is_root(issuer) or has_account_attribute(
account=issuer, key='admin') or is_cloud_admin
elif kwargs['state'] == BadPFNStatus.SUSPICIOUS.name:
return True
return _is_root(issuer)
def perm_delete_global_account_limit(issuer, kwargs, session=None):
"""
Checks if an account can delete a global account limit.
:param issuer: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:param session: The DB session to use
:returns: True if account is allowed, otherwise False
"""
if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
return True
# Check if user is a country admin
admin_in_country = set()
for kv in list_account_attributes(account=issuer, session=session):
if kv['key'].startswith('country-') and kv['value'] == 'admin':
admin_in_country.add(kv['key'].partition('-')[2])
if admin_in_country:
resolved_rse_countries = {list_rse_attributes(rse_id=rse['rse_id'], session=session).get('country')
for rse in parse_expression(kwargs['rse_expression'], filter_={'vo': issuer.vo}, session=session)}
if resolved_rse_countries.issubset(admin_in_country):
return True
return False
def perm_set_local_account_limit(issuer, kwargs):
"""
Checks if an account can set an account limit.
:param account: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:returns: True if account is allowed, otherwise False
"""
if _is_root(issuer) or has_account_attribute(account=issuer, key='admin'):
return True
# Check if user is a country admin
admin_in_country = []
for kv in list_account_attributes(account=issuer):
if kv['key'].startswith('country-') and kv['value'] == 'admin':
admin_in_country.append(kv['key'].partition('-')[2])
rse_attr = list_rse_attributes(rse_id=kwargs['rse_id'])
if admin_in_country and rse_attr.get('country') in admin_in_country:
return True
quota_approvers = rse_attr.get('quota_approvers', None)
if quota_approvers and issuer.external in quota_approvers.split(','):
return True
return False
def perm_update_replicas_states(issuer, kwargs):
"""
Checks if an account can delete replicas.
:param issuer: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:returns: True if account is allowed, otherwise False
"""
rse = str(kwargs.get('rse', ''))
phys_group = []
for kv in list_account_attributes(account=issuer):
if kv['key'].startswith('group-') and kv['value'] in ['admin', 'user']:
phys_group.append(kv['key'].partition('-')[2])
rse_attr = list_rse_attributes(rse=rse)
if phys_group:
if rse_attr.get('type', '') == 'GROUPDISK':
if rse_attr.get('physgroup', '') in phys_group:
return True
else:
return rse_attr.get('type', '') in ['SCRATCHDISK', 'MOCK', 'LOCALGROUPDISK', 'TEST']\
or issuer == 'root'\
or has_account_attribute(account=issuer, key='admin')
def perm_del_rule(issuer, kwargs):
"""
Checks if an issuer can delete a replication rule.
:param issuer: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:returns: True if account is allowed to call the API call, otherwise False
"""
if issuer == 'root' or issuer == 'ddmadmin':
return True
if get_rule(kwargs['rule_id'])['account'] == issuer:
return True
# Check if user is a country admin
admin_in_country = []
for kv in list_account_attributes(account=issuer):
if kv['key'].startswith('country-') and kv['value'] == 'admin':
admin_in_country.append(kv['key'].partition('-')[2])
rule = get_rule(rule_id=kwargs['rule_id'])
rses = parse_expression(rule['rse_expression'])
if admin_in_country:
for rse in rses:
if list_rse_attributes(
rse=None,
rse_id=rse['id']).get('country') in admin_in_country:
return True
# DELETERS can approve the rule
for rse in rses:
rse_attr = list_rse_attributes(rse=None, rse_id=rse['id'])
if rse_attr.get('rule_deleters'):
if issuer in rse_attr.get('rule_deleters').split(','):
return True
return False
def perm_declare_bad_file_replicas(issuer, kwargs):
"""
Checks if an account can declare bad file replicas.
:param issuer: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:returns: True if account is allowed, otherwise False
"""
is_cloud_admin = bool(filter(lambda x: (x['key'].startswith('cloud-')) and (x['value'] == 'admin'), list_account_attributes(account=issuer)))
return issuer == 'root' or has_account_attribute(account=issuer, key='admin') or is_cloud_admin
