def list_account_attributes(account): """ Returns all the attributes for the given account. :param account: The account name. """ return account_core.list_account_attributes(account)
def perm_get_global_account_usage(issuer, kwargs): """ Checks if an account can get the account usage of an account. :param issuer: Account identifier which issues the command. :param kwargs: List of arguments for the action. :returns: True if account is allowed, otherwise False """ if _is_root(issuer) or has_account_attribute( account=issuer, key='admin') or kwargs.get('account') == issuer: return True # Check if user is a country admin for all involved countries for kv in list_account_attributes(account=issuer): if kv['key'].startswith('country-') and kv['value'] == 'admin': return True return False
def perm_get_local_account_usage(issuer, kwargs, session=None): """ Checks if an account can get the account usage of an account. :param issuer: Account identifier which issues the command. :param kwargs: List of arguments for the action. :param session: The DB session to use :returns: True if account is allowed, otherwise False """ if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session) \ or kwargs.get('account') == issuer or has_account_attribute(account=issuer, key='get_local_account_usage', session=session): return True # Check if user is a country admin for kv in list_account_attributes(account=issuer, session=session): if kv['key'].startswith('country-') and kv['value'] == 'admin': return True return False
def perm_delete_account_limit(issuer, kwargs): """ Checks if an account can delete an account limit. :param account: Account identifier which issues the command. :param kwargs: List of arguments for the action. :returns: True if account is allowed, otherwise False """ if issuer == 'root' or has_account_attribute(account=issuer, key='admin'): return True # Check if user is a country admin admin_in_country = [] for kv in list_account_attributes(account=issuer): if kv['key'].startswith('country-') and kv['value'] == 'admin': admin_in_country.append(kv['key'].partition('-')[2]) if admin_in_country and list_rse_attributes(rse=kwargs['rse'], rse_id=None).get('country') in admin_in_country: return True return False
def perm_update_rule(issuer, kwargs): """ Checks if an issuer can update a replication rule. :param issuer: Account identifier which issues the command. :param kwargs: List of arguments for the action. :returns: True if account is allowed to call the API call, otherwise False """ # Admin accounts can do everything if issuer == 'root' or has_account_attribute(account=issuer, key='admin'): return True # Only admin accounts can change account, state, priority of a rule if 'account' in kwargs['options'] or\ 'state' in kwargs['options'] or\ 'priority' in kwargs['options'] or\ 'child_rule_id' in kwargs['options'] or\ 'meta' in kwargs['options']: return False # Only priv accounts are allowed to change that # Country admins are allowed to change the rest. admin_in_country = [] for kv in list_account_attributes(account=issuer): if kv['key'].startswith('country-') and kv['value'] == 'admin': admin_in_country.append(kv['key'].partition('-')[2]) rule = get_rule(rule_id=kwargs['rule_id']) rses = parse_expression(rule['rse_expression']) if admin_in_country: for rse in rses: if list_rse_attributes( rse=None, rse_id=rse['id']).get('country') in admin_in_country: return True # Only admin and country-admin are allowed to change locked state of rule if 'locked' in kwargs['options']: return False # Owner can change the rest of a rule if get_rule(kwargs['rule_id'])['account'] == issuer: return True return False
def perm_move_rule(issuer, kwargs): """ Checks if an issuer can move a replication rule. :param issuer: Account identifier which issues the command. :param kwargs: List of arguments for the action. :returns: True if account is allowed to call the API call, otherwise False """ # Admin accounts can do everything if issuer == 'root' or has_account_attribute(account=issuer, key='admin'): return True # Country admins are allowed to change the but need to be admin for the original, as well as future rule admin_in_country = [] for kv in list_account_attributes(account=issuer): if kv['key'].startswith('country-') and kv['value'] == 'admin': admin_in_country.append(kv['key'].partition('-')[2]) admin_source = False admin_destination = False if admin_in_country: rule = get_rule(rule_id=kwargs['rule_id']) rses = parse_expression(rule['rse_expression']) for rse in rses: if list_rse_attributes( rse=None, rse_id=rse['id']).get('country') in admin_in_country: admin_source = True break rses = parse_expression(kwargs['rse_expression']) for rse in rses: if list_rse_attributes( rse=None, rse_id=rse['id']).get('country') in admin_in_country: admin_destination = True break if admin_source and admin_destination: return True return False
def perm_set_local_account_limit(issuer, kwargs, session=None): """ Checks if an account can set an account limit. :param account: Account identifier which issues the command. :param kwargs: List of arguments for the action. :param session: The DB session to use :returns: True if account is allowed, otherwise False """ if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session): return True # Check if user is a country admin admin_in_country = [] for kv in list_account_attributes(account=issuer, session=session): if kv['key'].startswith('country-') and kv['value'] == 'admin': admin_in_country.append(kv['key'].partition('-')[2]) if admin_in_country and list_rse_attributes(rse_id=kwargs['rse_id'], session=session).get('country') in admin_in_country: return True return False
def perm_set_global_account_limit(issuer, kwargs): """ Checks if an account can set a global account limit. :param account: Account identifier which issues the command. :param kwargs: List of arguments for the action. :returns: True if account is allowed, otherwise False """ if _is_root(issuer) or has_account_attribute(account=issuer, key='admin'): return True # Check if user is a country admin admin_in_country = set() for kv in list_account_attributes(account=issuer): if kv['key'].startswith('country-') and kv['value'] == 'admin': admin_in_country.add(kv['key'].partition('-')[2]) resolved_rse_countries = {list_rse_attributes(rse_id=rse['rse_id']).get('country') for rse in parse_expression(kwargs['rse_exp'])} if resolved_rse_countries.issubset(admin_in_country): return True return False
def perm_del_rse_attribute(issuer, kwargs): """ Checks if an account can delete a RSE attribute. :param issuer: Account identifier which issues the command. :param kwargs: List of arguments for the action. :returns: True if account is allowed, otherwise False """ if issuer == 'root' or has_account_attribute(account=issuer, key='admin'): return True if kwargs['key'] in ['rule_deleters', 'auto_approve_bytes', 'auto_approve_files', 'rule_approvers', 'default_account_limit_bytes', 'default_limit_files', 'block_manual_approve']: # Check if user is a country admin admin_in_country = [] for kv in list_account_attributes(account=issuer): if kv['key'].startswith('country-') and kv['value'] == 'admin': admin_in_country.append(kv['key'].partition('-')[2]) if admin_in_country: if list_rse_attributes(rse=kwargs['rse']).get('country') in admin_in_country: return True return False
def perm_add_bad_pfns(issuer, kwargs): """ Checks if an account can declare bad PFNs. :param issuer: Account identifier which issues the command. :param kwargs: List of arguments for the action. :returns: True if account is allowed, otherwise False """ if kwargs['state'] in [ BadPFNStatus.BAD.name, BadPFNStatus.TEMPORARY_UNAVAILABLE.name ]: is_cloud_admin = bool([ acc_attr for acc_attr in list_account_attributes(account=issuer) if (acc_attr['key'].startswith('cloud-')) and ( acc_attr['value'] == 'admin') ]) return _is_root(issuer) or has_account_attribute( account=issuer, key='admin') or is_cloud_admin elif kwargs['state'] == BadPFNStatus.SUSPICIOUS.name: return True return _is_root(issuer)
def perm_delete_global_account_limit(issuer, kwargs, session=None): """ Checks if an account can delete a global account limit. :param issuer: Account identifier which issues the command. :param kwargs: List of arguments for the action. :param session: The DB session to use :returns: True if account is allowed, otherwise False """ if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session): return True # Check if user is a country admin admin_in_country = set() for kv in list_account_attributes(account=issuer, session=session): if kv['key'].startswith('country-') and kv['value'] == 'admin': admin_in_country.add(kv['key'].partition('-')[2]) if admin_in_country: resolved_rse_countries = {list_rse_attributes(rse_id=rse['rse_id'], session=session).get('country') for rse in parse_expression(kwargs['rse_expression'], filter_={'vo': issuer.vo}, session=session)} if resolved_rse_countries.issubset(admin_in_country): return True return False
def perm_set_local_account_limit(issuer, kwargs): """ Checks if an account can set an account limit. :param account: Account identifier which issues the command. :param kwargs: List of arguments for the action. :returns: True if account is allowed, otherwise False """ if _is_root(issuer) or has_account_attribute(account=issuer, key='admin'): return True # Check if user is a country admin admin_in_country = [] for kv in list_account_attributes(account=issuer): if kv['key'].startswith('country-') and kv['value'] == 'admin': admin_in_country.append(kv['key'].partition('-')[2]) rse_attr = list_rse_attributes(rse_id=kwargs['rse_id']) if admin_in_country and rse_attr.get('country') in admin_in_country: return True quota_approvers = rse_attr.get('quota_approvers', None) if quota_approvers and issuer.external in quota_approvers.split(','): return True return False
def perm_update_replicas_states(issuer, kwargs): """ Checks if an account can delete replicas. :param issuer: Account identifier which issues the command. :param kwargs: List of arguments for the action. :returns: True if account is allowed, otherwise False """ rse = str(kwargs.get('rse', '')) phys_group = [] for kv in list_account_attributes(account=issuer): if kv['key'].startswith('group-') and kv['value'] in ['admin', 'user']: phys_group.append(kv['key'].partition('-')[2]) rse_attr = list_rse_attributes(rse=rse) if phys_group: if rse_attr.get('type', '') == 'GROUPDISK': if rse_attr.get('physgroup', '') in phys_group: return True else: return rse_attr.get('type', '') in ['SCRATCHDISK', 'MOCK', 'LOCALGROUPDISK', 'TEST']\ or issuer == 'root'\ or has_account_attribute(account=issuer, key='admin')
def perm_del_rule(issuer, kwargs): """ Checks if an issuer can delete a replication rule. :param issuer: Account identifier which issues the command. :param kwargs: List of arguments for the action. :returns: True if account is allowed to call the API call, otherwise False """ if issuer == 'root' or issuer == 'ddmadmin': return True if get_rule(kwargs['rule_id'])['account'] == issuer: return True # Check if user is a country admin admin_in_country = [] for kv in list_account_attributes(account=issuer): if kv['key'].startswith('country-') and kv['value'] == 'admin': admin_in_country.append(kv['key'].partition('-')[2]) rule = get_rule(rule_id=kwargs['rule_id']) rses = parse_expression(rule['rse_expression']) if admin_in_country: for rse in rses: if list_rse_attributes( rse=None, rse_id=rse['id']).get('country') in admin_in_country: return True # DELETERS can approve the rule for rse in rses: rse_attr = list_rse_attributes(rse=None, rse_id=rse['id']) if rse_attr.get('rule_deleters'): if issuer in rse_attr.get('rule_deleters').split(','): return True return False
def perm_declare_bad_file_replicas(issuer, kwargs): """ Checks if an account can declare bad file replicas. :param issuer: Account identifier which issues the command. :param kwargs: List of arguments for the action. :returns: True if account is allowed, otherwise False """ is_cloud_admin = bool(filter(lambda x: (x['key'].startswith('cloud-')) and (x['value'] == 'admin'), list_account_attributes(account=issuer))) return issuer == 'root' or has_account_attribute(account=issuer, key='admin') or is_cloud_admin