def set_object_perm_endpoint(request):
"""
设置文件对象的读写权限
:param request: WSGI request
"""
fields = (('*obj_id', int, (verify_pk, Objects)),
('*permission', str, (verify_in_array,
('private', 'public-read',
'public-read-write', 'authenticated'))))
data = validate_post_data(request.data, fields)
o = Objects.objects.select_related('bucket').select_related(
'bucket__bucket_region').get(obj_id=data['obj_id'])
if o.type == 'd':
raise ParseError('object is a directory')
verify_file_owner_and_permission(request, PermAction.RW, o)
try:
# 当权限为authenticated时,不推送到后端上游服务器
if 'authenticated' not in data['permission']:
s3 = s3_client(o.bucket.bucket_region.reg_id,
o.bucket.user.username)
s3.put_object_acl(ACL=data['permission'],
Bucket=o.bucket.name,
Key=o.key)
o.permission = data['permission']
o.save()
except Exception as e:
raise ParseError(detail=str(e))
return Response({'code': 0, 'msg': 'success'})
def put(self, request):
fields = (
self.pk_field[0],
('*bucket_region_id', int, (verify_pk, BucketRegion)),
)
data = validate_post_data(request.body, fields)
bucket_region = BucketRegion.objects.get(pk=data['bucket_region_id'])
if bucket_region.state != 'e':
raise ParseError('region is not enable state')
b = Buckets.objects.get(pk=data['bucket_id'])
if request.user != b.user:
raise ParseError('user not match')
if b.pid > 0:
raise ParseError('bucket is backup bucket')
if b.backup:
raise ParseError('backup function is already enable')
b.create_backup(data['bucket_region_id'])
return Response({
'code': 0,
'msg': 'success'
})
def post(self, request):
fields = (('*obj_id', int, (verify_pk, Objects)), ('*username', str,
verify_username),
('*permission', str, (verify_in_array,
('authenticated-read',
'authenticated-read-write'))))
data = validate_post_data(request.body, fields)
try:
self.queryset = Objects.objects.get(obj_id=int(data['obj_id']))
authorize_user = User.objects.get(username=data['username'])
except Objects.DoesNotExist:
raise ParseError('not found this bucket')
except User.DoesNotExist:
raise ParseError('not found this user')
if authorize_user.profile.root_uid != request.user.username and \
authorize_user.profile.parent_uid != request.user.username:
raise ParseError('only support authorized to sub user')
verify_file_owner_and_permission(request, PermAction.RW, self.queryset)
ObjectAcl.objects.update_or_create(object=self.queryset,
user=authorize_user,
permission=data['permission'])
return Response(
{
'code': 0,
'msg': 'success',
'data': self.queryset.json
},
status=HTTP_201_CREATED)
def delete(self, request):
data = validate_post_data(request.body, tuple(self.pk_field))
bucket = self.model.objects.select_related('bucket_region').get(pk=data['bucket_id'])
if bucket.user != request.user and not request.user.is_superuser:
raise ParseError(detail='illegal delete bucket')
if bucket.pid > 0:
self.model.objects.filter(pk=bucket.pid).update(backup=False)
try:
# ceph集群删除bucket
rgw = rgw_client(bucket.bucket_region.reg_id)
rgw.remove_bucket(bucket=bucket.name, purge_objects=True)
# 删除数据记录
bucket.delete()
except NoSuchKey:
raise ParseError('delete bucket failed, purge objects not found any key')
except NoSuchBucket:
raise ParseError('delete bucket failed, not found this bucket')
except Exception as e:
raise ParseError(detail=str(e))
return Response({
'code': 0,
'msg': 'success'
})
def put(self, request):
fields = (('allow_ip', str, verify_ip_addr), )
data = validate_post_data(request.body, fields)
self.queryset = request.user.keys
if 'allow_ip' in data: self.queryset.set_allow_access(data['allow_ip'])
self.queryset.change_user_key()
return Response({'code': 0, 'msg': 'success'})
def post(self, request):
fields = (('*bucket_id', int, (verify_pk, Buckets)), ('*username', str,
verify_username),
('*permission', str, (verify_in_array,
('authenticated-read',
'authenticated-read-write'))))
data = validate_post_data(request.body, fields)
try:
bucket = Buckets.objects.get(bucket_id=int(data['bucket_id']))
user = User.objects.get(username=data['username'])
except Buckets.DoesNotExist:
raise ParseError('not found this bucket')
except User.DoesNotExist:
raise ParseError('not found this user')
if user.profile.root_uid != request.user.username and user.profile.parent_uid != request.user.username:
raise ParseError('only support authorized to sub user')
if request.user != bucket.user:
raise ParseError('bucket owner and user not match')
self.queryset, created = self.model.objects.update_or_create(
bucket=bucket, user=user, permission=data['permission'])
return Response(
{
'code': 0,
'msg': 'success',
'data': self.queryset.json
},
status=HTTP_201_CREATED)
def post(self, request):
data = validate_post_data(request.body, tuple(self.fields))
self.queryset, create = self.model.objects.update_or_create(**data)
return Response({
'code': 0,
'msg': 'success',
'data': self.queryset.values()
})
def create_directory_endpoint(request):
"""
在指定的bucket内创建目录
该操作仅存在本地数据库,在ceph不会有任何记录
"""
validate_license_expire()
req_user = request.user
_fields = (('*bucket_name', str, verify_bucket_name),
('*folder_name', str, verify_object_name), ('path', str,
verify_object_path))
# 检验字段
data = validate_post_data(request.body, _fields)
# 检验bucket name是否为非法
try:
b = Buckets.objects.select_related('bucket_region').get(
name=data['bucket_name'])
except Buckets.DoesNotExist:
raise NotFound(detail='not fount this bucket')
if b.read_only:
raise ParseError('this bucket is read only')
verify_bucket_owner_and_permission(request, PermAction.RW, b)
try:
if 'path' in data:
# 验证目录是否在正确的bucket下面
data['path'] = data['path'].replace(',', '/')
p = verify_path(data['path'])
if not p or p.owner != req_user or p.bucket.name != data[
'bucket_name']:
raise ParseError(detail='illegal path')
key = data['path'] + data['folder_name'] + '/'
else:
key = data['folder_name'] + '/'
record_data = {
'name': data['folder_name'] + '/',
'bucket': b,
'type': 'd',
'key': key,
'root': data['path'] if 'path' in data else None,
'owner':
b.user if b.permission == 'public-read-write' else req_user
}
Objects.objects.create(**record_data)
except Exception as e:
raise ParseError(detail=str(e))
return Response({'code': 0, 'msg': 'success'})
def set_default_user_role(request):
if not request.user.is_superuser:
raise PermissionDenied()
fields = (
('*group_id', int, (verify_pk, Group)),
)
data = validate_post_data(request.body, fields)
group = Group.objects.get(pk=data['group_id'])
group.default_group.set_default()
return Response({
'code': 0,
'msg': 'success'
})
def post(self, request):
# if not verify_super_user(request):
# raise PermissionDenied()
data = validate_post_data(request.body, tuple(self.model_fields))
self.queryset, created = self.model.objects.update_or_create(**data)
return Response(
{
'code': 0,
'msg': 'success',
'data': self.queryset.json()
},
status=HTTP_201_CREATED)
def get_group_and_member(request):
fields = [
('*role', str, (verify_max_length, 20)),
('*username', str, (verify_max_length, 20))
]
data = validate_post_data(request.body, tuple(fields))
try:
g = Group.objects.get(name=data['role'])
u = User.objects.get(username=data['username'])
except Group.DoesNotExist:
raise NotFound('not found this group')
except User.DoesNotExist:
raise NotFound('not found this user')
return g, u
def put(self, request):
# if not verify_super_user(request):
# raise PermissionDenied()
fields = self.model_fields
fields.append(self.model_pk[0])
data = validate_post_data(request.body, tuple(fields))
self.queryset = self.model.objects.get(pk=data['id'])
self.queryset.__dict__.update(**data)
self.queryset.save()
return Response({
'code': 0,
'msg': 'success',
})
def post(self, request):
"""
新增一个角色
"""
fields = [
('*name', str, (verify_max_length, 20))
]
data = validate_post_data(request.body, fields)
self.queryset, _ = Group.objects.update_or_create(
name=data['name']
)
return Response({
'code': 0,
'msg': 'success',
}, status=HTTP_201_CREATED)
def change_password_endpoint(request):
"""
修改用户名密码,如果是超级管理员则不需要提供原密码,直接更改某个用户的密码
普通用户更改密码需要提供原始密码和新密码
"""
fields = [
('*username', str, verify_username),
('*pwd1', str, (verify_max_length, 30)),
('*pwd2', str, (verify_max_length, 30)),
]
if not request.user.is_superuser:
fields.append(('*old_pwd', str, (verify_max_length, 30)))
data = validate_post_data(request.body, tuple(fields))
# 验证两次密码是否一样
if data['pwd1'] != data['pwd2']:
raise ParseError(detail='the old and new password is not match!')
# 超级管理员则查询指定的用户
if request.user.is_superuser:
try:
user = User.objects.get(username=data['username'])
except User.DoesNotExist:
user = None
else:
user = request.user
if user and user.username != data['username']:
raise ParseError(detail='error username!')
if request.user.is_superuser:
user.set_password(data['pwd1'])
if not request.user.is_superuser and authenticate(
username=data['username'], password=data['old_pwd']):
user.set_password(data['pwd1'])
else:
raise ParseError('old password is error!')
user.save()
return Response({'code': 0, 'msg': 'success'})
def post(self, request):
data = validate_post_data(request.body, tuple(self.fields))
if query_bucket_exist(data['name']):
raise ParseError(detail='the bucket is already exist!')
# 判断容量是否足够
q = request.user.capacity_quota
if not q or not q.valid():
raise ParseError(detail='user capacity not enough')
bucket_region = BucketRegion.objects.get(pk=data['bucket_region_id'])
if bucket_region.state != 'e':
raise ParseError('region is not enable state')
# 使用用户key创建bucket
s3 = s3_client(data['bucket_region_id'], request.user.username)
s3.create_bucket(
Bucket=data['name'],
ACL=data['permission'],
)
if data['version_control']:
s3.put_bucket_versioning(
Bucket=data['name'],
VersioningConfiguration={
'MFADelete': 'Disabled',
'Status': 'Enabled',
},
)
# 本地数据库插入记录
self.model.objects.create(
name=data['name'],
bucket_region_id=data['bucket_region_id'],
version_control=data['version_control'],
user=request.user,
permission=data['permission']
)
return Response({
'code': 0,
'msg': 'success',
}, status=HTTP_201_CREATED)
def user_recharge_endpoint(request):
"""
用户充值
:param request:
:return:
"""
req_user = request.user
fields = (
('*order_id', str, (verify_length, 10)),
('*money', float, (verify_max_value, 99999.0))
)
data = validate_post_data(request.body, fields)
p = req_user.profile.get()
p.charge(data['money'])
return Response({
'code': 0,
'msg': 'success',
'balance': p.balance
})
def get_group_and_permission(request):
fields = [
('*role', str, (verify_max_length, 20)),
('*perms', list, len)
]
data = validate_post_data(request.body, tuple(fields))
try:
group = Group.objects.get(name=data['role'])
except Group.DoesNotExist:
raise NotFound('not found this group')
perms = []
for p in data['perms']:
try:
perm = Permission.objects.get(codename=p.split('.')[1])
except Permission.DoesNotExist:
continue
# raise NotFound('not found this permission object')
else:
perms.append(perm)
return group, perms
def user_delete_endpoint(request):
"""
删除指定的用户,该超作只允许超级管理员执行
:param request:
:return:
"""
# if not request.user.is_superuser:
# raise NotAuthenticated(detail='permission denied!')
fields = (('*username', str, verify_username), ('*user_id', int, None))
data = validate_post_data(request.body, fields)
try:
u = User.objects.get(pk=data['user_id'])
except User.DoesNotExist:
raise NotFound(detail='not found this user')
if not request.user.is_superuser and u != request.user:
raise NotAuthenticated(detail='permission denied')
if u.username != data['username']:
raise ParseError(detail='username and user_id not match')
if u.profile.phone_verify:
region = BucketRegion.objects.all()
# 递归删除所有区域集群上的用户
for i in region:
rgw = rgw_client(i.reg_id)
try:
rgw.get_user(uid=u.keys.ceph_uid, stats=True)
except NoSuchUser:
continue
else:
rgw.remove_user(uid=u.keys.ceph_uid, purge_data=True)
u.delete()
return Response({'code': 0, 'msg': 'success'})
def delete(self, request):
data = validate_post_data(request.body, self.pk_field)
self.model.objects.get(pk=data['bucket_type_id']).delete()
return Response({'code': 0, 'msg': 'success'})
def put(self, request):
self.fields.append(self.pk_field[0])
data = validate_post_data(request.body, tuple(self.fields))
self.queryset = self.model.objects.filter(pk=data['bucket_type_id'])
self.queryset.update(**data)
return Response({'code': 0, 'msg': 'success'})
def create_user_endpoint(request):
"""
创建用户
请求参数sub_user为1时则创建子用户
创建子用户只能是一个已经登陆的普通用户
:param request:
:return:
"""
try:
sub_user = int(request.GET.get('sub_user', False))
except ValueError:
sub_user = 0
sub_user = True if sub_user == 1 else False
req_user = request.user
if sub_user and isinstance(req_user, AnonymousUser):
raise ParseError(detail='create sub user need a already exist user')
if sub_user and not isinstance(
req_user, AnonymousUser) and req_user.profile.level >= 3:
raise ParseError('sub user already max level')
fields = (
('*username', str, verify_username),
('*pwd', str, (verify_max_length, 30)),
# ('*pwd2', str, None),
('*email', str, verify_mail),
('*first_name', str, (verify_max_length, 8)),
('*phone', str, verify_phone),
('verify_code', str, verify_img_verification_code))
data = validate_post_data(request.body, fields)
try:
User.objects.get(username=data['username'])
except User.DoesNotExist:
pass
else:
raise ParseError(detail='the user is already exist')
try:
User.objects.get(email=data['email'])
except User.DoesNotExist:
pass
else:
raise ParseError(detail='the email is already exist')
try:
Profile.objects.get(phone=data['phone'])
except Profile.DoesNotExist:
pass
else:
raise ParseError(detail='the phone number already exist')
try:
user = User.objects.create_user(
username=data['username'],
password=data['pwd'],
email=data['email'],
first_name=data['first_name'],
)
p = user.profile
p.phone = data['phone']
if sub_user:
p.is_subuser = True
p.parent_uid = request.user.username
p.root_uid = request.user.profile.root_uid
p.level = request.user.profile.level + 1
p.save()
p.save()
except Exception as e:
raise ParseError(detail=str(e))
# 新注册用户加入默认用户角色
try:
dg = DefaultGroup.objects.get(default=True)
except DefaultGroup.DoesNotExist:
pass
else:
dg.group.user_set.add(user)
return Response({'code': 0, 'msg': 'success'}, status=HTTP_201_CREATED)
def user_login_endpoint(request):
"""
使用用户名和密码登陆
"""
fields = (('*username', str, verify_username), ('*password', str,
(verify_max_length, 30)),
('*verify_code', str, (verify_length, 6)))
data = validate_post_data(request.body, fields)
# 因为用户名与手机号码均为唯一字段,所以一下条件只会有一个成立
try:
u = User.objects.select_related('profile').get(
username=data['username'])
except User.DoesNotExist:
u = None
try:
p = Profile.objects.select_related('user').get(phone=data['username'])
except Profile.DoesNotExist:
p = None
if not u and not p:
raise NotFound('not found this user')
user = None
if u:
user = u
if p:
user = p.user
if not user.is_active:
raise ParseError('user is inactive')
if not authenticate(username=user.username, password=data['password']):
raise ParseError('username or password is wrong')
# if not verify_phone_verification_code(data['verify_code'], user.profile.phone):
# raise ParseError('phone verification code is wrong!')
try:
t = Token.objects.get(user=user)
tk = t.key
t.delete()
cache.delete('token_%s' % tk)
except Token.DoesNotExist:
pass
finally:
tk, create = Token.objects.update_or_create(user=user)
cache_request_user_meta_info(tk, request)
# 首次登陆将生成access_key, secret_key, ceph_uid
if not user.profile.phone_verify:
user.keys.init()
# 使用django login方法登陆,不然没有登陆记录,但是不需要任何session
login(request, user=user)
request.session.clear()
logout(request)
return Response({
'code': 0,
'msg': 'success',
'data': {
'token': tk.key,
'user_id': user.pk,
'username': user.username,
'phone_verify': user.profile.phone_verify,
'phone_number': user.profile.phone,
'user_type': 'superuser' if user.is_superuser else 'normal',
'is_subuser': user.profile.is_subuser,
'level': user.profile.level,
}
})
