def view_acl(cls, identifier, object_type):
""" View object permissions
"""
try:
if object_type == 'pipeline':
model = Pipeline.get(identifier,
load_storage_rules=False,
load_run_parameters=False,
load_versions=False)
identifier = model.identifier
elif object_type == 'folder':
model = Folder.load(identifier)
identifier = model.id
elif object_type == 'data_storage':
model = DataStorage.get(identifier)
identifier = model.identifier
permissions_list = User.get_permissions(identifier, object_type)
if len(permissions_list) > 0:
permissions_table = prettytable.PrettyTable()
permissions_table.field_names = [
"SID", "Principal", "Allow", "Deny"
]
permissions_table.align = "r"
for permission in permissions_list:
permissions_table.add_row([
permission.name, permission.principal,
permission.get_allowed_permissions_description(),
permission.get_denied_permissions_description()
])
click.echo(permissions_table)
click.echo()
else:
click.echo('No user permissions are configured')
except ConfigNotFoundError as config_not_found_error:
click.echo(str(config_not_found_error), err=True)
except requests.exceptions.RequestException as http_error:
click.echo('Http error: {}'.format(str(http_error)), err=True)
except RuntimeError as runtime_error:
click.echo('Error: {}'.format(str(runtime_error)), err=True)
except ValueError as value_error:
click.echo('Error: {}'.format(str(value_error)), err=True)
def set_acl(cls, identifier, object_type, sid, group, allow, deny,
inherit):
""" Set object permissions
"""
try:
if object_type == 'pipeline':
model = Pipeline.get(identifier,
load_storage_rules=False,
load_run_parameters=False,
load_versions=False)
identifier = model.identifier
elif object_type == 'folder':
model = Folder.load(identifier)
identifier = model.id
elif object_type == 'data_storage':
model = DataStorage.get(identifier)
identifier = model.identifier
all_permissions = User.get_permissions(identifier, object_type)
user_permissions = filter(
lambda permission: permission.name.lower() == sid.lower() and
permission.principal != group, all_permissions)
user_mask = 0
if len(user_permissions) == 1:
user_mask = user_permissions[0].mask
if allow is None and deny is None and inherit is None:
raise RuntimeError('You must specify at least one permission')
permissions_masks = {
'r': {
'allow': 1,
'deny': 1 << 1,
'inherit': 0,
'group': 1 | 1 << 1
},
'w': {
'allow': 1 << 2,
'deny': 1 << 3,
'inherit': 0,
'group': 1 << 2 | 1 << 3
},
'x': {
'allow': 1 << 4,
'deny': 1 << 5,
'inherit': 0,
'group': 1 << 4 | 1 << 5
}
}
def check_permission(permission):
exists_in_allow = allow is not None and permission.lower(
) in allow.lower()
exists_in_deny = deny is not None and permission.lower(
) in deny.lower()
exists_in_inherit = inherit is not None and permission.lower(
) in inherit.lower()
if exists_in_allow + exists_in_deny + exists_in_inherit > 1:
raise RuntimeError(
'You cannot set permission (\'{}\') in multiple groups'
.format(permission))
check_permission('r')
check_permission('w')
check_permission('x')
def modify_permissions_group(mask, permissions_group_mask,
permission_mask):
permissions_clear_mask = (1 | 1 << 1 | 1 << 2 | 1 << 3 | 1 << 4
| 1 << 5) ^ permissions_group_mask
return (mask & permissions_clear_mask) | permission_mask
def modify_permissions(mask, permissions_group_name, permissions):
if permissions is not None:
for permission in permissions:
if permission.lower() not in permissions_masks:
raise RuntimeError(
'Unknown permission \'{}\''.format(permission))
else:
permissions_group_mask = permissions_masks[
permission.lower()]['group']
permission_mask = permissions_masks[
permission.lower()][permissions_group_name]
mask = modify_permissions_group(
mask, permissions_group_mask, permission_mask)
return mask
user_mask = modify_permissions(user_mask, 'allow', allow)
user_mask = modify_permissions(user_mask, 'deny', deny)
user_mask = modify_permissions(user_mask, 'inherit', inherit)
User.grant_permission(identifier, object_type, sid, not group,
user_mask)
click.echo('Permissions set')
except ConfigNotFoundError as config_not_found_error:
click.echo(str(config_not_found_error), err=True)
except requests.exceptions.RequestException as http_error:
click.echo('Http error: {}'.format(str(http_error)), err=True)
except RuntimeError as runtime_error:
click.echo('Error: {}'.format(str(runtime_error)), err=True)
except ValueError as value_error:
click.echo('Error: {}'.format(str(value_error)), err=True)