def add(cls, app_id, name, description, perms):
    """Create a resource type inside one app and attach its permission set.

    Args:
        app_id: Owning app. Uniqueness of ``name`` is enforced per app only,
            so the same type name may exist in several apps.
        name: Resource type name, unique within ``app_id``.
        description: Free-text description stored on the row.
        perms: Permission names handed to ``cls.update_perms`` for the new type.

    Returns:
        The freshly created ``ResourceType`` row.

    Raises:
        Aborts with HTTP 400 when ``name`` already exists for ``app_id``.
    """
    # Duplicate check is scoped to the app; nothing here prevents the same
    # name in a different app.
    duplicate = ResourceType.get_by(name=name, app_id=app_id)
    if duplicate:
        abort(400, "ResourceType <{0}> is already existed".format(name))

    created = ResourceType.create(name=name, description=description, app_id=app_id)
    cls.update_perms(created.id, perms, app_id)
    return created
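def init_acl():
    """Bootstrap the ``cmdb`` app's ACL: resource types, roles, resources and READ grants.

    Intended to be re-runnable: every creation step swallows ``AbortException``
    (the "already exists" case), so running it against an already-initialised
    database is harmless. Only the creation steps are guarded; a failure inside
    ``grant_resource_to_role`` still propagates.

    Side effects: creates the ``cmdb`` app if missing, one resource type per
    ``ResourceTypeEnum`` value, the ``CONFIG`` and ``CMDB_READ_ALL`` roles, one
    resource per CI type and per relation view, and grants ``CMDB_READ_ALL``
    READ on each of those resources.
    """
    cmdb_app = AppCache.get('cmdb') or App.create(name='cmdb')
    app_id = cmdb_app.id

    # 1. Resource types, each created with the full permission set.
    for resource_type in ResourceTypeEnum.all():
        try:
            ResourceTypeCRUD.add(app_id, resource_type, '', PermEnum.all())
        except AbortException:
            pass  # already present from an earlier run

    # 2. Roles. The third argument is True for CONFIG and False for
    # CMDB_READ_ALL; its meaning is defined by RoleCRUD.add_role, not here.
    for role_name, flag in ((RoleEnum.CONFIG, True), (RoleEnum.CMDB_READ_ALL, False)):
        try:
            RoleCRUD.add_role(role_name, app_id, flag)
        except AbortException:
            pass  # already present from an earlier run

    # 3. Register every CI type and relation view as an ACL resource and
    # grant the read-only role READ on it. One ACLManager serves all grants.
    acl = ACLManager()
    _register_and_grant_read(
        acl, app_id, ResourceTypeEnum.CI,
        [ci_type.name for ci_type in CIType.get_by(to_dict=False)])
    _register_and_grant_read(
        acl, app_id, ResourceTypeEnum.RELATION_VIEW,
        [view.name for view in PreferenceRelationView.get_by(to_dict=False)])


def _register_and_grant_read(acl, app_id, resource_type_name, names):
    """Add each of ``names`` as a resource of ``resource_type_name`` and grant CMDB_READ_ALL READ.

    The resource-type lookup is scoped to ``app_id``: type names are only
    unique per app (see ResourceTypeCRUD.add), so an unscoped lookup could
    resolve to another app's type of the same name and register the
    resources under the wrong app. The type is expected to exist because
    step 1 of init_acl just created it.
    """
    resource_type = ResourceType.get_by(name=resource_type_name, app_id=app_id,
                                        first=True, to_dict=False)
    type_id = resource_type.id
    for name in names:
        try:
            ResourceCRUD.add(name, type_id, app_id)
        except AbortException:
            pass  # resource already registered; still (re)apply the grant below
        acl.grant_resource_to_role(name, RoleEnum.CMDB_READ_ALL, resource_type_name, [PermEnum.READ])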
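def has_permission(cls, rid, resource_name, resource_type, app_id, perm):
    """Return True if role ``rid`` (directly or via an ancestor role) holds ``perm`` on a resource.

    Args:
        rid: Role id whose effective permissions are checked.
        resource_name: Name of the resource, unique within its resource type.
        resource_type: Resource type *name*, resolved within ``app_id``.
        app_id: App that scopes the resource-type lookup.
        perm: Permission name to test for.

    Returns:
        True on the first matching direct or group permission, otherwise False.

    Raises:
        Aborts with 404 when the resource type does not exist in ``app_id``,
        and with 403 when the resource was never registered in the ACL
        (fail closed: unknown resources are denied, not allowed).
    """
    # Keep the requested name for the error message. The previous version
    # overwrote the parameter with the (None) lookup result before formatting
    # it, so the 404 text said "ResourceType <None> is not found".
    type_name = resource_type
    rt = ResourceType.get_by(app_id=app_id, name=type_name, first=True, to_dict=False)
    if not rt:
        abort(404, "ResourceType <{0}> is not found".format(type_name))

    resource = Resource.get_by(name=resource_name, resource_type_id=rt.id,
                               first=True, to_dict=False)
    if not resource:
        abort(403, "Resource <{0}> is not in ACL".format(resource_name))

    # Permissions are inherited up the role hierarchy: every ancestor of
    # ``rid`` is consulted, both for direct resource grants and for grants on
    # any group the resource belongs to. Whether recursive_parent_ids includes
    # ``rid`` itself is not visible here — confirm against RoleRelationCRUD.
    group_ids = cls.get_group_ids(resource.id)
    for parent_id in RoleRelationCRUD.recursive_parent_ids(rid):
        id2perms = RoleRelationCache.get_resources(parent_id)
        if perm in id2perms['id2perms'].get(resource.id, []):
            return True
        if any(perm in id2perms['group2perms'].get(gid, []) for gid in group_ids):
            return True
    return False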
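def grant_resource_to_role(self, name, role, resource_type_name=None):
    """Resolve ``resource_type_name`` within this manager's app before granting.

    Args:
        name: Resource name the grant applies to.
        role: Role receiving the grant.
        resource_type_name: Resource type name, looked up within ``self.app_id``.

    Raises:
        Aborts with 400 when the resource type cannot be found.

    NOTE(review): the listing ends right after the guard, so the grant step
    itself for ``name``/``role`` is not visible here; the call site in
    init_acl also passes a fourth (permission list) argument this signature
    does not accept. Confirm both against the full source.
    """
    # The original guard was inverted: it aborted when the type *was* found
    # and fell through when it was missing. Lookup is scoped to self.app_id
    # because type names are only unique per app.
    resource_type = ResourceType.get_by(name=resource_type_name, app_id=self.app_id,
                                        first=True, to_dict=False)
    if not resource_type:
        return abort(
            400, "ResourceType <{0}> cannot be found".format(resource_type_name))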
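def add_resource(self, name, resource_type_name=None):
    """Register ``name`` as a resource of ``resource_type_name`` in this manager's app.

    Args:
        name: Resource name to create.
        resource_type_name: Resource type name, resolved within ``self.app_id``.

    Raises:
        Aborts with 404 when the resource type does not exist in this app;
        ``ResourceCRUD.add`` may abort on a duplicate resource.
    """
    # Scope the type lookup to this app: type names are only unique per app
    # (ResourceTypeCRUD.add checks duplicates per app_id), so an unscoped
    # lookup could attach the resource to another app's type.
    resource_type = ResourceType.get_by(name=resource_type_name, app_id=self.app_id,
                                        first=True, to_dict=False)
    if not resource_type:
        abort(404, "ResourceType <{0}> cannot be found".format(resource_type_name))
    ResourceCRUD.add(name, resource_type.id, self.app_id)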
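def _get_resource(self, name, resource_type_name):
    """Return the Resource row for ``name`` under ``resource_type_name`` in this app, or None.

    Args:
        name: Resource name.
        resource_type_name: Resource type name, resolved within ``self.app_id``.

    Returns:
        The matching ``Resource`` (first match) or None when no resource exists.

    Raises:
        Aborts with 404 when the resource type does not exist in this app.
    """
    # Type lookup scoped to this app, matching the app-scoped Resource query
    # below; type names are only unique per app.
    resource_type = ResourceType.get_by(name=resource_type_name, app_id=self.app_id,
                                        first=True, to_dict=False)
    if not resource_type:
        abort(404, "ResourceType <{0}> cannot be found".format(resource_type_name))
    return Resource.get_by(resource_type_id=resource_type.id, app_id=self.app_id,
                           name=name, first=True, to_dict=False)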
def update(cls, rt_id, **kwargs):
    """Update a resource type's fields and, optionally, its permission set.

    Args:
        rt_id: Id of the resource type to update.
        **kwargs: Column values to write. ``app_id`` is always discarded so a
            type cannot be moved to another app through this call; ``perms``
            is routed to ``cls.update_perms`` instead of the row update.

    Returns:
        Whatever ``ResourceType.update`` returns for the row.

    Raises:
        Aborts with 404 when ``rt_id`` does not exist and with 400 when a
        requested ``name`` already belongs to another type in the same app.
    """
    # Never allow re-parenting across apps via the update payload.
    kwargs.pop('app_id', None)

    rt = ResourceType.get_by_id(rt_id)
    if not rt:
        abort(404, "ResourceType <{0}> is not found".format(rt_id))

    new_name = kwargs.get('name')
    if 'name' in kwargs:
        # Name uniqueness is per app; a hit on the row being updated is fine.
        clash = ResourceType.get_by(name=new_name, app_id=rt.app_id,
                                    to_dict=False, first=True)
        if clash and clash.id != rt_id:
            return abort(400, "ResourceType <{0}> is duplicated".format(new_name))

    if 'perms' in kwargs:
        # Permissions live in their own table; keep them out of the row update.
        cls.update_perms(rt_id, kwargs.pop('perms'), rt.app_id)

    return rt.update(**kwargs)
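def del_resource(self, name, resource_type_name=None):
    """Delete the resource ``name`` of ``resource_type_name`` from this manager's app, if present.

    Args:
        name: Resource name to delete.
        resource_type_name: Resource type name, resolved within ``self.app_id``.

    Raises:
        Aborts with 400 when the resource type cannot be found. A missing
        resource is not an error; nothing is deleted in that case.
    """
    # The original guard was inverted: it aborted when the type existed and
    # dereferenced None when it did not. Lookup is scoped to self.app_id
    # because type names are only unique per app.
    resource_type = ResourceType.get_by(name=resource_type_name, app_id=self.app_id,
                                        first=True, to_dict=False)
    if not resource_type:
        return abort(
            400, "ResourceType <{0}> cannot be found".format(resource_type_name))

    resource = Resource.get_by(resource_type_id=resource_type.id, app_id=self.app_id,
                               name=name, first=True, to_dict=False)
    if resource:
        ResourceCRUD.delete(resource.id)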