def delete_replicas(rse, files, issuer, ignore_availability=False):
"""
Bulk delete file replicas.
:param rse: The RSE name.
:param files: The list of files.
:param issuer: The issuer account.
:param ignore_availability: Ignore the RSE blacklisting.
:returns: True is successful, False otherwise
"""
validate_schema(name='r_dids', obj=files)
kwargs = {'rse': rse}
if not permission.has_permission(issuer=issuer, action='delete_replicas', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not delete file replicas on %s' % (issuer, rse))
if not permission.has_permission(issuer=issuer, action='skip_availability_check', kwargs=kwargs):
ignore_availability = False
replica.delete_replicas(rse=rse, files=files, ignore_availability=ignore_availability)
def declare_bad_file_replicas(pfns, rse, issuer):
"""
Declare a list of bad replicas.
:param pfns: The list of PFNs.
:param rse: The RSE name.
:param issuer: The issuer account.
"""
kwargs = {}
if not permission.has_permission(issuer=issuer, action='declare_bad_file_replicas', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not declare bad replicas on %s' % (issuer, rse))
return replica.declare_bad_file_replicas(pfns=pfns, rse=rse)
def add_section(section, issuer=None):
"""
Add a section to the configuration.
:param section: The name of the section.
:param issuer: The issuer account.
"""
kwargs = {'issuer': issuer, 'section': section}
if not permission.has_permission(issuer=issuer, action='config_add_section', kwargs=kwargs):
raise exception.AccessDenied('%s cannot add section %s' % (issuer, section))
return config.add_section(section)
def delete_replication_rule(rule_id, issuer):
"""
Deletes a replication rule and all associated locks.
:param rule_id: The id of the rule to be deleted
:param issuer: The issuing account of this operation
:raises: RuleNotFound, AccessDenied
"""
kwargs = {'rule_id': rule_id}
if not has_permission(issuer=issuer, action='del_rule', kwargs=kwargs):
raise AccessDenied('Account %s can not remove this replication rule.' % (issuer))
rule.delete_rule(rule_id)
def sections(issuer=None):
"""
Return a list of the sections available.
:param issuer: The issuer account.
:returns: ['section_name', ...]
"""
kwargs = {'issuer': issuer}
if not permission.has_permission(issuer=issuer, action='config_sections', kwargs=kwargs):
raise exception.AccessDenied('%s cannot retrieve sections' % issuer)
return config.sections()
def list_replicas(dids,
schemes=None,
unavailable=False,
request_id=None,
ignore_availability=True,
all_states=False,
rse_expression=None,
client_location=None,
domain=None,
signature_lifetime=None,
resolve_archives=True,
resolve_parents=False,
issuer=None):
"""
List file replicas for a list of data identifiers.
:param dids: The list of data identifiers (DIDs).
:param schemes: A list of schemes to filter the replicas. (e.g. file, http, ...)
:param unavailable: Also include unavailable replicas in the list.
:param request_id: ID associated with the request for debugging.
:param all_states: Return all replicas whatever state they are in. Adds an extra 'states' entry in the result dictionary.
:param rse_expression: The RSE expression to restrict replicas on a set of RSEs.
:param client_location: Client location dictionary for PFN modification {'ip', 'fqdn', 'site'}
:param domain: The network domain for the call, either None, 'wan' or 'lan'. Compatibility fallback: None falls back to 'wan'.
:param signature_lifetime: If supported, in seconds, restrict the lifetime of the signed PFN.
:param resolve_archives: When set to True, find archives which contain the replicas.
:param resolve_parents: When set to True, find all parent datasets which contain the replicas.
:param issuer: The issuer account.
"""
validate_schema(name='r_dids', obj=dids)
# Allow selected authenticated users to retrieve signed URLs.
# Unauthenticated users, or permission-less users will get the raw URL without the signature.
sign_urls = False
if permission.has_permission(issuer=issuer,
action='get_signed_url',
kwargs={}):
sign_urls = True
return replica.list_replicas(dids=dids,
schemes=schemes,
unavailable=unavailable,
request_id=request_id,
ignore_availability=ignore_availability,
all_states=all_states,
rse_expression=rse_expression,
client_location=client_location,
domain=domain,
sign_urls=sign_urls,
signature_lifetime=signature_lifetime,
resolve_archives=resolve_archives,
resolve_parents=resolve_parents)
def add_section(section, issuer=None, vo='def'):
"""
Add a section to the configuration.
:param section: The name of the section.
:param issuer: The issuer account.
:param vo: The VO to act on.
"""
kwargs = {'issuer': issuer, 'section': section}
if not permission.has_permission(issuer=issuer, vo=vo, action='config_add_section', kwargs=kwargs):
raise exception.AccessDenied('%s cannot add section %s' % (issuer, section))
return config.add_section(section)
def has_section(section, issuer=None):
"""
Indicates whether the named section is present in the configuration.
:param section: The name of the section.
:param issuer: The issuer account.
:returns: True/False
"""
kwargs = {'issuer': issuer, 'section': section}
if not permission.has_permission(issuer=issuer, action='config_has_section', kwargs=kwargs):
raise exception.AccessDenied('%s cannot check existence of section %s' % (issuer, section))
return config.has_section(section)
def del_rse(rse, issuer):
"""
Disables a RSE with the provided RSE name.
:param rse: The RSE name.
:param issuer: The issuer account.
"""
kwargs = {'rse': rse}
if not permission.has_permission(issuer=issuer, action='del_rse', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not delete RSE' % (issuer))
return rse_module.del_rse(rse)
def remove_section(section, issuer=None):
"""
Remove the specified option from the specified section.
:param section: The name of the section.
:param issuer: The issuer account.
:returns: True/False.
"""
kwargs = {'issuer': issuer, 'section': section}
if not permission.has_permission(issuer=issuer, action='config_remove_section', kwargs=kwargs):
raise exception.AccessDenied('%s cannot remove section %s' % (issuer, section))
return config.remove_section(section)
def has_section(section, issuer=None):
"""
Indicates whether the named section is present in the configuration.
:param section: The name of the section.
:param issuer: The issuer account.
:returns: True/False
"""
kwargs = {'issuer': issuer, 'section': section}
if not permission.has_permission(issuer=issuer, action='config_has_section', kwargs=kwargs):
raise exception.AccessDenied('%s cannot check existence of section %s' % (issuer, section))
return config.has_section(section)
def move_replication_rule(rule_id,
rse_expression,
override,
issuer,
vo='def',
session=None):
"""
Move a replication rule to another RSE and, once done, delete the original one.
:param rule_id: Rule to be moved.
:param rse_expression: RSE expression of the new rule.
:param override: Configurations to update for the new rule.
:param session: The DB Session.
:param vo: The VO to act on.
:raises: RuleNotFound, RuleReplaceFailed, InvalidRSEExpression, AccessDenied
"""
kwargs = {
'rule_id': rule_id,
'rse_expression': rse_expression,
'override': override,
}
if is_multi_vo(
session=session) and not has_permission(issuer=issuer,
vo=vo,
action='access_rule_vo',
kwargs=kwargs,
session=session):
raise AccessDenied('Account %s can not access rules at other VOs.' %
(issuer))
if not has_permission(issuer=issuer,
vo=vo,
action='move_rule',
kwargs=kwargs,
session=session):
raise AccessDenied('Account %s can not move this replication rule.' %
(issuer))
return rule.move_rule(**kwargs, session=session)
def add_protocol(rse, issuer, **data):
"""
Creates a new protocol entry for an existing RSE.
:param rse: The RSE name.
:param issuer: The issuer account.
:param data: Parameters (protocol identifier, port, hostname, ...) provided by the request.
"""
kwargs = {'rse': rse}
if not permission.has_permission(issuer=issuer, action='add_protocol', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not add protocols to RSE %s' % (issuer, rse))
rse_module.add_protocol(rse, data['data'])
def update_replication_rule(rule_id, options, issuer):
"""
Update lock state of a replication rule.
:param rule_id: The rule_id to lock.
:param options: Options dictionary.
:param issuer: The issuing account of this operation
:raises: RuleNotFound if no Rule can be found.
"""
kwargs = {'rule_id': rule_id, 'options': options}
if not has_permission(issuer=issuer, action='update_rule', kwargs=kwargs):
raise AccessDenied('Account %s can not update this replication rule.' % (issuer))
rule.update_rule(rule_id=rule_id, options=options)
def sections(issuer=None):
"""
Return a list of the sections available.
:param issuer: The issuer account.
:returns: ['section_name', ...]
"""
kwargs = {'issuer': issuer}
if not permission.has_permission(
issuer=issuer, action='config_sections', kwargs=kwargs):
raise exception.AccessDenied('%s cannot retrieve sections' % issuer)
return config.sections()
def delete_replication_rule(rule_id, purge_replicas, issuer):
"""
Deletes a replication rule and all associated locks.
:param rule_id: The id of the rule to be deleted
:param issuer: The issuing account of this operation
:raises: RuleNotFound, AccessDenied
"""
kwargs = {'rule_id': rule_id, 'purge_replicas': purge_replicas}
if not has_permission(issuer=issuer, action='del_rule', kwargs=kwargs):
raise AccessDenied('Account %s can not remove this replication rule.' %
(issuer))
rule.delete_rule(rule_id=rule_id, purge_replicas=purge_replicas, soft=True)
def move_replication_rule(rule_id, rse_expression, issuer):
"""
Move a replication rule to another RSE and, once done, delete the original one.
:param rule_id: Rule to be moved.
:param rse_expression: RSE expression of the new rule.
:param session: The DB Session.
:raises: RuleNotFound, RuleReplaceFailed
"""
kwargs = {'rule_id': rule_id, 'rse_expression': rse_expression}
if not has_permission(issuer=issuer, action='move_rule', kwargs=kwargs):
raise AccessDenied('Account %s can not move this replication rule.' % (issuer))
return rule.move_rule(rule_id=rule_id, rse_expression=rse_expression)
def remove_section(section, issuer=None):
"""
Remove the specified option from the specified section.
:param section: The name of the section.
:param issuer: The issuer account.
:returns: True/False.
"""
kwargs = {'issuer': issuer, 'section': section}
if not permission.has_permission(issuer=issuer, action='config_remove_section', kwargs=kwargs):
raise exception.AccessDenied('%s cannot remove section %s' % (issuer, section))
return config.remove_section(section)
def get_replication_rule(rule_id, issuer, estimate_ttc=None, vo='def'):
"""
Get replication rule by it's id.
:param rule_id: The rule_id to get.
:param issuer: The issuing account of this operation.
:param vo: The VO of the issuer.
"""
kwargs = {'rule_id': rule_id}
if not has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs):
raise AccessDenied('Account %s can not access rules at other VOs.' % (issuer))
result = rule.get_rule(rule_id, estimate_ttc)
return api_update_return_dict(result)
def update_exception(exception_id, state, issuer, vo='def'):
"""
Update exceptions state to Lifetime Model.
:param id: The id of the exception.
:param state: The states to filter.
:param issuer: The issuer account.
:param vo: The VO to act on.
"""
kwargs = {'exception_id': exception_id, 'vo': vo}
if not permission.has_permission(issuer=issuer, vo=vo, action='update_lifetime_exceptions', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not update lifetime exceptions' % (issuer))
return lifetime_exception.update_exception(exception_id=exception_id, state=state)
def del_identity(identity_key, id_type, issuer):
"""
Deletes a user identity.
:param identity_key: The identity key name. For example x509 DN, or a username.
:param id_type: The type of the authentication (x509, gss, userpass, ssh, saml).
:param issuer: The issuer account.
"""
id_type = IdentityType.from_sym(id_type)
kwargs = {'accounts': identity.list_accounts_for_identity(identity_key, id_type)}
if not permission.has_permission(issuer=issuer, action='del_identity', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not delete identity' % (issuer))
return identity.del_identity(identity_key, id_type)
def options(section, issuer=None):
"""
Returns a list of options available in the specified section.
:param section: The name of the section.
:param issuer: The issuer account.
:returns: ['option', ...]
"""
kwargs = {'issuer': issuer, 'section': section}
if not permission.has_permission(issuer=issuer, action='config_options', kwargs=kwargs):
raise exception.AccessDenied('%s cannot retrieve options from section %s' % (issuer, section))
return config.options(section)
def options(section, issuer=None):
"""
Returns a list of options available in the specified section.
:param section: The name of the section.
:param issuer: The issuer account.
:returns: ['option', ...]
"""
kwargs = {'issuer': issuer, 'section': section}
if not permission.has_permission(issuer=issuer, action='config_options', kwargs=kwargs):
raise exception.AccessDenied('%s cannot retrieve options from section %s' % (issuer, section))
return config.options(section)
def del_rse(rse, issuer):
"""
Disables a RSE with the provided RSE name.
:param rse: The RSE name.
:param issuer: The issuer account.
"""
kwargs = {'rse': rse}
if not permission.has_permission(issuer=issuer, action='del_rse', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not delete RSE' % (issuer))
return rse_module.del_rse(rse)
def list_heartbeats(issuer=None, vo='def'):
"""
Return a list of tuples of all heartbeats.
:param issuer: The issuer account.
:param vo: the VO for the issuer.
:returns: List of tuples [('Executable', 'Hostname', ...), ...]
"""
kwargs = {'issuer': issuer}
if not permission.has_permission(issuer=issuer, vo=vo, action='list_heartbeats', kwargs=kwargs):
raise exception.AccessDenied('%s cannot list heartbeats' % issuer)
return heartbeat.list_heartbeats()
def add_protocol(rse, issuer, **data):
"""
Creates a new protocol entry for an existing RSE.
:param rse: The RSE name.
:param issuer: The issuer account.
:param data: Parameters (protocol identifier, port, hostname, ...) provided by the request.
"""
kwargs = {'rse': rse}
if not permission.has_permission(issuer=issuer, action='add_protocol', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not add protocols to RSE %s' % (issuer, rse))
rse_module.add_protocol(rse, data['data'])
def add_files(lfns, issuer, ignore_availability):
"""
Bulk add files :
- Create the file and replica.
- If doesn't exist create the dataset containing the file as well as a rule on the dataset on ANY sites.
- Create all the ascendants of the dataset if they do not exist
:param lfns: List of lfn (dictionary {'lfn': <lfn>, 'rse': <rse>, 'bytes': <bytes>, 'adler32': <adler32>, 'guid': <guid>, 'pfn': <pfn>}
:param issuer: The issuer account.
:param ignore_availability: A boolean to ignore blacklisted sites.
"""
scopes = list_scopes()
dids = []
rses = {}
for lfn in lfns:
scope, name = extract_scope(lfn['lfn'], scopes)
dids.append({'scope': scope, 'name': name})
rse = lfn['rse']
if rse not in rses:
rse_id = get_rse_id(rse=rse)
rses[rse] = rse_id
lfn['rse_id'] = rses[rse]
# Check if the issuer can add dids and use skip_availabitlity
for rse in rses:
rse_id = rses[rse]
kwargs = {'rse': rse, 'rse_id': rse_id}
if not has_permission(issuer=issuer, action='add_replicas', kwargs=kwargs):
raise AccessDenied('Account %s can not add file replicas on %s' % (issuer, rse))
if not has_permission(issuer=issuer, action='skip_availability_check', kwargs=kwargs):
ignore_availability = False
# Check if the issuer can add the files
kwargs = {'issuer': issuer, 'dids': dids}
if not has_permission(issuer=issuer, action='add_dids', kwargs=kwargs):
raise AccessDenied('Account %s can not bulk add data identifier' % (issuer))
dirac.add_files(lfns=lfns, account=issuer, ignore_availability=ignore_availability, session=None)
def add_replicas(rse, files, issuer, ignore_availability=False):
"""
Bulk add file replicas.
:param rse: The RSE name.
:param files: The list of files.
:param issuer: The issuer account.
:param ignore_availability: Ignore the RSE blacklisting.
:returns: True is successful, False otherwise
"""
for v_file in files:
v_file.update(
{"type":
"FILE"}) # Make sure DIDs are identified as files for checking
validate_schema(name='dids', obj=files)
rse_id = get_rse_id(rse=rse)
kwargs = {'rse': rse, 'rse_id': rse_id}
if not permission.has_permission(
issuer=issuer, action='add_replicas', kwargs=kwargs):
raise exception.AccessDenied(
'Account %s can not add file replicas on %s' % (issuer, rse))
if not permission.has_permission(
issuer=issuer, action='skip_availability_check', kwargs=kwargs):
ignore_availability = False
issuer = InternalAccount(issuer)
for f in files:
f['scope'] = InternalScope(f['scope'])
if 'account' in f:
f['account'] = InternalAccount(f['account'])
replica.add_replicas(rse_id=rse_id,
files=files,
account=issuer,
ignore_availability=ignore_availability)
def set(section, option, value, issuer=None):
"""
Set the given option to the specified value.
:param section: The name of the section.
:param option: The name of the option.
:param value: The content of the value.
:param issuer: The issuer account.
"""
kwargs = {'issuer': issuer, 'section': section, 'option': option, 'value': value}
if not permission.has_permission(issuer=issuer, action='config_set', kwargs=kwargs):
raise exception.AccessDenied('%s cannot set option %s to %s in section %s' % (issuer, option, value, section))
return config.set(section, option, value)
def queue_requests(requests, issuer):
"""
Submit transfer or deletion requests on destination RSEs for data identifiers.
:param requests: List of dictionaries containing 'scope', 'name', 'dest_rse_id', 'request_type', 'attributes'
:param issuer: Issuing account as a string.
:returns: List of Request-IDs as 32 character hex strings
"""
kwargs = {'requests': requests, 'issuer': issuer}
if not permission.has_permission(issuer=issuer, action='queue_requests', kwargs=kwargs):
raise exception.AccessDenied('%(issuer)s can not queue request' % locals())
return request.queue_requests(requests)
def items(section, issuer=None):
"""
Return a list of (option, value) pairs for each option in the given section. Values are auto-coerced as in get().
:param section: The name of the section.
:param value: The content of the value.
:param issuer: The issuer account.
:returns: [('option', auto-coerced value), ...]
"""
kwargs = {'issuer': issuer, 'section': section}
if not permission.has_permission(issuer=issuer, action='config_items', kwargs=kwargs):
raise exception.AccessDenied('%s cannot retrieve options and values from section %s' % (issuer, section))
return config.items(section)
def reduce_replication_rule(rule_id, copies, exclude_expression, issuer):
"""
Reduce the number of copies for a rule by atomically replacing the rule.
:param rule_id: Rule to be reduced.
:param copies: Number of copies of the new rule.
:param exclude_expression: RSE Expression of RSEs to exclude.
:param issuer: The issuing account of this operation
:raises: RuleReplaceFailed, RuleNotFound
"""
kwargs = {'rule_id': rule_id, 'copies': copies, 'exclude_expression': exclude_expression}
if not has_permission(issuer=issuer, action='reduce_rule', kwargs=kwargs):
raise AccessDenied('Account %s can not reduce this replication rule.' % (issuer))
return rule.reduce_rule(rule_id=rule_id, copies=copies, exclude_expression=exclude_expression)
def update_replication_rule(rule_id, options, issuer):
"""
Update lock state of a replication rule.
:param rule_id: The rule_id to lock.
:param options: Options dictionary.
:param issuer: The issuing account of this operation
:raises: RuleNotFound if no Rule can be found.
"""
kwargs = {'rule_id': rule_id, 'options': options}
if 'approve' in options:
if not has_permission(issuer=issuer, action='approve_rule', kwargs=kwargs):
raise AccessDenied('Account %s can not approve/deny this replication rule.' % (issuer))
issuer = InternalAccount(issuer)
if options['approve']:
rule.approve_rule(rule_id=rule_id, approver=issuer)
else:
rule.deny_rule(rule_id=rule_id, approver=issuer, reason=options.get('comment', None))
else:
if not has_permission(issuer=issuer, action='update_rule', kwargs=kwargs):
raise AccessDenied('Account %s can not update this replication rule.' % (issuer))
rule.update_rule(rule_id=rule_id, options=options)
def cancel_request(request_id, issuer, account):
"""
Cancel a request.
:param request_id: Request Identifier as a 32 character hex string.
:param issuer: Issuing account as a string.
:param account: Account identifier as a string.
"""
kwargs = {'account': account, 'issuer': issuer, 'request_id': request_id}
if not permission.has_permission(issuer=issuer, action='cancel_request_', kwargs=kwargs):
raise exception.AccessDenied('%s cannot cancel request %s' % (account, request_id))
raise NotImplementedError
def set(section, option, value, issuer=None):
"""
Set the given option to the specified value.
:param section: The name of the section.
:param option: The name of the option.
:param value: The content of the value.
:param issuer: The issuer account.
"""
kwargs = {'issuer': issuer, 'section': section, 'option': option, 'value': value}
if not permission.has_permission(issuer=issuer, action='config_set', kwargs=kwargs):
raise exception.AccessDenied('%s cannot set option %s to %s in section %s' % (issuer, option, value, section))
return config.set(section, option, value)
def update_vo(updated_vo, parameters, issuer, vo='def'):
"""
Update VO properties (email, description).
:param updated_vo: The VO to update.
:param parameters: A dictionary with the new properties.
:param issuer: The user issuing the command.
:param vo: The VO of the user issusing the command.
"""
kwargs = {}
if not has_permission(issuer=issuer, action='update_vo', kwargs=kwargs, vo=vo):
raise exception.AccessDenied('Account {} cannot update VO'.format(issuer))
return vo_core.update_vo(vo=updated_vo, parameters=parameters)
def has_option(section, option, issuer=None):
"""
Check if the given section exists and contains the given option.
:param section: The name of the section.
:param option: The name of the option.
:param issuer: The issuer account.
:returns: True/False
"""
kwargs = {'issuer': issuer, 'section': section, 'option': option}
if not permission.has_permission(issuer=issuer, action='config_has_option', kwargs=kwargs):
raise exception.AccessDenied('%s cannot check existence of option %s from section %s' % (issuer, option, section))
return config.has_option(section, option)
def cancel_request(request_id, issuer, account):
"""
Cancel a request.
:param request_id: Request Identifier as a 32 character hex string.
:param issuer: Issuing account as a string.
:param account: Account identifier as a string.
"""
kwargs = {'account': account, 'issuer': issuer, 'request_id': request_id}
if not permission.has_permission(issuer=issuer, action='cancel_request_', kwargs=kwargs):
raise exception.AccessDenied('%(account)s cannot cancel request %s(request_id)s' % locals())
return request.cancel_request(request_id)
def add_value(key, value, issuer, vo='def'):
"""
Add a new value to a key.
:param key: the name for the key.
:param value: the value.
:param vo: the vo to act on.
"""
kwargs = {'key': key, 'value': value}
if not has_permission(
issuer=issuer, vo=vo, action='add_value', kwargs=kwargs):
raise AccessDenied('Account %s can not add value %s to key %s' %
(issuer, value, key))
return meta.add_value(key=key, value=value)
def import_data(data, issuer, vo='def'):
"""
Import data to add/update/delete records in Rucio.
:param data: data to be imported.
:param issuer: the issuer.
:param vo: the VO of the issuer.
"""
kwargs = {'issuer': issuer}
validate_schema(name='import', obj=data)
if not permission.has_permission(issuer=issuer, vo=vo, action='import', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not import data' % issuer)
return importer.import_data(data, vo=vo)
def list_replication_rule_history(rule_id, issuer, vo='def'):
"""
Lists replication rule history..
:param rule_id: The rule_id to list.
:param issuer: The issuing account of this operation.
:param vo: The VO of the issuer.
"""
kwargs = {'rule_id': rule_id}
if is_multi_vo() and not has_permission(
issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs):
raise AccessDenied('Account %s can not access rules at other VOs.' %
(issuer))
return rule.list_rule_history(rule_id)
def set_tombstone(rse, scope, name, issuer):
"""
Sets a tombstone on one replica.
:param rse: name of the RSE.
:param scope: scope of the replica DID.
:param name: name of the replica DID.
:param issuer: The issuer account
"""
if not permission.has_permission(
issuer=issuer, action='set_tombstone', kwargs={}):
raise exception.AccessDenied('Account %s can not set tombstones' %
(issuer))
replica.set_tombstone(rse, scope, name)
def items(section, issuer=None):
"""
Return a list of (option, value) pairs for each option in the given section. Values are auto-coerced as in get().
:param section: The name of the section.
:param value: The content of the value.
:param issuer: The issuer account.
:returns: [('option', auto-coerced value), ...]
"""
kwargs = {'issuer': issuer, 'section': section}
if not permission.has_permission(issuer=issuer, action='config_items', kwargs=kwargs):
raise exception.AccessDenied('%s cannot retrieve options and values from section %s' % (issuer, section))
return config.items(section)
def list_vos(issuer, vo='def'):
'''
List the VOs.
:param issuer: The user issuing the command.
:param vo: The vo of the user issuing the command.
'''
kwargs = {}
if not has_permission(
issuer=issuer, action='list_vos', kwargs=kwargs, vo=vo):
raise exception.AccessDenied(
'Account {} cannot list VOs'.format(issuer))
return vo_core.list_vos()
def queue_requests(requests, issuer):
"""
Submit transfer or deletion requests on destination RSEs for data identifiers.
:param requests: List of dictionaries containing 'scope', 'name', 'dest_rse_id', 'request_type', 'attributes'
:param issuer: Issuing account as a string.
:returns: List of Request-IDs as 32 character hex strings
"""
kwargs = {'requests': requests, 'issuer': issuer}
if not permission.has_permission(issuer=issuer, action='queue_requests', kwargs=kwargs):
raise exception.AccessDenied('%(issuer)s can not queue request' % locals())
return request.queue_requests(requests)
def has_option(section, option, issuer=None):
"""
Check if the given section exists and contains the given option.
:param section: The name of the section.
:param option: The name of the option.
:param issuer: The issuer account.
:returns: True/False
"""
kwargs = {'issuer': issuer, 'section': section, 'option': option}
if not permission.has_permission(issuer=issuer, action='config_has_option', kwargs=kwargs):
raise exception.AccessDenied('%s cannot check existence of option %s from section %s' % (issuer, option, section))
return config.has_option(section, option)
def update_rse(rse, parameters, issuer):
"""
Update RSE properties like availability or name.
:param rse: the name of the new rse.
:param parameters: A dictionnary with property (name, read, write, delete as keys).
:param issuer: The issuer account.
:raises RSENotFound: If RSE is not found.
"""
kwargs = {'rse': rse}
if not permission.has_permission(issuer=issuer, action='update_rse', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not update RSE' % (issuer))
return rse_module.update_rse(rse=rse, parameters=parameters)
def add_replication_rule(dids, copies, rse_expression, weight, lifetime, grouping, account, locked, subscription_id, source_replica_expression, activity, notify, purge_replicas, ignore_availability, issuer):
"""
Adds a replication rule.
:param dids: The data identifier set.
:param copies: The number of replicas.
:param rse_expression: Boolean string expression to give the list of RSEs.
:param weight: If the weighting option of the replication rule is used, the choice of RSEs takes their weight into account.
:param lifetime: The lifetime of the replication rules (in seconds).
:param grouping: ALL - All files will be replicated to the same RSE.
DATASET - All files in the same dataset will be replicated to the same RSE.
NONE - Files will be completely spread over all allowed RSEs without any grouping considerations at all.
:param account: The account owning the rule.
:param locked: If the rule is locked, it cannot be deleted.
:param subscription_id: The subscription_id, if the rule is created by a subscription.
:param source_replica_expression: Only use replicas from this RSE as sources.
:param activity: Activity to be passed on to the conveyor.
:param notify: Notification setting of the rule.
:purge purge_replicas: The purge setting to delete replicas immediately after rule deletion.
:param ignore_availability: Option to ignore the availability of RSEs.
:param issuer: The issuing account of this operation.
:returns: List of created replication rules.
"""
if account is None:
account = issuer
kwargs = {'dids': dids, 'copies': copies, 'rse_expression': rse_expression, 'weight': weight, 'lifetime': lifetime,
'grouping': grouping, 'account': account, 'locked': locked, 'subscription_id': subscription_id,
'source_replica_expression': source_replica_expression, 'notify': notify, 'activity': activity,
'purge_replicas': purge_replicas, 'ignore_availability': ignore_availability}
validate_schema(name='activity', obj=kwargs['activity'])
if not has_permission(issuer=issuer, action='add_rule', kwargs=kwargs):
raise AccessDenied('Account %s can not add replication rule' % (issuer))
return rule.add_rule(account=account,
dids=dids,
copies=copies,
rse_expression=rse_expression,
grouping=grouping,
weight=weight,
lifetime=lifetime,
locked=locked,
subscription_id=subscription_id,
source_replica_expression=source_replica_expression,
activity=activity,
notify=notify,
purge_replicas=purge_replicas,
ignore_availability=ignore_availability)
def submit_deletion(url, issuer, account):
"""
Submit a deletion request to a deletiontool.
:param url: URL acceptable to deletiontool as a string.
:param issuer: Issuing account as a string.
:param account: Account identifier as a string.
:returns: Deletiontool external ID.
"""
kwargs = {'account': account, 'issuer': issuer, 'url': url}
if not permission.has_permission(issuer=issuer, action='submit_deletion', kwargs=kwargs):
raise exception.AccessDenied('%(account)s can not delete' % locals())
return request.submit_deletion(url)
def update_protocols(rse, scheme, data, issuer, hostname=None, port=None):
"""
Updates all provided attributes for all matching protocol entries of the given RSE..
:param rse: The RSE name.
:param issuer: The issuer account.
:param scheme: The protocol identifier.
:param data: A dict including the attributes of the protocol to be updated. Keys must match the column names in the database.
:param hostname: The hostname (to be used if more then one protocol using the same identifier are present)
:param port: The port (to be used if more than one protocol using the same identifier and hostname are present)
"""
kwargs = {'rse': rse}
if not permission.has_permission(issuer=issuer, action='update_protocol', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not update protocols from RSE %s' % (issuer, rse))
rse_module.update_protocols(rse, scheme=scheme, hostname=hostname, port=port, data=data)
def del_rse_attribute(rse, key, issuer):
"""
Delete a RSE attribute.
:param rse: the name of the rse_module.
:param key: the attribute key.
:return: True if RSE attribute was deleted successfully, False otherwise.
"""
kwargs = {'rse': rse, 'key': key}
if not permission.has_permission(issuer=issuer, action='del_rse_attribute', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not delete RSE attributes' % (issuer))
return rse_module.del_rse_attribute(rse=rse, key=key)
def query_request(request_id, issuer, account):
"""
Query the status of a request.
:param request_id: Request-ID as a 32 character hex string.
:param issuer: Issuing account as a string.
:param account: Account identifier as a string.
:returns: Request status information as a dictionary.
"""
kwargs = {'account': account, 'issuer': issuer, 'request_id': request_id}
if not permission.has_permission(issuer=issuer, action='query_request', kwargs=kwargs):
raise exception.AccessDenied('%(account)s cannot query request %s(request_id)s' % locals())
return request.query_request(request_id)
def set_rse_limits(rse, name, value, issuer):
"""
Set RSE limits.
:param rse: The RSE name.
:param name: The name of the limit.
:param value: The feature value. Set to -1 to remove the limit.
:param issuer: The issuer account.
:returns: True if successful, otherwise false.
"""
kwargs = {'rse': rse}
if not permission.has_permission(issuer=issuer, action='set_rse_limits', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not update RSE limits for RSE %s' % (issuer, rse))
return rse_module.set_rse_limits(rse=rse, name=name, value=value)
def add_account_identity(identity_key, type, account, email, issuer, default=False):
"""
Adds a membership association between identity and account.
:param identity_key: The identity key name. For example x509 DN, or a username.
:param type: The type of the authentication (x509, gss, userpass).
:param account: The account name.
:param email: The Email address associated with the identity.
:param issuer: The issuer account.
:param default: If True, the account should be used by default with the provided identity.
"""
kwargs = {'identity': identity_key, 'type': type, 'account': account}
if not permission.has_permission(issuer=issuer, action='add_account_identity', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not add account identity' % (issuer))
return identity.add_account_identity(identity=identity_key, type=IdentityType.from_sym(type), default=default, email=email, account=account)
def del_protocols(rse, scheme, issuer, hostname=None, port=None):
"""
Deletes all matching protocol entries for the given RSE..
:param rse: The RSE name.
:param issuer: The issuer account.
:param scheme: The protocol identifier.
:param hostname: The hostname (to be used if more then one protocol using the
same identifier are present)
:param port: The port (to be used if more than one protocol using the same
identifier and hostname are present)
"""
kwargs = {'rse': rse}
if not permission.has_permission(issuer=issuer, action='del_protocol', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not delete protocols from RSE %s' % (issuer, rse))
rse_module.del_protocols(rse, scheme=scheme, hostname=hostname, port=port)
def add_rse_attribute(rse, key, value, issuer):
""" Adds a RSE attribute.
:param rse: the rse name.
:param key: the key name.
:param value: the value name.
:param issuer: The issuer account.
returns: True if successful, False otherwise.
"""
kwargs = {'rse': rse, 'key': key, 'value': value}
if not permission.has_permission(issuer=issuer, action='add_rse_attribute', kwargs=kwargs):
raise exception.AccessDenied('Account %s can not add RSE attributes' % (issuer))
return rse_module.add_rse_attribute(rse=rse, key=key, value=value)
def get_request_by_did(scope, name, rse, issuer):
"""
Retrieve a request by its DID for a destination RSE.
:param scope: The scope of the data identifier as a string.
:param name: The name of the data identifier as a string.
:param rse: The destination RSE of the request as a string.
:param issuer: Issuing account as a string.
:returns: Request as a dictionary.
"""
kwargs = {'scope': scope, 'name': name, 'rse': rse, 'issuer': issuer}
if not permission.has_permission(issuer=issuer, action='get_request_by_did', kwargs=kwargs):
raise exception.AccessDenied('%(issuer)s cannot retrieve the request DID %(scope)s:%(name)s to RSE %(rse)s' % locals())
return request.get_request_by_did(scope, name, rse)
def get_next(request_type, state, issuer, account):
"""
Retrieve the next request matching the request type and state.
:param request_type: Type of the request as a string.
:param state: State of the request as a string.
:param issuer: Issuing account as a string.
:param account: Account identifier as a string.
:returns: Request as a dictionary.
"""
kwargs = {'account': account, 'issuer': issuer, 'request_type': request_type, 'state': state}
if not permission.has_permission(issuer=issuer, action='get_next', kwargs=kwargs):
raise exception.AccessDenied('%(account)s cannot get the next request of type %(request_type)s in state %(state)s' % locals())
return request.get_next(request_type, state)
def cancel_request_did(scope, name, dest_rse, request_type, issuer, account):
"""
Cancel a request based on a DID and request type.
:param scope: Data identifier scope as a string.
:param name: Data identifier name as a string.
:param dest_rse: RSE name as a string.
:param request_type: Type of the request as a string.
:param issuer: Issuing account as a string.
:param account: Account identifier as a string.
"""
kwargs = {'account': account, 'issuer': issuer}
if not permission.has_permission(issuer=issuer, action='cancel_request_did', kwargs=kwargs):
raise exception.AccessDenied('%(account)s cannot cancel %(request_type)s request for %(scope)s:%(name)s' % locals())
return request.cancel_request_did(scope, name, dest_rse, request_type)
def get(section, option, issuer=None):
"""
Get an option value for the named section. Value can be auto-coerced to int, float, and bool; string otherwise.
Caveat emptor: Strings, regardless the case, matching 'on'/off', 'true'/'false', 'yes'/'no' are converted to bool.
0/1 are converted to int, and not to bool.
:param section: The name of the section.
:param option: The name of the option.
:param issuer: The issuer account.
:returns: The auto-coerced value.
"""
kwargs = {'issuer': issuer, 'section': section, 'option': option}
if not permission.has_permission(issuer=issuer, action='config_get', kwargs=kwargs):
raise exception.AccessDenied('%s cannot retrieve option %s from section %s' % (issuer, option, section))
return config.get(section, option)
