def recover_vo_root_identity(root_vo, identity_key, id_type, email, issuer, default=False, password=None, vo='def'): """ Adds a membership association between identity and the root account for given VO. :param root_vo: The VO whose root needs recovery :param identity_key: The identity key name. For example x509 DN, or a username. :param id_type: The type of the authentication (x509, gss, userpass, ssh, saml). :param email: The Email address associated with the identity. :param issuer: The issuer account. :param default: If True, the account should be used by default with the provided identity. :param password: Password if id_type is userpass. :param vo: the VO to act on. """ kwargs = {} if not has_permission( issuer=issuer, vo=vo, action='recover_vo_root_identity', kwargs=kwargs): raise exception.AccessDenied( 'Account %s can not recover root identity' % (issuer)) account = InternalAccount('root', vo=root_vo) return identity.add_account_identity(identity=identity_key, type=IdentityType.from_sym(id_type), default=default, email=email, account=account, password=password)
def check_accounts(self, test_accounts): db_identities = list_identities() for account in test_accounts: # check existence db_account = get_account(account=account['account']) assert_equal(db_account['account'], account['account']) # check properties email = account.get('email') if email: assert_equal(db_account['email'], account['email']) # check identities identities = account.get('identities') if identities: for identity in identities: # check identity creation and identity-account association identity_type = IdentityType.from_sym(identity['type']) identity = identity['identity'] assert_in((identity, identity_type), db_identities) accounts_for_identity = list_accounts_for_identity( identity, identity_type) assert_in(account['account'], accounts_for_identity) # check removal of account account = get_account(self.old_account_1) assert_equal(account['status'], AccountStatus.DELETED) # check removal of identities accounts_for_identity = list_accounts_for_identity( self.identity_to_be_removed, IdentityType.X509) assert_true(account['account'] not in accounts_for_identity)
def add_account_identity(identity_key, id_type, account, email, issuer, default=False, password=None, vo='def'): """ Adds a membership association between identity and account. :param identity_key: The identity key name. For example x509 DN, or a username. :param id_type: The type of the authentication (x509, gss, userpass, ssh, saml). :param account: The account name. :param email: The Email address associated with the identity. :param issuer: The issuer account. :param default: If True, the account should be used by default with the provided identity. :param password: Password if id_type is userpass. :param vo: the VO to act on. """ kwargs = {'identity': identity_key, 'type': id_type, 'account': account} if not permission.has_permission( issuer=issuer, vo=vo, action='add_account_identity', kwargs=kwargs): raise exception.AccessDenied( 'Account %s can not add account identity' % (issuer)) account = InternalAccount(account, vo=vo) return identity.add_account_identity(identity=identity_key, type=IdentityType.from_sym(id_type), default=default, email=email, account=account, password=password)
def import_identities(identities, account_name, old_identities, old_identity_account, account_email, session=None): for identity in identities: identity['type'] = IdentityType.from_sym(identity['type']) missing_identities = [identity for identity in identities if (identity['identity'], identity['type']) not in old_identities] missing_identity_account = [identity for identity in identities if (identity['identity'], identity['type'], account_name) not in old_identity_account] to_be_removed_identity_account = [old_identity for old_identity in old_identity_account if (old_identity[0], old_identity[1], old_identity[2]) not in [(identity['identity'], identity['type'], account_name) for identity in identities] and old_identity[2] == account_name] # add missing identities for identity in missing_identities: identity_type = identity['type'] password = identity.get('password') identity = identity['identity'] if identity_type == IdentityType.USERPASS: identity_module.add_identity(identity=identity, password=password, email=account_email, type=identity_type, session=session) elif identity_type == IdentityType.GSS or identity_type == IdentityType.SSH or identity_type == IdentityType.X509: identity_module.add_identity(identity=identity, email=account_email, type=identity_type, session=session) # add missing identity-account association for identity in missing_identity_account: identity_module.add_account_identity(identity['identity'], identity['type'], account_name, email=account_email, session=session) # remove identities from account-identity association for identity in to_be_removed_identity_account: identity_module.del_account_identity(identity=identity[0], type=identity[1], account=identity[2], session=session)
def del_identity(identity_key, id_type): """ Deletes a user identity. :param identity_key: The identity key name. For example x509 DN, or a username. :param id_type: The type of the authentication (x509, gss, userpass). """ return identity.del_identity(identity_key, IdentityType.from_sym(id_type))
def get_default_account(identity_key, id_type): """ Returns the default account for this identity. :param identity_key: The identity key name. For example x509 DN, or a username. :param id_type: The type of the authentication (x509, gss, userpass, ssh). """ return identity.get_default_account(identity_key, IdentityType.from_sym(id_type))
def add_identity(identity_key, id_type, email, password=None): """ Creates a user identity. :param identity_key: The identity key name. For example x509 DN, or a username. :param id_type: The type of the authentication (x509, gss, userpass, ssh, saml) :param email: The Email address associated with the identity. :param password: If type==userpass, this sets the password. """ return identity.add_identity(identity_key, IdentityType.from_sym(id_type), email, password=password)
def list_accounts_for_identity(identity_key, id_type): """ Returns a list of all accounts for an identity. :param identity: The identity key name. For example x509 DN, or a username. :param id_type: The type of the authentication (x509, gss, userpass, ssh). returns: A list of all accounts for the identity. """ return identity.list_accounts_for_identity(identity_key, IdentityType.from_sym(id_type))
def del_account_identity(identity_key, id_type, account): """ Removes a membership association between identity and account. :param identity_key: The identity key name. For example x509 DN, or a username. :param id_type: The type of the authentication (x509, gss, userpass). :param account: The account name. """ return identity.del_account_identity(identity_key, IdentityType.from_sym(id_type), account)
def select_account_name(identitystr, identity_type, vo=None): """ Looks for account (and VO if not known) corresponding to the provided identity. :param identitystr: identity string :param identity_type: identity_type e.g. x509, saml, oidc, userpass :returns: Tuple of None or account string, None or VO string or list of VO strings """ ui_account = None if not MULTI_VO: vo = 'def' if vo is not None: accounts = identity.list_accounts_for_identity(identitystr, identity_type) else: internal_accounts = identity_core.list_accounts_for_identity( identitystr, IdentityType.from_sym(identity_type)) accounts = [account.external for account in internal_accounts] vos = [account.vo for account in internal_accounts] if vos: vos = list(set(vos)) # If we only have 1 VO that matches the identity use that, otherwise return all possible VOs so the user can choose if len(vos) == 1: vo = vos[0] else: return None, vos if len(accounts) == 0: return None, vo # check if ui_account param is set if 'ui_account' in input(): ui_account = input()['ui_account'] # if yes check if the accounts provided for users identity include this account if not ui_account and 'account' in input(): ui_account = input()['account'] if ui_account: if ui_account not in accounts: return None, vo else: return ui_account, vo else: # try to set the default account to the user account, if not available take the first account. def_account = accounts[0] for account in accounts: account_info = get_account_info(account, vo=vo) if account_info.account_type == AccountType.USER: def_account = account break selected_account = cookies().get('rucio-selected-account') if (selected_account): def_account = selected_account ui_account = def_account return ui_account, vo
def del_identity(identity_key, id_type, issuer): """ Deletes a user identity. :param identity_key: The identity key name. For example x509 DN, or a username. :param id_type: The type of the authentication (x509, gss, userpass, ssh, saml). :param issuer: The issuer account. """ id_type = IdentityType.from_sym(id_type) kwargs = {'accounts': identity.list_accounts_for_identity(identity_key, id_type)} if not permission.has_permission(issuer=issuer, action='del_identity', kwargs=kwargs): raise exception.AccessDenied('Account %s can not delete identity' % (issuer)) return identity.del_identity(identity_key, id_type)
def del_account_identity(identity_key, id_type, account, issuer): """ Removes a membership association between identity and account. :param identity_key: The identity key name. For example x509 DN, or a username. :param id_type: The type of the authentication (x509, gss, userpass, ssh, saml). :param account: The account name. :param issuer: The issuer account. """ kwargs = {'account': account} if not permission.has_permission(issuer=issuer, action='del_account_identity', kwargs=kwargs): raise exception.AccessDenied('Account %s can not delete account identity' % (issuer)) account = InternalAccount(account) return identity.del_account_identity(identity_key, IdentityType.from_sym(id_type), account)
def add_vo(vo, description, password, email, session=None): """ Add a VO and setup a new root user. New root user will have account name 'root' and a userpass identity with username: '******' and password from the rootpass parameter :param vo: 3-letter unique tag for a VO. :param descrition: Descriptive string for the VO (e.g. Full name). :param email: Contact email for the VO. :param password: The password to set for the root user of the new VO :param session: The db session in use. """ if len(vo) != 3: raise exception.RucioException('Invalid VO tag, must be 3 chars.') new_vo = models.VO(vo=vo, description=description, email=email) try: new_vo.save(session=session) except IntegrityError: raise exception.Duplicate('VO {} already exists!'.format(vo)) except DatabaseError as error: raise exception.RucioException(error.args) from rucio.core.account import add_account, list_identities from rucio.core.identity import add_account_identity new_root = InternalAccount('root', vo=vo) add_account(account=new_root, type=AccountType.from_sym('SERVICE'), email=email, session=session) add_account_identity(identity='root@{}'.format(vo), type=IdentityType.from_sym('userpass'), account=new_root, email=email, default=False, password=password, session=session) for ident in list_identities(account=InternalAccount('super_root', vo='def'), session=session): add_account_identity(identity=ident['identity'], type=ident['type'], account=new_root, email='', session=session)