2 # This Module implements rights and lists of rights for the Geni wrapper. Rights
3 # are implemented by two classes:
5 # Right - represents a single right
7 # RightList - represents a list of rights
9 # A right may allow several different operations. For example, the "info" right
10 # allows "listslices", "listcomponentresources", etc.
14 # privilege_table maps each privilege to the operations it allows
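# Authorization policy: privilege name -> operations that privilege allows.
# Right.can_perform looks a right's kind up here (lower-cased) and tests
# membership of the operation name, so this table is the single place that
# decides what a credential may do.  Note that no entry contains the "*"
# wildcard that can_perform/is_superset honour; nothing in the shipped table
# grants every operation.
privilege_table = {
    "authority": ["register", "remove", "update", "resolve", "list", "getcredential"],
    "refresh": ["remove", "update"],
    "resolve": ["resolve", "list", "getcredential"],
    # "getticket" and "deleteslice" were listed twice; membership tests were
    # unaffected, but a policy table should name each operation once.
    "sa": ["getticket", "redeemslice", "createslice", "deleteslice", "updateslice",
           "getsliceresources", "loanresources", "stopslice", "startslice",
           "resetslice", "listslices", "listnodes", "getpolicy"],
    "embed": ["getticket", "redeemslice", "createslice", "deleteslice", "updateslice", "getsliceresources"],
    "bind": ["getticket", "loanresources"],
    "control": ["updateslice", "createslice", "stopslice", "startslice", "deleteslice", "resetslice", "getsliceresources"],
    "info": ["listslices", "listnodes", "getpolicy"],
    "ma": ["setbootstate", "getbootstate", "reboot"],
}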
31 # Determine the rights that an object should have. The rights are entirely
32 # dependent on the type of the object. For example, users automatically
33 # get "refresh", "resolve", and "info".
35 # @param type the type of the object (user | sa | ma | slice | node; the branches below also handle "authority" and "component")
36 # @param name human readable name of the object (not used at this time)
38 # @return RightList object containing rights
40 def determine_rights(type, name):
# Build the RightList an object of the given type is issued.  Visible cases:
# "authority" gets "authority,sa,ma"; two earlier branches grant
# "authority,sa" and "authority,ma" (their conditions are not shown here),
# and a "component" case follows.  `rl` is the RightList being filled in —
# presumably created just above these lines; confirm.
# NOTE(review): the grants are comma-separated strings, so they only take
# effect if RightList.add splits on ","; a single Right of kind
# "authority,sa" has no privilege_table entry and authorizes nothing.
43 # rights seem to be somewhat redundant with the type of the credential.
44 # For example, a "sa" credential implies the authority right, because
45 # a sa credential cannot be issued to a user who is not an owner of
52 rl.add("authority,sa")
54 rl.add("authority,ma")
55 elif type == "authority":
56 rl.add("authority,sa,ma")
63 elif type == "component":
69 # The Right class represents a single privilege.
77 # @param kind is a string naming the right. For example "control"
79 def __init__(self, kind):
# kind: string naming the right, e.g. "control".  can_perform and
# is_superset look it up lower-cased as a privilege_table key, so a kind
# with no table entry never authorizes an operation.  (The assignment to
# self.kind is expected to follow here — confirm.)
83 # Test to see if this right object is allowed to perform an operation.
84 # Returns True if the operation is allowed, False otherwise.
86 # @param op_name is a string naming the operation. For example "listslices".
88 def can_perform(self, op_name):
# Return whether this single right allows op_name.  Both the right's kind
# and the operation name are compared lower-cased against privilege_table.
89 allowed_ops = privilege_table.get(self.kind.lower(), None)
# NOTE(review): an unknown kind yields None here; the handling of that case
# is not visible — confirm it denies (returns False) before the tests below,
# since `"*" in None` would raise TypeError.
93 # if "*" is specified, then all ops are permitted
94 if "*" in allowed_ops:
# (no entry of privilege_table currently contains "*"; this is a wildcard
# hook rather than something the shipped table exercises)
97 return (op_name.lower() in allowed_ops)
100 # Test to see if this right is a superset of a child right. A right is a
101 # superset if every operation that is allowed by the child is also allowed
104 # @param child is a Right object describing the child right
106 def is_superset(self, child):
# Return whether every operation allowed to `child` is also allowed to this
# right, by comparing the two privilege_table entries (kinds lower-cased).
107 my_allowed_ops = privilege_table.get(self.kind.lower(), None)
108 child_allowed_ops = privilege_table.get(child.kind.lower(), None)
# NOTE(review): nothing visible here guards against a None lookup (unknown
# kind on either side) before the `in` test and the loop below; `"*" in None`
# and `for right in None` raise TypeError.  Confirm whether callers rely on
# that exception or expect a plain False (deny).
110 if "*" in my_allowed_ops:
# A wildcard on the child side is not special-cased: "*" is simply not in
# the parent's operation list, so such a child is (correctly) not covered.
113 for right in child_allowed_ops:
114 if not right in my_allowed_ops:
120 # A RightList object represents a list of privileges.
124 # Create a new rightlist object, containing no rights.
126 # @param string if string!=None, load the rightlist from the string
128 def __init__(self, string=None):
# Start with no rights; when `string` is given it is parsed by
# load_from_string.  (The initialisation of self.rights between these two
# lines is not shown — confirm it creates a fresh list per instance.)
131 self.load_from_string(string)
134 return self.rights == []
137 # Add a right to this list
139 # @param right is either a Right object or a string describing the right
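def add(self, right):
    """Append a right to this list.

    ``right`` is either a Right object, appended unchanged, or a string.
    A string is split on "," — the same separator load_from_string and
    save_to_string use — and one Right is created per part, so a caller
    writing ``rl.add("authority,sa")`` gets the two rights it names.
    Previously the whole string became the kind of a single Right;
    "authority,sa" has no privilege_table entry, so such a grant could
    never authorize an operation.  Parts are not stripped, matching
    load_from_string.
    """
    if isinstance(right, str):
        # Mirror load_from_string: one Right per comma-separated name.
        for kind in right.split(","):
            self.rights.append(Right(kind=kind))
        return
    self.rights.append(right)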
147 # Load the rightlist object from a string
149 def load_from_string(self, string):
# Parse a comma-separated list of right names into Right objects appended
# to self.rights.  Parts are used verbatim (no whitespace stripping), so a
# name with surrounding spaces will not match any privilege_table entry and
# grants nothing — fail-closed, but easy to trip over when hand-editing.
152 # none == no rights, so leave the list empty
156 parts = string.split(",")
158 self.rights.append(Right(part))
161 # Save the rightlist object to a string. It is saved in the format of a
162 # comma-separated list.
def save_to_string(self):
    """Serialize this list as a comma-separated string of right kinds.

    Each Right contributes its ``kind`` in list order, mirroring the
    "," separator load_from_string parses; an empty list yields "".
    """
    return ",".join(right.kind for right in self.rights)
172 # Check to see if some right in this list allows an operation. This is
173 # done by evaluating the can_perform function of each right in the
176 # @param op_name is an operation to check, for example "listslices"
178 def can_perform(self, op_name):
# Allow op_name if any right in the list allows it; each right applies the
# same privilege_table lookup.  The return statements following the loop are
# not shown here — presumably True on the first match and False otherwise;
# confirm an empty list denies.
179 for right in self.rights:
180 if right.can_perform(op_name):
185 # Check to see if all of the rights in this rightlist are a superset
186 # of all the rights in a child rightlist. A rightlist is a superset
187 # if there is no operation in the child rightlist that cannot be
188 # performed in the parent rightlist.
190 # @param child is a rightlist object describing the child
192 def is_superset(self, child):
# Every right in `child` must be covered by at least one right in this list.
# A child right that no parent right is a superset of should fail the whole
# check; the bookkeeping after the inner loop is not shown here — confirm it
# denies in that case rather than only recording the last match.  With no
# child rights there is nothing to cover.
193 for child_right in child.rights:
195 for my_right in self.rights:
196 if my_right.is_superset(child_right):
204 # Determine the rights that an object should have. The rights are entirely
205 # dependent on the type of the object. For example, users automatically
206 # get "refresh", "resolve", and "info".
208 # @param type the type of the object (user | sa | ma | slice | node; the branches below also handle "authority", "slice" and "component")
209 # @param name human readable name of the object (not used at this time)
211 # @return RightList object containing rights
213 def determine_rights(self, type, name):
# Build the RightList an object of the given type is issued.  Visible cases:
# "authority" gets "authority,sa,ma"; two earlier branches grant
# "authority,sa" and "authority,ma" (their conditions are not shown here),
# followed by "slice" and "component" cases.  `rl` is the RightList being
# filled in — presumably created just above these lines; confirm.
# NOTE(review): this duplicates the module-level determine_rights function
# defined earlier in this file; keep a single source of truth so the two
# policies cannot drift apart.  The comma-separated grants only take effect
# if RightList.add splits on ","; a single Right of kind "authority,sa" has
# no privilege_table entry and authorizes nothing.
216 # rights seem to be somewhat redundant with the type of the credential.
217 # For example, a "sa" credential implies the authority right, because
218 # a sa credential cannot be issued to a user who is not an owner of
226 rl.add("authority,sa")
228 rl.add("authority,ma")
229 elif type == "authority":
230 rl.add("authority,sa,ma")
231 elif type == "slice":
237 elif type == "component":