from PLC.NodeGroups import NodeGroup, NodeGroups
from PLC.InitScripts import InitScript, InitScripts
+# need to import so the core classes get decorated with caller_may_write_tag
from PLC.AuthorizeHelpers import AuthorizeHelpers
class AddSliceTag(Method):
Non-admins need to have at least one of the roles
attached to the tagtype. In addition:
(*) Users may only set tags of slices or slivers of which they are members.
- (*) PIs may only set tags of slices or slivers at their sites, or of which they
- are members.
- (*) techs may only set tags of slivers at their sites.
+ (*) PIs may only set tags of slices in their site
+ (*) techs cannot use this method
Returns the new slice_tag_id (> 0) if successful, faults
otherwise.
tag_type = tag_types[0]
# check authorizations
- if 'admin' not in self.caller['roles']:
- # this knows how to deal with self.caller being a node
- if not AuthorizeHelpers.caller_may_access_tag_type (self.api, self.caller, tag_type):
- raise PLCPermissionDenied, "%s, forbidden tag %s"%(self.name,tag_type['tagname'])
- # node callers: check the node is in the slice
- if isinstance(self.caller, Node):
- granted=AuthorizeHelpers.node_in_slice (self.api, self.caller, slice)
- else:
- if nodegroup_id_or_name:
- raise PLCPermissionDenied, "%s, cannot set slice tag on nodegroup"%self.name
- # try all roles to find a match
- granted=False
- for role in self.caller['roles']:
- if role=='pi':
- if AuthorizeHelpers.person_in_slice(self.api, self.caller, slice):
- granted=True ; break
- if node_id_or_hostname is not None and \
- AuthorizeHelpers.node_id_or_hostname_in_slice(self.api, node_id_or_hostname_in_slice, slice):
- granted=True ; break
- elif role=='user':
- if AuthorizeHelpers.person_in_slice(self.api, self.caller, slice):
- granted=True ; break
- elif role=='tech':
- if node_id_or_hostname is not None and \
- AuthorizeHelpers.node_id_or_hostname_in_slice(self.api, node_id_or_hostname_in_slice, slice):
- granted=True ; break
- if not granted:
- raise PLCPermissionDenied, "%s, forbidden tag %s"%(self.name,tag_type['tagname'])
+ slice.caller_may_write_tag (self.api,self.caller,tag_type,node_id_or_hostname,nodegroup_id_or_name)
# if initscript is specified, validate value
if tag_type['tagname'] in ['initscript']: