from PLC.Parameter import Parameter, Mixed
from PLC.Auth import Auth
-from PLC.SliceTags import SliceTag, SliceTags
+from PLC.TagTypes import TagTypes, TagType
from PLC.Nodes import Node
from PLC.Slices import Slice, Slices
+from PLC.SliceTags import SliceTag, SliceTags
from PLC.InitScripts import InitScript, InitScripts
from PLC.AuthorizeHelpers import AuthorizeHelpers
+# need to import so the core classes get decorated with caller_may_write_tag
+from PLC.AuthorizeHelpers import AuthorizeHelpers
+
class UpdateSliceTag(Method):
"""
Updates the value of an existing slice or sliver attribute.
raise PLCInvalidArgument, "No such slice attribute"
slice_tag = slice_tags[0]
+ tag_type_id = slice_tag['tag_type_id']
+ tag_type = TagTypes (self.api,[tag_type_id])[0]
+
slices = Slices(self.api, [slice_tag['slice_id']])
if not slices:
- raise PLCInvalidArgument, "No such slice"
+ raise PLCInvalidArgument, "No such slice %d"%slice_tag['slice_id']
slice = slices[0]
assert slice_tag['slice_tag_id'] in slice['slice_tag_ids']
# check authorizations
node_id_or_hostname=slice_tag['node_id']
nodegroup_id_or_name=slice_tag['nodegroup_id']
- granted=False
- if 'admin' in self.caller['roles']:
- granted=True
- # does caller have right role(s) ? this knows how to deal with self.caller being a node
- elif not AuthorizeHelpers.caller_may_access_tag_type (self.api, self.caller, tag_type):
- granted=False
- # node callers: check the node is in the slice
- elif isinstance(self.caller, Node):
- # nodes can only set their own sliver tags
- if node_id_or_hostname is None:
- granted=False
- elif not AuthorizeHelpers.node_match_id (self.api, self.caller, node_id_or_hostname):
- granted=False
- elif not AuthorizeHelpers.node_in_slice (self.api, self.caller, slice):
- granted=False
- # caller is a non-admin person
- else:
- # only admins can handle slice tags on a nodegroup
- if nodegroup_id_or_name:
- raise PLCPermissionDenied, "%s, cannot set slice tag %s on nodegroup - restricted to admins"%\
- (self.name,tag_type['tagname'])
- # if a node is specified it is expected to be in the slice
- if node_id_or_hostname:
- if not AuthorizeHelpers.node_id_in_slice (self.api, node_id_or_hostname, slice):
- raise PLCPermissionDenied, "%s, node must be in slice when setting sliver tag"
- # try all roles to find a match - tech are ignored b/c not in AddSliceTag.roles anyways
- for role in AuthorizeHelpers.person_tag_type_common_roles(self.api,self.caller,tag_type):
- # regular users need to be in the slice
- if role=='user':
- if AuthorizeHelpers.person_in_slice(self.api, self.caller, slice):
- granted=True ; break
- # for convenience, pi's can tweak all the slices in their site
- elif role=='pi':
- if AuthorizeHelpers.slice_belongs_to_pi (self.api, slice, self.caller):
- granted=True ; break
- if not granted:
- raise PLCPermissionDenied, "%s, forbidden tag %s"%(self.name,tag_type['tagname'])
+ slice.caller_may_write_tag(self.api,self.caller,tag_type,node_id_or_hostname,nodegroup_id_or_name)
if slice_tag['tagname'] in ['initscript']:
initscripts = InitScripts(self.api, {'enabled': True, 'name': value})
git://git.onelab.eu / plcapi.git / blobdiff