X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=sfa%2Ftrust%2Frights.py;h=eb0bb74720b4b48bbc0c95d21f43c4a92857e634;hb=862dfa7f7b8cce8c17e80c42aedd8d500ea86cb6;hp=59324e8d6e3bc28fc7ca3eb538545dd855243e39;hpb=952322d76247f8991f3c2688ed7e1f5a22ca4572;p=sfa.git
diff --git a/sfa/trust/rights.py b/sfa/trust/rights.py
index 59324e8d..eb0bb747 100644
--- a/sfa/trust/rights.py
+++ b/sfa/trust/rights.py
@@ -4,7 +4,7 @@
 #
 # Right - represents a single right
 #
-# RightList - represents a list of rights
+# Rights - represents a list of rights
 #
 # A right may allow several different operations. For example, the "info" right
 # allows "listslices", "listcomponentresources", etc.
@@ -24,9 +24,11 @@ privilege_table = {"authority": ["register", "remove", "update", "resolve", "lis "sa": ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "deleteslice", "deletesliver", "updateslice", "getsliceresources", "getticket", "loanresources", "stopslice", "startslice", "renewsliver", "deleteslice", "deletesliver", "resetslice", "listslices", "listnodes", "getpolicy", "sliverstatus"], - "embed": ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "renewsliver", "deleteslice", "deletesliver", "updateslice", "sliverstatus", "getsliceresources", "shutdown"], + "embed": ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "renewsliver", "deleteslice", + "deletesliver", "updateslice", "sliverstatus", "getsliceresources", "shutdown"], "bind": ["getticket", "loanresources", "redeemticket"], - "control": ["updateslice", "createslice", "createsliver", "renewsliver", "sliverstatus", "stopslice", "startslice", "deleteslice", "deletesliver", "resetslice", "getsliceresources", "getgids"], + "control": ["updateslice", "createslice", "createsliver", "renewsliver", "sliverstatus", "stopslice", "startslice", + "deleteslice", "deletesliver", "resetslice", "getsliceresources", "getgids"], "info": ["listslices", "listnodes", "getpolicy"], "ma": ["setbootstate", "getbootstate", "reboot", "getgids", "gettrustedcerts"], "operator": ["gettrustedcerts", "getgids"], 
@@ -35,17 +37,17 @@ privilege_table = {"authority": ["register", "remove", "update", "resolve", "lis ## -# Determine tje rights that an object should have. The rights are entirely +# Determine the rights that an object should have. The rights are entirely # dependent on the type of the object. For example, users automatically # get "refresh", "resolve", and "info". # # @param type the type of the object (user | sa | ma | slice | node) # @param name human readable name of the object (not used at this time) # -# @return RightList object containing rights +# @return Rights object containing rights def determine_rights(type, name): - rl = RightList() + rl = Rights() # rights seem to be somewhat redundant with the type of the credential. # For example, a "sa" credential implies the authority right, because @@ -55,10 +57,10 @@ def determine_rights(type, name): rl.add("refresh") rl.add("resolve") rl.add("info") - elif type == "sa": + elif type in ["sa", "authority+sa"]: rl.add("authority") rl.add("sa") - elif type == "ma": + elif type in ["ma", "authority+ma", "cm", "authority+cm", "sm", "authority+sm"]: rl.add("authority") rl.add("ma") elif type == "authority": @@ -71,6 +73,7 @@ def determine_rights(type, name): rl.add("bind") rl.add("control") rl.add("info") +# wouldn't that be authority+cm instead ? elif type == "component": rl.add("operator") return rl @@ -132,9 +135,9 @@ class Right: return True ## -# A RightList object represents a list of privileges. +# A Rights object represents a list of privileges. -class RightList: +class Rights: ## # Create a new rightlist object, containing no rights. # @@ -198,6 +201,7 @@ class RightList: # @param op_name is an operation to check, for example "listslices" def can_perform(self, op_name): + for right in self.rights: if right.can_perform(op_name): return True @@ -217,6 +221,7 @@ class RightList: for my_right in self.rights: if my_right.is_superset(child_right): allowed = True + break if not allowed: return False return True 
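Review bot: In the hunk at `@@ -55,10 +57,10 @@`, the new branch `elif type in ["ma", "authority+ma", "cm", "authority+cm", "sm", "authority+sm"]:` gives the `cm` and `sm` credential types the same `authority` and `ma` rights as a management authority. Per `privilege_table` that covers `register`/`remove`/`update` as well as `setbootstate` and `reboot`. Nothing visible here states that this widening is intended, so the branch should carry a comment saying so, for example `# cm and sm credentials are deliberately treated as ma: authority + ma rights`. The `@param type` line in the header comment still lists only `(user | sa | ma | slice | node)` and should name the newly accepted values. An unrecognised type still falls through to an empty `Rights`, which is the safe default and worth keeping; the body of `determine_rights` starts and ends outside this hunk.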
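Review bot: In the hunk at `@@ -71,6 +73,7 @@`, the added line `# wouldn't that be authority+cm instead ?` leaves an open question inside the rights mapping, directly above `elif type == "component":`. The two readings differ widely in privilege: `component` receives only `operator`, while `authority+cm` is matched by the earlier branch in the preceding hunk and receives `authority` and `ma`. Settle which type string component credentials actually carry before this lands. Otherwise replace the question with a tracked marker indented with the chain, such as `# TODO(owner): confirm "component" is still issued; "authority+cm" is mapped to authority+ma above`. The if/elif chain begins outside this hunk.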
@@ -242,47 +247,3 @@ class RightList: return False return True - - - ## - # Determine the rights that an object should have. The rights are entirely - # dependent on the type of the object. For example, users automatically - # get "refresh", "resolve", and "info". - # - # @param type the type of the object (user | sa | ma | slice | node) - # @param name human readable name of the object (not used at this time) - # - # @return RightList object containing rights - - def determine_rights(self, type, name): - rl = RightList() - - # rights seem to be somewhat redundant with the type of the credential. - # For example, a "sa" credential implies the authority right, because - # a sa credential cannot be issued to a user who is not an owner of - # the authority - - if type == "user": - rl.add("refresh") - rl.add("resolve") - rl.add("info") - elif type == "sa": - rl.add("authority") - rl.add("sa") - elif type == "ma": - rl.add("authority") - rl.add("ma") - elif type == "authority": - rl.add("authority") - rl.add("sa") - rl.add("ma") - elif type == "slice": - rl.add("refresh") - rl.add("embed") - rl.add("bind") - rl.add("control") - rl.add("info") - elif type == "component": - rl.add("operator") - - return rl