node can change its own tag
protect for when caller does not have 'roles'
def slice_belongs_to_pi (api, slice, pi):
return slice['site_id'] in pi['site_ids']
def slice_belongs_to_pi (api, slice, pi):
return slice['site_id'] in pi['site_ids']
+ @staticmethod
+ def caller_is_node (api, caller, node):
+ return 'node_id' in caller and caller['node_id']==node['node_id']
+
# authorization methods - check if a given caller can set tag on this object
# called in {Add,Update,Delete}<Class>Tags methods, and in the accessors created in factory
# attach these as <Class>.caller_may_write_tag so accessors can find it
def caller_may_write_node_tag (node, api, caller, tag_type):
# authorization methods - check if a given caller can set tag on this object
# called in {Add,Update,Delete}<Class>Tags methods, and in the accessors created in factory
# attach these as <Class>.caller_may_write_tag so accessors can find it
def caller_may_write_node_tag (node, api, caller, tag_type):
- if 'admin' in caller['roles']:
+ if 'roles' in caller and 'admin' in caller['roles']:
pass
elif not AuthorizeHelpers.caller_may_access_tag_type (api, caller, tag_type):
raise PLCPermissionDenied, "Role mismatch for writing tag %s"%(tag_type['tagname'])
elif AuthorizeHelpers.node_belongs_to_person (api, node, caller):
pass
pass
elif not AuthorizeHelpers.caller_may_access_tag_type (api, caller, tag_type):
raise PLCPermissionDenied, "Role mismatch for writing tag %s"%(tag_type['tagname'])
elif AuthorizeHelpers.node_belongs_to_person (api, node, caller):
pass
+ elif AuthorizeHelpers.caller_is_node (api, caller, node):
+ pass
else:
raise PLCPermissionDenied, "Writing node tag: must belong in the same site as %s"%\
(node['hostname'])
else:
raise PLCPermissionDenied, "Writing node tag: must belong in the same site as %s"%\
(node['hostname'])
def caller_may_write_interface_tag (interface, api, caller, tag_type):
def caller_may_write_interface_tag (interface, api, caller, tag_type):
- if 'admin' in caller['roles']:
+ if 'roles' in caller and 'admin' in caller['roles']:
pass
elif not AuthorizeHelpers.caller_may_access_tag_type (api, caller, tag_type):
raise PLCPermissionDenied, "Role mismatch for writing tag %s"%(tag_type['tagname'])
pass
elif not AuthorizeHelpers.caller_may_access_tag_type (api, caller, tag_type):
raise PLCPermissionDenied, "Role mismatch for writing tag %s"%(tag_type['tagname'])
def caller_may_write_site_tag (site, api, caller, tag_type):
def caller_may_write_site_tag (site, api, caller, tag_type):
- if 'admin' in caller['roles']:
+ if 'roles' in caller and 'admin' in caller['roles']:
pass
elif not AuthorizeHelpers.caller_may_access_tag_type (api, caller, tag_type):
raise PLCPermissionDenied, "Role mismatch for writing tag %s"%(tag_type['tagname'])
pass
elif not AuthorizeHelpers.caller_may_access_tag_type (api, caller, tag_type):
raise PLCPermissionDenied, "Role mismatch for writing tag %s"%(tag_type['tagname'])
def caller_may_write_person_tag (person, api, caller, tag_type):
def caller_may_write_person_tag (person, api, caller, tag_type):
- if 'admin' in caller['roles']:
+ if 'roles' in caller and 'admin' in caller['roles']:
pass
# user can change tags on self
elif AuthorizeHelpers.person_may_access_person (api, caller, person):
pass
# user can change tags on self
elif AuthorizeHelpers.person_may_access_person (api, caller, person):
def caller_may_write_slice_tag (slice, api, caller, tag_type, node_id_or_hostname=None, nodegroup_id_or_name=None):
granted=False
def caller_may_write_slice_tag (slice, api, caller, tag_type, node_id_or_hostname=None, nodegroup_id_or_name=None):
granted=False
- if 'admin' in caller['roles']:
+ if 'roles' in caller and 'admin' in caller['roles']:
granted=True
# does caller have right role(s) ? this knows how to deal with caller being a node
elif not AuthorizeHelpers.caller_may_access_tag_type (api, caller, tag_type):
granted=True
# does caller have right role(s) ? this knows how to deal with caller being a node
elif not AuthorizeHelpers.caller_may_access_tag_type (api, caller, tag_type):
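Review bot: In `caller_may_write_node_tag` the new `caller_is_node` branch sits after `node_belongs_to_person (api, node, caller)`, so for a node caller that helper runs first with a node record in the person slot. Its body is not shown here, but if it indexes person-only keys the way `slice_belongs_to_pi` indexes `pi['site_ids']`, a node caller would presumably fail there before reaching the branch meant for it; testing `elif AuthorizeHelpers.caller_is_node (api, caller, node): pass` ahead of the person-membership check removes that dependency. With this branch the only limit on which of its own tags a node can write is `caller_may_access_tag_type`, which deserves a comment above `caller_is_node` such as `# a node may write tags on itself only; which tag types is decided by caller_may_access_tag_type`. The guard `'roles' in caller and 'admin' in caller['roles']` is repeated in the node, interface, site, person and slice variants and could live in one helper, so the five checks cannot drift apart.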
pldistro = GetNodePldistro (self.api,self.caller).call(auth, node_id)
if not pldistro:
pldistro = self.api.config.PLC_FLAVOUR_NODE_PLDISTRO
pldistro = GetNodePldistro (self.api,self.caller).call(auth, node_id)
if not pldistro:
pldistro = self.api.config.PLC_FLAVOUR_NODE_PLDISTRO
- SetNodePldistro(self.api).call(auth,node_id,pldistro)
+ SetNodePldistro(self.api,self.caller).call(auth,node_id,pldistro)
# xxx would make sense to check the corresponding bootstrapfs is available
return "%s-%s-%s"%(pldistro,fcdistro,arch)
# xxx would make sense to check the corresponding bootstrapfs is available
return "%s-%s-%s"%(pldistro,fcdistro,arch)
# if not set, use the global default and tag the node, in case the global default changes later on
if not arch:
arch = self.api.config.PLC_FLAVOUR_NODE_ARCH
# if not set, use the global default and tag the node, in case the global default changes later on
if not arch:
arch = self.api.config.PLC_FLAVOUR_NODE_ARCH
- SetNodeArch (self.api).call(auth,node_id,arch)
+ SetNodeArch (self.api,self.caller).call(auth,node_id,arch)
fcdistro = GetNodeFcdistro (self.api,self.caller).call(auth, node_id)
if not fcdistro:
fcdistro = self.api.config.PLC_FLAVOUR_NODE_FCDISTRO
fcdistro = GetNodeFcdistro (self.api,self.caller).call(auth, node_id)
if not fcdistro:
fcdistro = self.api.config.PLC_FLAVOUR_NODE_FCDISTRO
- SetNodeFcdistro (self.api).call (auth, node_id, fcdistro)
+ SetNodeFcdistro (self.api,self.caller).call (auth, node_id, fcdistro)
# xxx could use some sanity checking, and could provide fallbacks
return { 'nodefamily' : self.nodefamily(auth,node_id, fcdistro, arch),
# xxx could use some sanity checking, and could provide fallbacks
return { 'nodefamily' : self.nodefamily(auth,node_id, fcdistro, arch),
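Review bot: Passing `self.caller` to `SetNodePldistro`, `SetNodeArch` and `SetNodeFcdistro` puts the default-tagging write under the caller's tag-write authorization, so a caller who may read a node's flavour but may not write its tags would presumably get a permission error from what is otherwise a read path. If persisting the default is meant to be best-effort, catch the permission exception around each setter call (`PLCPermissionDenied`, if that is what the accessors raise) and still return the configured default. If it is meant to be enforced, say so in a comment above the first setter, for example `# the write is authorized as the caller; callers without tag-write rights are rejected here`. The enclosing methods start and end outside the visible lines, so which roles may call them cannot be checked from this page.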