From f0000eca19ca3ec26fdc6d7d207bcd48c189d07d Mon Sep 17 00:00:00 2001
From: Thierry Parmentelat
Date: Fri, 19 Nov 2010 17:05:23 +0100
Subject: [PATCH] accessors and db-config.d tags roughly OK
---
 Makefile | 2 +-
 PLC/Accessor.py | 13 ++++--
 PLC/Accessors/Factory.py | 13 ++++--
 PLC/Methods/AddNodeTag.py | 2 +-
 PLC/Methods/AddSliceTag.py | 2 +-
 PLC/Methods/GetTagTypes.py | 6 +--
 PLC/Nodes.py | 3 --
 db-config.d/000-functions | 3 ++
 db-config.d/010-node_tags | 4 +-
 db-config.d/010-slice_tags | 86 +++++++++++++------------------------
 10 files changed, 58 insertions(+), 76 deletions(-)
diff --git a/Makefile b/Makefile
index 30d76e23..c459e85c 100644
--- a/Makefile
+++ b/Makefile
@@ -49,7 +49,7 @@ force:
 #################### devel tools
 tags:
- find . '(' -name '*.py' -o -name '*.sql' -o -name '*.php' -o -name Makefile ')' | xargs etags
+ find . '(' -name '*.py' -o -name '*.sql' -o -name '*.php' -o -name Makefile -o -name '[0-9][0-9][0-9]*' ')' | xargs etags
 .PHONY: tags
diff --git a/PLC/Accessor.py b/PLC/Accessor.py
index 0a499b58..39e7872d 100644
--- a/PLC/Accessor.py
+++ b/PLC/Accessor.py
@@ -10,6 +10,7 @@ # as the cached information then becomes wrong
 from PLC.TagTypes import TagTypes, TagType
+from PLC.Roles import Roles, Role
 # implementation
 class Accessor (object) :
@@ -29,7 +30,7 @@ This is implemented as a singleton, so we can cache results over time"""
 def get_cache (self,tagname): return self.cache[tagname]
 def set_cache (self,tagname,tag_id): self.cache[tagname]=tag_id
- def locate_or_create_tag (self,tagname,category, description, min_role_id):
+ def locate_or_create_tag (self, tagname, category, description, roles):
 "search tag type from tagname & create if needed"
 # cached ?
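Review bot: The new signature `locate_or_create_tag (self, tagname, category, description, roles)` keeps the old one-line docstring, which says nothing about what `roles` is; from the `%r` message and the db-config.d entries elsewhere in this patch it is a list of role names, and a reader of this hunk cannot tell whether an empty list is acceptable. Extending the docstring to `"search tag type from tagname & create if needed; roles: list of role names attached to a newly created tag type (apparently not applied when the tag type already exists, since the role loop sits on the create path)"` would state the contract where callers look for it. `Role` is imported alongside `Roles` in the first hunk of this file but only `Roles` is used by the new code in the next hunk. The method body continues in the next hunk.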
@@ -43,10 +44,16 @@ This is implemented as a singleton, so we can cache results over time"""
 # not found: create it
 tag_type_fields = {'tagname':tagname,
 'category' : category,
- 'description' : description,
- 'min_role_id': min_role_id}
+ 'description' : description}
 tag_type = TagType (self.api, tag_type_fields)
 tag_type.sync()
+ for role in roles:
+ try:
+ role_obj=Roles (self.api, role)[0]
+ tag_type.add_role(role_obj)
+ except:
+ # xxx todo find a more appropriate way of notifying this
+ print "Accessor.locate_or_create_tag: Could not add role %r to tag_type %s"%(role,tagname)
 tag_type_id = tag_type['tag_type_id']
 self.set_cache(tagname,tag_type_id)
 return tag_type_id
diff --git a/PLC/Accessors/Factory.py b/PLC/Accessors/Factory.py
index 1c6d03e1..ad79a997 100644
--- a/PLC/Accessors/Factory.py
+++ b/PLC/Accessors/Factory.py
@@ -58,17 +58,22 @@ tech_roles = [ 'admin', 'pi', 'tech' ]
 # The expose_in_api flag tells whether this tag may be handled
 # through the Add/Get/Update methods as a native field
 #
-# note: tag_min_role_id gets attached to the tagtype instance,
+# note: roles get attached to the tagtype instance,
 # while get_roles and set_roles get attached to the created methods
 # this might need a cleanup
 #
 # in addition a convenience method like e.g. LocateNodeArch is defined
 # in the Accessor class; its purpose is to retrieve the tag, or to create it if needed
+#
+# Legacy NOTE:
+# prior to plcapi-5.0-19, this used to accept an additional argument
+# named min_role_id; this was redundant and confusing, it has been
+# removed, we now use set_roles to restrict access on the corresponding tag
 def define_accessors (module, objclass, methodsuffix, tagname, category, description,
- get_roles=['admin'], set_roles=['admin'],
- tag_min_role_id=10, expose_in_api = False):
+ get_roles=['admin'], set_roles=['admin'],
+ expose_in_api = False):
 if objclass not in taggable_classes:
 try:
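Review bot: The bare `except:` wrapped around `Roles (self.api, role)[0]` and `tag_type.add_role(role_obj)` turns a failed role attachment into a `print` and carries on, so `locate_or_create_tag` still caches and returns a tag type that lacks part of the role restriction it was asked to create; since `roles` is what replaces `min_role_id` as the access rule on the tag, that failure should reach the caller rather than stdout. Narrow the clause to what is actually expected here — presumably an unknown role name, which would surface as an `IndexError` from the `[0]` — and let everything else propagate: `except IndexError:` followed by the existing message, or better raise one of the PLC fault classes (e.g. `PLCInvalidArgument`) so a misconfigured tag type is not silently created with weaker access than intended. A bare `except:` also swallows `SystemExit` and `KeyboardInterrupt`. `locate_or_create_tag` begins in the previous hunk.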
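Review bot: `get_roles=['admin']` and `set_roles=['admin']` are mutable default lists shared by every `define_accessors` call, and the next hunk now hands `set_roles` straight to `locate_or_create_tag` as the role list stored on the tag type; nothing visible mutates them, but a single `append` anywhere downstream would silently widen the roles of every accessor defined with the default. Tuples, `get_roles=('admin',), set_roles=('admin',),`, or `None` with a fallback inside the function avoid that. Dropping the `tag_min_role_id` keyword is a hard break for any accessor module still passing it (a `TypeError` when that module is imported), which the Legacy NOTE explains but does not soften; a transitional `**kwargs` that warns about and ignores `tag_min_role_id` would let old definitions keep loading. `define_accessors` continues beyond this hunk.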
@@ -126,7 +131,7 @@ def define_accessors (module, objclass, methodsuffix, tagname,
 return self.locate_or_create_tag (tagname=tagname,
 category=category,
 description=description,
- min_role_id=tag_min_role_id)
+ roles=set_roles)
 # attach it to the Accessor class
 setattr(Accessor,locator_name,locate_or_create_tag)
diff --git a/PLC/Methods/AddNodeTag.py b/PLC/Methods/AddNodeTag.py
index fc64d1e5..ffe1ca7c 100644
--- a/PLC/Methods/AddNodeTag.py
+++ b/PLC/Methods/AddNodeTag.py
@@ -65,7 +65,7 @@ class AddNodeTag(Method):
 if 'admin' in self.caller['roles']:
 pass
 elif not AuthorizeHelpers.caller_may_access_tag_type (self.api, self.caller, tag_type):
- raise PLCPermissionDenied, "%s, forbidden tag %s"%(self.name,tag_type['tagname'])
+ raise PLCPermissionDenied, "%s, forbidden tag %s (%s)"%(self.name,tag_type['tagname'],self.caller['email'])
 elif AuthorizeHelpers.node_belongs_to_person (self.api, node, self.caller):
 pass
 else:
diff --git a/PLC/Methods/AddSliceTag.py b/PLC/Methods/AddSliceTag.py
index 34195f6a..46381164 100644
--- a/PLC/Methods/AddSliceTag.py
+++ b/PLC/Methods/AddSliceTag.py
@@ -90,7 +90,7 @@ class AddSliceTag(Method):
 elif role=='tech':
 if node_id_or_hostname is not None and \
 AuthorizeHelpers.node_id_or_hostname_in_slice(self.api, node_id_or_hostname_in_slice, slice):
- granted=True ; break
+ granted=True ; break
 if not granted:
 raise PLCPermissionDenied, "%s, forbidden tag %s"%(self.name,tag_type['tagname'])
diff --git a/PLC/Methods/GetTagTypes.py b/PLC/Methods/GetTagTypes.py
index 90086997..a1173956 100644
--- a/PLC/Methods/GetTagTypes.py
+++ b/PLC/Methods/GetTagTypes.py
@@ -1,10 +1,6 @@
-# $Id$
-# $URL$
 #
 # Thierry Parmentelat - INRIA
 #
-# $Revision: 9423 $
-#
 from PLC.Method import Method
 from PLC.Parameter import Parameter, Mixed
 from PLC.Filter import Filter
@@ -25,6 +21,8 @@ class GetTagTypes(Method):
 Auth(),
 Mixed([Mixed(TagType.fields['tag_type_id'],
 TagType.fields['tagname'])],
+ Mixed(TagType.fields['tag_type_id'],
+ TagType.fields['tagname']),
 Filter(TagType.fields)),
 Parameter([str], "List of fields to return", nullok = True)
 ]
diff --git a/PLC/Nodes.py b/PLC/Nodes.py
index 66c90394..ce2cbad4 100644
--- a/PLC/Nodes.py
+++ b/PLC/Nodes.py
@@ -4,9 +4,6 @@ # Mark Huang
 # Copyright (C) 2006 The Trustees of Princeton University
 #
-# $Id$
-# $URL$
-#
 from types import StringTypes
 import re
diff --git a/db-config.d/000-functions b/db-config.d/000-functions
index 70fa0789..5c1ed245 100644
--- a/db-config.d/000-functions
+++ b/db-config.d/000-functions
@@ -35,6 +35,9 @@ def SetTagType(tag_type):
 g_known_tag_types.sort()
 else:
 UpdateTagType(tag_type['tagname'], tag_type)
+ if 'roles' in tag_type:
+ for role in tag_type['roles']:
+ AddRoleToTagType(role,tag_type['tagname'])
 # Get list of existing (enabled, global) files
 g_conf_files = GetConfFiles()
diff --git a/db-config.d/010-node_tags b/db-config.d/010-node_tags
index b0062fc6..8e406c8e 100644
--- a/db-config.d/010-node_tags
+++ b/db-config.d/010-node_tags
@@ -1,6 +1,4 @@
 # -*-python-*-
-# $Id: 010-node_tags
-# $URL:
 #################### node tag types
 # Setup default node tag types
@@ -10,7 +8,7 @@ nodetag_types = \
 {'tagname': 'hrn',
 'description': 'SFA human readable name',
 'category' : 'node/sfa',
- 'min_role_id': 40},
+ 'roles' : ['admin','pi','user','tech']},
 ]
 for nodetag_type in nodetag_types:
diff --git a/db-config.d/010-slice_tags b/db-config.d/010-slice_tags
index 8827a749..91ffa333 100644
--- a/db-config.d/010-slice_tags
+++ b/db-config.d/010-slice_tags
@@ -1,6 +1,4 @@
 # -*-python-*-
-# $Id$
-# $URL$
 #################### slice tag types
 # xxx this should move to PLC/Accessors
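Review bot: The roles loop in `SetTagType` only ever adds: `AddRoleToTagType(role,tag_type['tagname'])` runs for every listed role on each db-config pass, and a role removed from a tag type's `roles` list in db-config.d is never revoked from an existing tag type, so tightening access in these files has no effect on an already-populated database. Whether `AddRoleToTagType` accepts or rejects a role that is already attached cannot be told from here; if it raises, the second db-config run fails on every tag type that lists roles. At minimum a comment on the block should state the contract, `# roles are additive: a role dropped from this list is not revoked from an existing tag type`, and comparing against the tag type's current roles before adding would make the config file authoritative in both directions. Indentation is lost in this rendering, so it is worth confirming the block sits at the level of the preceding `if`/`else` rather than inside the `else:` branch, otherwise newly created tag types would never receive their roles. `SetTagType` starts before this hunk.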
@@ -11,159 +9,136 @@ slicetag_types = \
 {'tagname': "type",
 'description': "Type of slice (e.g. vserver)",
 'category' : 'slice/general',
- 'min_role_id': 20},
+ 'roles': ['admin','pi']},
 # System slice
 {'tagname': "system",
 'description': "Is a default system slice (1) or not (0 or unset)",
- 'category' : 'slice/general',
- 'min_role_id': 10},
+ 'category' : 'slice/general'},
 # Slice enabled (1) or suspended (0)
 {'tagname': "enabled",
 'description': "Slice enabled (1 or unset) or suspended (0)",
- 'category' : 'slice/general',
- 'min_role_id': 10},
+ 'category' : 'slice/general'},
 # Slice reference image
 {'tagname': "vref",
 'description': "Reference image",
 'category' : 'slice/config',
- 'min_role_id': 30},
+ 'roles' : ['admin','pi','user']},
 # Slice initialization script
 {'tagname': "initscript",
 'description': "Slice initialization script",
 'category' : 'slice/usertools',
- 'min_role_id': 30},
+ 'roles' : ['admin','pi','user']},
 # IP Addresses for a Slice
 {'tagname': "ip_addresses",
 'description': "Add an ip address to a slice/sliver.",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 # CPU share
 {'tagname': "cpu_pct",
 'description': "Reserved CPU percent",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 {'tagname': "cpu_share",
 'description': "Number of CPU shares",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 # Bandwidth limits
 {'tagname': "net_min_rate",
 'description': "Minimum bandwidth (kbps)",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 {'tagname': "net_max_rate",
 'description': "Maximum bandwidth (kbps)",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 {'tagname': "net_i2_min_rate",
 'description': "Minimum bandwidth over I2 routes (kbps)",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 {'tagname': "net_i2_max_rate",
 'description': "Maximum bandwidth over I2 routes (kbps)",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 {'tagname': "net_max_kbyte",
 'description': "Maximum daily network Tx KByte limit.",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 {'tagname': "net_thresh_kbyte",
 'description': "KByte limit before warning and throttling.",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 {'tagname': "net_i2_max_kbyte",
 'description': "Maximum daily network Tx KByte limit to I2 hosts.",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 {'tagname': "net_i2_thresh_kbyte",
 'description': "KByte limit to I2 hosts before warning and throttling.",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 {'tagname': "net_share",
 'description': "Number of bandwidth shares",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 {'tagname': "net_i2_share",
 'description': "Number of bandwidth shares over I2 routes",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 # Disk quota
 {'tagname': "disk_max",
 'description': "Disk quota (1k disk blocks)",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 # Proper operations
 {'tagname': "proper_op",
 'description': "Proper operation (e.g. bind_socket)",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 # VServer capabilities
 {'tagname': "capabilities",
 'description': "VServer bcapabilities (separate by commas)",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 # Vsys
 {'tagname': "vsys",
 'description': "Bind vsys script fd's to a slice's vsys directory.",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 # CoDemux
 {'tagname': "codemux",
 'description': "Demux HTTP between slices using localhost ports. Value in the form 'host, localhost port'.",
- 'category' : 'slice/rspec',
- 'min_role_id': 10},
+ 'category' : 'slice/rspec'},
 # Delegation
 {'tagname': "delegations",
 'description': "Coma seperated list of slices to give delegation authority to.",
 'category' : 'slice/rspec',
- 'min_role_id': 30},
+ 'roles' : ['admin','pi','user']},
 # Security capability to empower a slice to make an authenticated API call, set by silverauth NM plugin.
 {'tagname': "hmac",
 'description': "Sliver authorization key.",
 'category' : 'slice/auth',
- 'min_role_id': 20},
+ 'roles': ['admin','pi']},
 {'tagname': "ssh_key",
 'description': "Sliver public ssh key.",
 'category' : 'slice/auth',
- 'min_role_id': 20},
+ 'roles': ['admin','pi']},
 # Capability to give a sliver access to unused raw disk
 {'tagname': "rawdisk",
 'description': "map unused raw disk devices into the slice",
 'category' : 'slice/access', # we should get rid of this category thing
- 'min_role_id': 20},
+ 'roles': ['admin','pi']},
 { 'tagname' : 'exempt_slice_until',
 'description' : 'Exclude this slice from MyOps until given date (YYYYMMDD)',
- 'category' : 'slice/myops',
- 'min_role_id' : 10} ,
+ 'category' : 'slice/myops'},
 # DistributedRateLimiting slice
 {'tagname': "drl",
 'description': "Is a default Distributed Rate Limiting slice (1) or not (0 or unset)",
- 'category' : 'slice/general',
- 'min_role_id': 10},
+ 'category' : 'slice/general'},
 # OMF controlled slice
 {'tagname': "omf_control",
 'description': "Pre-install and configure OMF Resource Controller in slice if set",
- 'category' : 'slice/usertools',
- 'min_role_id': 10},
+ 'category' : 'slice/usertools'},
 ]
 # add in the platform supported rlimits to the default_attribute_types
@@ -176,7 +151,6 @@ for entry in resource.__dict__.keys() + ["VLIMIT_OPENFD"]:
 'tagname': "%s_%s"%(rlim,ty),
 'description': "Per sliver RLIMIT %s_%s."%(rlim,ty),
 'category': 'slice/limit',
- 'min_role_id': 10 #admin
 }
 slicetag_types.append(attribute)
-- 
2.47.0
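Review bot: Every entry that had `'min_role_id': 10` now carries no `'roles'` key at all rather than `'roles': ['admin']`, so admin-only access is expressed by the absence of a key, and the `#admin` comment that documented it on the rlimit entry is dropped in the second hunk of this file. With the `000-functions` change only attaching roles when the key is present, such a tag type keeps whatever roles it already has in the database, which on a fresh install is none; that presumably amounts to admin-only given the `'admin'` short-circuit visible in AddNodeTag, but nothing in this file says so. Writing `'roles': ['admin']` on these entries, or a one-line comment at the top of `slicetag_types` such as `# entries without a 'roles' key are admin-only`, keeps the restriction explicit and greppable when someone later widens access.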