2 # This Module implements rights and lists of rights for the SFA. Rights
3 # are implemented by two classes:
5 # Right - represents a single right
7 # RightList - represents a list of rights
9 # A right may allow several different operations. For example, the "info" right
10 # allows "listslices", "listcomponentresources", etc.
15 # privilege_table maps each privilege to the operations it allows
# privilege_table: privilege name -> operation names that privilege permits.
# Right.can_perform looks a right up here by its lower-cased kind, and a "*"
# entry stands for "every operation", so the "authority" privilege grants
# all operations, not just the ones listed next to it.  The "sa" entry names
# "getticket" and "deleteslice" twice; that is harmless for the membership
# tests performed on these lists and is kept as-is.
privilege_table = dict(
    authority=[
        "register", "remove", "update", "resolve", "list", "getcredential", "*",
    ],
    refresh=["remove", "update"],
    resolve=["resolve", "list", "getcredential", "listresources", "getversion"],
    sa=[
        "getticket", "redeemslice", "redeemticket", "createslice", "deleteslice",
        "updateslice", "getsliceresources", "getticket", "loanresources",
        "stopslice", "startslice", "deleteslice", "resetslice", "listslices",
        "listnodes", "getpolicy", "createsliver",
    ],
    embed=[
        "getticket", "redeemslice", "redeemticket", "createslice", "createsliver",
        "deleteslice", "updateslice", "getsliceresources",
    ],
    bind=["getticket", "loanresources", "redeemticket"],
    control=[
        "updateslice", "createslice", "createsliver", "stopslice", "startslice",
        "deleteslice", "resetslice", "getsliceresources", "getgids",
    ],
    info=["listslices", "listnodes", "getpolicy"],
    ma=["setbootstate", "getbootstate", "reboot", "getgids", "gettrustedcerts"],
    operator=["gettrustedcerts", "getgids"],
)
33 # Determine the rights that an object should have. The rights are entirely
34 # dependent on the type of the object. For example, users automatically
35 # get "refresh", "resolve", and "info".
37 # @param type the type of the object (user | sa | ma | slice | node)
38 # @param name human readable name of the object (not used at this time)
40 # @return RightList object containing rights
42 def determine_rights(type, name):
45 # rights seem to be somewhat redundant with the type of the credential.
46 # For example, a "sa" credential implies the authority right, because
47 # a sa credential cannot be issued to a user who is not an owner of
54 rl.add("authority,sa")
56 rl.add("authority,ma")
57 elif type == "authority":
58 rl.add("authority,sa,ma")
65 elif type == "component":
71 # The Right class represents a single privilege.
79 # @param kind is a string naming the right. For example "control"
81 def __init__(self, kind, delegate=False):
83 self.delegate = delegate
86 # Test to see if this right object is allowed to perform an operation.
87 # Returns True if the operation is allowed, False otherwise.
89 # @param op_name is a string naming the operation. For example "listslices".
91 def can_perform(self, op_name):
92 allowed_ops = privilege_table.get(self.kind.lower(), None)
96 # if "*" is specified, then all ops are permitted
97 if "*" in allowed_ops:
100 return (op_name.lower() in allowed_ops)
103 # Test to see if this right is a superset of a child right. A right is a
104 # superset if every operation that is allowed by the child is also allowed
107 # @param child is a Right object describing the child right
109 def is_superset(self, child):
110 my_allowed_ops = privilege_table.get(self.kind.lower(), None)
111 child_allowed_ops = privilege_table.get(child.kind.lower(), None)
113 if not self.delegate:
116 if "*" in my_allowed_ops:
119 for right in child_allowed_ops:
120 if not right in my_allowed_ops:
126 # A RightList object represents a list of privileges.
130 # Create a new rightlist object, containing no rights.
132 # @param string if string!=None, load the rightlist from the string
134 def __init__(self, string=None):
137 self.load_from_string(string)
140 return self.rights == []
143 # Add a right to this list
145 # @param right is either a Right object or a string describing the right
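def add(self, right, delegate=False):
    """Append one or more rights to this list.

    Args:
        right: either a Right object, which is appended unchanged (the
            `delegate` argument is not applied to it), or a string naming
            a right.  The string may contain several comma-separated names,
            e.g. "authority,sa", and each name becomes its own Right.
            Splitting here matches the comma-separated wire format used by
            load_from_string/save_to_string: a single Right whose kind
            contained a comma would match no privilege_table entry, and it
            would come back as two separate rights after one save/load
            round trip anyway.
        delegate: delegate bit given to every Right created from a string.

    Returns:
        None; the list is modified in place.
    """
    if not isinstance(right, str):
        self.rights.append(right)
        return
    # Blank segments (a trailing comma, stray whitespace) are skipped rather
    # than turned into a Right with an empty kind.
    for kind in right.split(","):
        kind = kind.strip()
        if kind:
            self.rights.append(Right(kind=kind, delegate=delegate))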
153 # Load the rightlist object from a string
155 def load_from_string(self, string):
158 # none == no rights, so leave the list empty
162 parts = string.split(",")
165 spl = part.split(':')
167 delegate = int(spl[1])
171 self.rights.append(Right(kind, bool(delegate)))
174 # Save the rightlist object to a string. It is saved in the format of a
175 # comma-separated list.
177 def save_to_string(self):
179 for right in self.rights:
180 right_names.append('%s:%d' % (right.kind, right.delegate))
182 return ",".join(right_names)
185 # Check to see if some right in this list allows an operation. This is
186 # done by evaluating the can_perform function of each right in the
189 # @param op_name is an operation to check, for example "listslices"
191 def can_perform(self, op_name):
192 for right in self.rights:
193 if right.can_perform(op_name):
198 # Check to see if all of the rights in this rightlist are a superset
199 # of all the rights in a child rightlist. A rightlist is a superset
200 # if there is no operation in the child rightlist that cannot be
201 # performed in the parent rightlist.
203 # @param child is a rightlist object describing the child
205 def is_superset(self, child):
206 for child_right in child.rights:
208 for my_right in self.rights:
209 if my_right.is_superset(child_right):
217 # set the delegate bit to 'delegate' on
220 # @param delegate boolean (True or False)
def delegate_all_privileges(self, delegate):
    """Set the delegate bit of every right in this list to `delegate`.

    The delegate bit on a Right is what Right.is_superset checks on the
    parent side, so passing True here makes every right in the list
    delegable in one step and passing False revokes that.  The Right
    objects are modified in place; nothing is returned.
    """
    for entry in self.rights:
        setattr(entry, "delegate", delegate)
227 # true if all privileges have delegate bit set true
230 def get_all_delegate(self):
231 for right in self.rights:
232 if not right.delegate:
239 # Determine the rights that an object should have. The rights are entirely
240 # dependent on the type of the object. For example, users automatically
241 # get "refresh", "resolve", and "info".
243 # @param type the type of the object (user | sa | ma | slice | node)
244 # @param name human readable name of the object (not used at this time)
246 # @return RightList object containing rights
248 def determine_rights(self, type, name):
251 # rights seem to be somewhat redundant with the type of the credential.
252 # For example, a "sa" credential implies the authority right, because
253 # a sa credential cannot be issued to a user who is not an owner of
261 rl.add("authority,sa")
263 rl.add("authority,ma")
264 elif type == "authority":
265 rl.add("authority,sa,ma")
266 elif type == "slice":
272 elif type == "component":