+#----------------------------------------------------------------------
+# Copyright (c) 2008 Board of Trustees, Princeton University
+#
+# Permission is hereby granted, free of charge, to any person obtaining
+# a copy of this software and/or hardware specification (the "Work") to
+# deal in the Work without restriction, including without limitation the
+# rights to use, copy, modify, merge, publish, distribute, sublicense,
+# and/or sell copies of the Work, and to permit persons to whom the Work
+# is furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be
+# included in all copies or substantial portions of the Work.
+#
+# THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
+# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
+# IN THE WORK.
+#----------------------------------------------------------------------
##
# This Module implements rights and lists of rights for the SFA. Rights
# are implemented by two classes:
##
-
##
# privilege_table is a list of priviliges and what operations are allowed
# per privilege.
"sa": ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "deleteslice", "deletesliver", "updateslice",
"getsliceresources", "getticket", "loanresources", "stopslice", "startslice", "renewsliver",
"deleteslice", "deletesliver", "resetslice", "listslices", "listnodes", "getpolicy", "sliverstatus"],
- "embed": ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "renewsliver", "deleteslice", "deletesliver", "updateslice", "sliverstatus", "getsliceresources", "shutdown"],
+ "embed": ["getticket", "redeemslice", "redeemticket", "createslice", "createsliver", "renewsliver", "deleteslice",
+ "deletesliver", "updateslice", "sliverstatus", "getsliceresources", "shutdown"],
"bind": ["getticket", "loanresources", "redeemticket"],
- "control": ["updateslice", "createslice", "createsliver", "renewsliver", "sliverstatus", "stopslice", "startslice", "deleteslice", "deletesliver", "resetslice", "getsliceresources", "getgids"],
+ "control": ["updateslice", "createslice", "createsliver", "renewsliver", "sliverstatus", "stopslice", "startslice",
+ "deleteslice", "deletesliver", "resetslice", "getsliceresources", "getgids"],
"info": ["listslices", "listnodes", "getpolicy"],
"ma": ["setbootstate", "getbootstate", "reboot", "getgids", "gettrustedcerts"],
- "operator": ["gettrustedcerts", "getgids"],
- "*": ["createsliver", "deletesliver", "sliverstatus", "renewsliver", "shutdown"]}
-
+ "operator": ["gettrustedcerts", "getgids"],
+ "*": ["createsliver", "deletesliver", "sliverstatus", "renewsliver", "shutdown"]}
##
-# Determine tje rights that an object should have. The rights are entirely
+# Determine the rights that an object should have. The rights are entirely
# dependent on the type of the object. For example, users automatically
# get "refresh", "resolve", and "info".
#
rl.add("refresh")
rl.add("resolve")
rl.add("info")
- elif type == "sa":
+ elif type in ["sa", "authority+sa"]:
rl.add("authority")
rl.add("sa")
- elif type == "ma":
+ elif type in ["ma", "authority+ma", "cm", "authority+cm", "sm", "authority+sm"]:
rl.add("authority")
rl.add("ma")
elif type == "authority":
rl.add("bind")
rl.add("control")
rl.add("info")
+# wouldn't that be authority+cm instead ?
elif type == "component":
rl.add("operator")
return rl
# The Right class represents a single privilege.
-
class Right:
##
# Create a new right.
self.kind = kind
self.delegate = delegate
+ def __repr__(self): return "<Rgt:%s>" % self.kind
+
##
# Test to see if this right object is allowed to perform an operation.
# Returns True if the operation is allowed, False otherwise.
##
# A Rights object represents a list of privileges.
+
class Rights:
##
# Create a new rightlist object, containing no rights.
if string:
self.load_from_string(string)
+ def __repr__(self): return "[" + \
+ " ".join(["%s" % r for r in self.rights]) + "]"
+
def is_empty(self):
return self.rights == []
# @param op_name is an operation to check, for example "listslices"
def can_perform(self, op_name):
+
for right in self.rights:
if right.can_perform(op_name):
return True
for my_right in self.rights:
if my_right.is_superset(child_right):
allowed = True
+ break
if not allowed:
return False
return True
-
##
# set the delegate bit to 'delegate' on
# all privileges
return False
return True
-
-
- ##
- # Determine the rights that an object should have. The rights are entirely
- # dependent on the type of the object. For example, users automatically
- # get "refresh", "resolve", and "info".
- #
- # @param type the type of the object (user | sa | ma | slice | node)
- # @param name human readable name of the object (not used at this time)
- #
- # @return Rights object containing rights
-
- def determine_rights(self, type, name):
- rl = Rights()
-
- # rights seem to be somewhat redundant with the type of the credential.
- # For example, a "sa" credential implies the authority right, because
- # a sa credential cannot be issued to a user who is not an owner of
- # the authority
-
- if type == "user":
- rl.add("refresh")
- rl.add("resolve")
- rl.add("info")
- elif type == "sa":
- rl.add("authority")
- rl.add("sa")
- elif type == "ma":
- rl.add("authority")
- rl.add("ma")
- elif type == "authority":
- rl.add("authority")
- rl.add("sa")
- rl.add("ma")
- elif type == "slice":
- rl.add("refresh")
- rl.add("embed")
- rl.add("bind")
- rl.add("control")
- rl.add("info")
- elif type == "component":
- rl.add("operator")
-
- return rl
+ def pretty_rights(self):
+ return "<Rights{}>".format(";".join(["{}".format(r) for r in self.rights]))
git://git.onelab.eu / sfa.git / blobdiff