
Side by Side Diff: appengine/config_service/acl.py

Issue 2932473005: config_service: implement admin group (Closed)
Patch Set: self review Created 3 years, 6 months ago
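--- a/appengine/config_service/acl.py
+++ b/appengine/config_service/acl.py
@@ -1,28 +1,28 @@
 # Copyright 2015 The LUCI Authors. All rights reserved.
 # Use of this source code is governed under the Apache License, Version 2.0
 # that can be found in the LICENSE file.
 
-import re
-
 from components import auth
 from components import config
 from components import utils
 from components.config.proto import service_config_pb2
 
 import common
 import projects
 import services
 import storage
 
 
-def read_acl_cfg():
+# Cache acl.cfg for 10min. It never changes.
+@utils.cache_with_expiration(10 * 60)
+def get_acl_cfg():
 return storage.get_self_config_async(
 common.ACL_FILENAME, service_config_pb2.AclCfg).get_result()
 
 
 def can_read_config_sets(config_sets):
 """Returns a mapping {config_set: has_access}.
 
 has_access is True if current requester has access to the config set.
 
 Raise:
@@ -56,44 +56,50 @@
 access_map['projects/' + pid] = access
 for sid, access in has_services_access(service_ids).iteritems():
 access_map['services/' + sid] = access
 
 return {
 cs: access_map[check_via[cs]]
 for cs in config_sets
 }
 
 
+def is_admin():
+acl_cfg = get_acl_cfg()
+return auth.is_group_member(
+acl_cfg and acl_cfg.admin_group or auth.ADMIN_GROUP)
+
+
 def has_services_access(service_ids):
 """Returns a mapping {service_id: has_access}.
 
 has_access is True if current requester can read service configs.
 """
 if not service_ids:
 return {}
 for sid in service_ids:
 assert isinstance(sid, basestring)
 assert sid
 
-if auth.is_admin():
+if is_admin():
 return {sid: True for sid in service_ids}
 
 cfgs = {
 s.id: s
 for s in services.get_services_async().get_result()
 }
 return {
 sid: cfgs.get(sid) and config.api._has_access(cfgs.get(sid).access)
 for sid in service_ids
 }
 
 
 def has_projects_access(project_ids):
 if not project_ids:
 return {}
-super_group = read_acl_cfg().project_access_group
-if auth.is_admin() or super_group and auth.is_group_member(super_group):
+super_group = get_acl_cfg().project_access_group
+if is_admin() or super_group and auth.is_group_member(super_group):
 return {pid: True for pid in project_ids}
 return {
 pid: meta and config.api._has_access(meta.access)
 for pid, meta in projects.get_metadata(project_ids).iteritems()
 }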
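Review bot: The comment on `get_acl_cfg` (new lines 16-18) says acl.cfg "never changes", yet `is_admin` now reads `admin_group` from that cached value, so an edit that narrows or replaces the admin group would presumably keep being honoured for up to ten minutes wherever the old copy is cached. The comment should state that window instead, e.g. `# Cache acl.cfg for 10min; admin_group and project_access_group changes can take that long to apply.` Separately, `is_admin` tolerates a falsy `acl_cfg` while `has_projects_access` (new line 99) dereferences `get_acl_cfg().project_access_group` unguarded; if the config can really be absent the two should agree, and `is_admin` deserves a one-line docstring saying it falls back to `auth.ADMIN_GROUP` when `admin_group` is unset.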