Chromium Code Reviews Chromium Code Reviews
Issue 2984843002:
swarming: switch to a 'capability focused' ACL system (Closed)
| OLD | NEW |
|---|---|
| 1 # Copyright 2014 The LUCI Authors. All rights reserved. | 1 # Copyright 2014 The LUCI Authors. All rights reserved. |
| 2 # Use of this source code is governed under the Apache License, Version 2.0 | 2 # Use of this source code is governed under the Apache License, Version 2.0 |
| 3 # that can be found in the LICENSE file. | 3 # that can be found in the LICENSE file. |
| 4 | 4 |
| 5 """High level tasks execution scheduling API. | 5 """High level tasks execution scheduling API. |
| 6 | 6 |
| 7 This is the interface closest to the HTTP handlers. | 7 This is the interface closest to the HTTP handlers. |
| 8 """ | 8 """ |
| 9 | 9 |
| 10 import datetime | 10 import datetime |
| (...skipping 385 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 396 | 396 |
| 397 ident = request.authenticated | 397 ident = request.authenticated |
| 398 dims = request.properties.dimensions | 398 dims = request.properties.dimensions |
| 399 assert 'id' in dims or 'pool' in dims, dims # see _validate_dimensions | 399 assert 'id' in dims or 'pool' in dims, dims # see _validate_dimensions |
| 400 assert ident is not None # see task_request.init_new_request | 400 assert ident is not None # see task_request.init_new_request |
| 401 | 401 |
| 402 # Forbid targeting individual bots for non-admins, but allow using 'id' if | 402 # Forbid targeting individual bots for non-admins, but allow using 'id' if |
| 403 # 'pool' is used as well (so whoever can posts tasks to 'pool', can target an | 403 # 'pool' is used as well (so whoever can posts tasks to 'pool', can target an |
| 404 # individual bot in that pool). | 404 # individual bot in that pool). |
| 405 if 'id' in dims and 'pool' not in dims: | 405 if 'id' in dims and 'pool' not in dims: |
| 406 if not acl.is_admin(): | 406 # Only super-users can create a task without 'id' nor 'pool'. |
| 407 if not acl.can_edit_config(): | |
|
M-A Ruel
2017/07/24 15:42:51
This one is a bit awkward, not sure how to change.
Vadim Sh.
2017/07/24 19:16:47
Let's remove this clause. I think we have never us
M-A Ruel
2017/07/25 13:46:38
All removed.
| |
| 407 raise auth.AuthorizationError( | 408 raise auth.AuthorizationError( |
| 408 'Only Swarming administrators can post tasks with "id" dimension ' | 409 'Only Swarming administrators can post tasks with "id" dimension ' |
| 409 'without specifying a "pool" dimension.') | 410 'without specifying a "pool" dimension.') |
| 410 | 411 |
| 411 for k, v in sorted(dims.iteritems()): | 412 for k, v in sorted(dims.iteritems()): |
| 412 if not _can_use_dimension(dim_acls, ident, k, v): | 413 if not _can_use_dimension(dim_acls, ident, k, v): |
| 413 raise auth.AuthorizationError( | 414 raise auth.AuthorizationError( |
| 414 'User %s is not allowed to schedule tasks with dimension "%s:%s"' % | 415 'User %s is not allowed to schedule tasks with dimension "%s:%s"' % |
| 415 (ident.to_bytes(), k, v)) | 416 (ident.to_bytes(), k, v)) |
| 416 | 417 |
| (...skipping 568 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 985 ## Task queue tasks. | 986 ## Task queue tasks. |
| 986 | 987 |
| 987 | 988 |
| 988 def task_handle_pubsub_task(payload): | 989 def task_handle_pubsub_task(payload): |
| 989 """Handles task enqueued by _maybe_pubsub_notify_via_tq.""" | 990 """Handles task enqueued by _maybe_pubsub_notify_via_tq.""" |
| 990 # Do not catch errors to trigger task queue task retry. Errors should not | 991 # Do not catch errors to trigger task queue task retry. Errors should not |
| 991 # happen in normal case. | 992 # happen in normal case. |
| 992 _pubsub_notify( | 993 _pubsub_notify( |
| 993 payload['task_id'], payload['topic'], | 994 payload['task_id'], payload['topic'], |
| 994 payload['auth_token'], payload['userdata']) | 995 payload['auth_token'], payload['userdata']) |
| OLD | NEW |
