**** CubicPower OpenStack Study ****
# Copyright 2012 OpenStack Foundation
# Copyright 2013 IBM Corp.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import copy
from glance.common import exception
import glance.domain.proxy
**** CubicPower OpenStack Study ****
def is_image_mutable(context, image):
"""Return True if the image is mutable in this context."""
if context.is_admin:
return True
if image.owner is None or context.owner is None:
return False
return image.owner == context.owner
**** CubicPower OpenStack Study ****
def proxy_image(context, image):
if is_image_mutable(context, image):
return ImageProxy(image, context)
else:
return ImmutableImageProxy(image, context)
**** CubicPower OpenStack Study ****
def is_member_mutable(context, member):
"""Return True if the image is mutable in this context."""
if context.is_admin:
return True
if context.owner is None:
return False
return member.member_id == context.owner
**** CubicPower OpenStack Study ****
def proxy_member(context, member):
if is_member_mutable(context, member):
return member
else:
return ImmutableMemberProxy(member)
**** CubicPower OpenStack Study ****
def is_task_mutable(context, task):
"""Return True if the task is mutable in this context."""
if context.is_admin:
return True
if context.owner is None:
return False
return task.owner == context.owner
**** CubicPower OpenStack Study ****
def proxy_task(context, task):
if is_task_mutable(context, task):
return task
else:
return ImmutableTaskProxy(task)
**** CubicPower OpenStack Study ****
def proxy_task_details(context, task, task_details):
if is_task_mutable(context, task):
return task_details
else:
return ImmutableTaskDetailsProxy(task_details)
**** CubicPower OpenStack Study ****
class ImageRepoProxy(glance.domain.proxy.Repo):
**** CubicPower OpenStack Study ****
def __init__(self, image_repo, context):
self.context = context
self.image_repo = image_repo
proxy_kwargs = {'context': self.context}
super(ImageRepoProxy, self).__init__(image_repo,
item_proxy_class=ImageProxy,
item_proxy_kwargs=proxy_kwargs)
**** CubicPower OpenStack Study ****
def get(self, image_id):
image = self.image_repo.get(image_id)
return proxy_image(self.context, image)
**** CubicPower OpenStack Study ****
def list(self, *args, **kwargs):
images = self.image_repo.list(*args, **kwargs)
return [proxy_image(self.context, i) for i in images]
**** CubicPower OpenStack Study ****
class ImageMemberRepoProxy(glance.domain.proxy.Repo):
**** CubicPower OpenStack Study ****
def __init__(self, member_repo, image, context):
self.member_repo = member_repo
self.image = image
self.context = context
super(ImageMemberRepoProxy, self).__init__(member_repo)
**** CubicPower OpenStack Study ****
def get(self, member_id):
if (self.context.is_admin or
self.context.owner == self.image.owner or
self.context.owner == member_id):
member = self.member_repo.get(member_id)
return proxy_member(self.context, member)
else:
message = _("You cannot get image member for %s")
raise exception.Forbidden(message % member_id)
**** CubicPower OpenStack Study ****
def list(self, *args, **kwargs):
members = self.member_repo.list(*args, **kwargs)
if (self.context.is_admin or
self.context.owner == self.image.owner):
return [proxy_member(self.context, m) for m in members]
for member in members:
if member.member_id == self.context.owner:
return [proxy_member(self.context, member)]
message = _("You cannot get image member for %s")
raise exception.Forbidden(message % self.image.image_id)
**** CubicPower OpenStack Study ****
def remove(self, image_member):
if (self.image.owner == self.context.owner or
self.context.is_admin):
self.member_repo.remove(image_member)
else:
message = _("You cannot delete image member for %s")
raise exception.Forbidden(message
% self.image.image_id)
**** CubicPower OpenStack Study ****
def add(self, image_member):
if (self.image.owner == self.context.owner or
self.context.is_admin):
self.member_repo.add(image_member)
else:
message = _("You cannot add image member for %s")
raise exception.Forbidden(message
% self.image.image_id)
**** CubicPower OpenStack Study ****
def save(self, image_member):
if (self.context.is_admin or
self.context.owner == image_member.member_id):
self.member_repo.save(image_member)
else:
message = _("You cannot update image member %s")
raise exception.Forbidden(message % image_member.member_id)
**** CubicPower OpenStack Study ****
class ImageFactoryProxy(glance.domain.proxy.ImageFactory):
**** CubicPower OpenStack Study ****
def __init__(self, image_factory, context):
self.image_factory = image_factory
self.context = context
kwargs = {'context': self.context}
super(ImageFactoryProxy, self).__init__(image_factory,
proxy_class=ImageProxy,
proxy_kwargs=kwargs)
**** CubicPower OpenStack Study ****
def new_image(self, **kwargs):
owner = kwargs.pop('owner', self.context.owner)
if not self.context.is_admin:
if owner is None or owner != self.context.owner:
message = _("You are not permitted to create images "
"owned by '%s'.")
raise exception.Forbidden(message % owner)
return super(ImageFactoryProxy, self).new_image(owner=owner, **kwargs)
**** CubicPower OpenStack Study ****
class ImageMemberFactoryProxy(object):
**** CubicPower OpenStack Study ****
def __init__(self, image_member_factory, context):
self.image_member_factory = image_member_factory
self.context = context
**** CubicPower OpenStack Study ****
def new_image_member(self, image, member_id):
owner = image.owner
if not self.context.is_admin:
if owner is None or owner != self.context.owner:
message = _("You are not permitted to create image members "
"for the image.")
raise exception.Forbidden(message)
if image.visibility == 'public':
message = _("Public images do not have members.")
raise exception.Forbidden(message)
return self.image_member_factory.new_image_member(image, member_id)
def _immutable_attr(target, attr, proxy=None):
**** CubicPower OpenStack Study ****
def _immutable_attr(target, attr, proxy=None):
**** CubicPower OpenStack Study ****
def get_attr(self):
value = getattr(getattr(self, target), attr)
if proxy is not None:
value = proxy(value)
return value
**** CubicPower OpenStack Study ****
def forbidden(self, *args, **kwargs):
resource = getattr(self, 'resource_name', 'resource')
message = _("You are not permitted to modify '%(attr)s' on this "
"%(resource)s.")
raise exception.Forbidden(message % {'attr': attr,
'resource': resource})
return property(get_attr, forbidden, forbidden)
**** CubicPower OpenStack Study ****
class ImmutableLocations(list):
**** CubicPower OpenStack Study ****
def forbidden(self, *args, **kwargs):
message = _("You are not permitted to modify locations "
"for this image.")
raise exception.Forbidden(message)
**** CubicPower OpenStack Study ****
def __deepcopy__(self, memo):
return ImmutableLocations(copy.deepcopy(list(self), memo))
append = forbidden
extend = forbidden
insert = forbidden
pop = forbidden
remove = forbidden
reverse = forbidden
sort = forbidden
__delitem__ = forbidden
__delslice__ = forbidden
__iadd__ = forbidden
__imul__ = forbidden
__setitem__ = forbidden
__setslice__ = forbidden
**** CubicPower OpenStack Study ****
class ImmutableProperties(dict):
**** CubicPower OpenStack Study ****
def forbidden_key(self, key, *args, **kwargs):
message = _("You are not permitted to modify '%s' on this image.")
raise exception.Forbidden(message % key)
**** CubicPower OpenStack Study ****
def forbidden(self, *args, **kwargs):
message = _("You are not permitted to modify this image.")
raise exception.Forbidden(message)
__delitem__ = forbidden_key
__setitem__ = forbidden_key
pop = forbidden
popitem = forbidden
setdefault = forbidden
update = forbidden
**** CubicPower OpenStack Study ****
class ImmutableTags(set):
**** CubicPower OpenStack Study ****
def forbidden(self, *args, **kwargs):
message = _("You are not permitted to modify tags on this image.")
raise exception.Forbidden(message)
add = forbidden
clear = forbidden
difference_update = forbidden
intersection_update = forbidden
pop = forbidden
remove = forbidden
symmetric_difference_update = forbidden
update = forbidden
**** CubicPower OpenStack Study ****
class ImmutableImageProxy(object):
**** CubicPower OpenStack Study ****
def __init__(self, base, context):
self.base = base
self.context = context
self.resource_name = 'image'
name = _immutable_attr('base', 'name')
image_id = _immutable_attr('base', 'image_id')
name = _immutable_attr('base', 'name')
status = _immutable_attr('base', 'status')
created_at = _immutable_attr('base', 'created_at')
updated_at = _immutable_attr('base', 'updated_at')
visibility = _immutable_attr('base', 'visibility')
min_disk = _immutable_attr('base', 'min_disk')
min_ram = _immutable_attr('base', 'min_ram')
protected = _immutable_attr('base', 'protected')
locations = _immutable_attr('base', 'locations', proxy=ImmutableLocations)
checksum = _immutable_attr('base', 'checksum')
owner = _immutable_attr('base', 'owner')
disk_format = _immutable_attr('base', 'disk_format')
container_format = _immutable_attr('base', 'container_format')
size = _immutable_attr('base', 'size')
virtual_size = _immutable_attr('base', 'virtual_size')
extra_properties = _immutable_attr('base', 'extra_properties',
proxy=ImmutableProperties)
tags = _immutable_attr('base', 'tags', proxy=ImmutableTags)
**** CubicPower OpenStack Study ****
def delete(self):
message = _("You are not permitted to delete this image.")
raise exception.Forbidden(message)
**** CubicPower OpenStack Study ****
def get_member_repo(self):
member_repo = self.base.get_member_repo()
return ImageMemberRepoProxy(member_repo, self, self.context)
**** CubicPower OpenStack Study ****
def get_data(self):
return self.base.get_data()
**** CubicPower OpenStack Study ****
def set_data(self, *args, **kwargs):
message = _("You are not permitted to upload data for this image.")
raise exception.Forbidden(message)
**** CubicPower OpenStack Study ****
class ImmutableMemberProxy(object):
**** CubicPower OpenStack Study ****
def __init__(self, base):
self.base = base
self.resource_name = 'image member'
id = _immutable_attr('base', 'id')
image_id = _immutable_attr('base', 'image_id')
member_id = _immutable_attr('base', 'member_id')
status = _immutable_attr('base', 'status')
created_at = _immutable_attr('base', 'created_at')
updated_at = _immutable_attr('base', 'updated_at')
**** CubicPower OpenStack Study ****
class ImmutableTaskProxy(object):
**** CubicPower OpenStack Study ****
def __init__(self, base):
self.base = base
self.resource_name = 'task'
task_id = _immutable_attr('base', 'task_id')
type = _immutable_attr('base', 'type')
status = _immutable_attr('base', 'status')
owner = _immutable_attr('base', 'owner')
expires_at = _immutable_attr('base', 'expires_at')
created_at = _immutable_attr('base', 'created_at')
updated_at = _immutable_attr('base', 'updated_at')
**** CubicPower OpenStack Study ****
def run(self, executor):
self.base.run(executor)
**** CubicPower OpenStack Study ****
def begin_processing(self):
message = _("You are not permitted to set status on this task.")
raise exception.Forbidden(message)
**** CubicPower OpenStack Study ****
def succeed(self, result):
message = _("You are not permitted to set status on this task.")
raise exception.Forbidden(message)
**** CubicPower OpenStack Study ****
def fail(self, message):
message = _("You are not permitted to set status on this task.")
raise exception.Forbidden(message)
**** CubicPower OpenStack Study ****
class ImmutableTaskDetailsProxy(object):
**** CubicPower OpenStack Study ****
def __init__(self, base):
self.base = base
input = _immutable_attr('base', 'input')
message = _immutable_attr('base', 'message')
result = _immutable_attr('base', 'result')
**** CubicPower OpenStack Study ****
class ImageProxy(glance.domain.proxy.Image):
**** CubicPower OpenStack Study ****
def __init__(self, image, context):
self.image = image
self.context = context
super(ImageProxy, self).__init__(image)
**** CubicPower OpenStack Study ****
def get_member_repo(self, **kwargs):
if self.image.visibility == 'public':
message = _("Public images do not have members.")
raise exception.Forbidden(message)
else:
member_repo = self.image.get_member_repo(**kwargs)
return ImageMemberRepoProxy(member_repo, self, self.context)
**** CubicPower OpenStack Study ****
class TaskProxy(glance.domain.proxy.Task):
**** CubicPower OpenStack Study ****
def __init__(self, task):
self.task = task
super(TaskProxy, self).__init__(task)
**** CubicPower OpenStack Study ****
class TaskDetailsProxy(glance.domain.proxy.TaskDetails):
**** CubicPower OpenStack Study ****
def __init__(self, task_details):
self.task_details = task_details
super(TaskDetailsProxy, self).__init__(task_details)
**** CubicPower OpenStack Study ****
class TaskFactoryProxy(glance.domain.proxy.TaskFactory):
**** CubicPower OpenStack Study ****
def __init__(self, task_factory, context):
self.task_factory = task_factory
self.context = context
super(TaskFactoryProxy, self).__init__(
task_factory,
task_proxy_class=TaskProxy,
task_details_proxy_class=TaskDetailsProxy)
**** CubicPower OpenStack Study ****
def new_task(self, **kwargs):
owner = kwargs.get('owner', self.context.owner)
#NOTE(nikhil): Unlike Images, Tasks are expected to have owner.
# We currently do not allow even admins to set the owner to None.
if owner is not None and (owner == self.context.owner
or self.context.is_admin):
return super(TaskFactoryProxy, self).new_task(**kwargs)
else:
message = _("You are not permitted to create this task with "
"owner as: %s")
raise exception.Forbidden(message % owner)
**** CubicPower OpenStack Study ****
class TaskRepoProxy(glance.domain.proxy.TaskRepo):
**** CubicPower OpenStack Study ****
def __init__(self, task_repo, context):
self.task_repo = task_repo
self.context = context
super(TaskRepoProxy, self).__init__(task_repo)
**** CubicPower OpenStack Study ****
def get_task_and_details(self, task_id):
task, task_details = self.task_repo.get_task_and_details(task_id)
return proxy_task(self.context, task), proxy_task_details(self.context,
task,
task_details)
**** CubicPower OpenStack Study ****
def list_tasks(self, *args, **kwargs):
tasks = self.task_repo.list_tasks(*args, **kwargs)
return [proxy_task(self.context, t) for t in tasks]