From ce98f4c49cdd4342b49f3d987b643020f250ab0a Mon Sep 17 00:00:00 2001
From: Rahul Chauhan
Date: Fri, 1 Mar 2024 17:08:40 +0100
Subject: [PATCH] The restricted attribute list will prevent users (including admins and operators) from modfying unwanted attributes.

---
 src/policy/CMSRucioPolicy/permission.py | 32 ++++++++++++++++++++++++-
 1 file changed, 31 insertions(+), 1 deletion(-)

diff --git a/src/policy/CMSRucioPolicy/permission.py b/src/policy/CMSRucioPolicy/permission.py
index 10b73685..135934b6 100644
--- a/src/policy/CMSRucioPolicy/permission.py
+++ b/src/policy/CMSRucioPolicy/permission.py
@@ -362,8 +362,15 @@ def perm_add_rse_attribute(issuer, kwargs, *, session: "Optional[Session]" = Non
     :param session: The DB session to use
     :returns: True if account is allowed, otherwise False
     """
-    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+    if _is_root(issuer):
         return True
+
+    if _restricted_rse_attribute(kwargs['rse'], kwargs['key'], kwargs['value']):
+        return False
+
+    if has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+
     return False
@@ -1353,3 +1360,26 @@ def _is_cms_site_admin(rse_id, issuer, session):
     if site_admins and issuer.external in site_admins.split(','):
         return True
     return False
+
+
+def _restricted_rse_attribute(rse, key, value=None):
+    """
+    Check if for the given RSE the given attribute is allowed
+
+    :param rse: the RSE name.
+    :param key: the attribute key.
+    :param value: the attribute value.
+    :return: True if the attribute is restricted, False otherwise.
+    """
+
+    # Add restricted attributes to this list
+    # Use None as value to restrict the key regardless of the value
+
+    restricted_attributes = [
+        ('T2_US_MIT_Tape', 'archive_timeout', None)
+    ]
+    for rse_name, attribute_key, attribute_value in restricted_attributes:
+        if rse == rse_name and key == attribute_key and (attribute_value == value or attribute_value is None):
+            return True
+
+    return False
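Review bot: The restriction is only enforced on the add path, so an admin who cannot set a restricted attribute can presumably still delete it through the matching delete permission (if this policy module defines a `perm_del_rse_attribute`, which is outside the hunk) — deleting `archive_timeout` is as much an unwanted modification as setting it, so the same `_restricted_rse_attribute(...)` guard should be applied there, and the docstring of `perm_add_rse_attribute` (its opening lines are above this hunk) should mention that root alone bypasses the restricted list. The three `kwargs[...]` lookups on the new line raise `KeyError` rather than returning False if a caller omits `value`; if the API layer does not guarantee all three keys, `kwargs.get('value')` is the safer spelling, since `_restricted_rse_attribute` already defaults `value` to None. Note also that the order of checks means a non-admin issuer is now evaluated against the restricted list before being rejected, which is harmless but could be written as `if not has_account_attribute(...): return False` followed by `return not _restricted_rse_attribute(...)` for a tighter deny-by-default shape.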
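Review bot: The docstring summary of `_restricted_rse_attribute` states the inverse of what the function returns — "Check if ... the given attribute is allowed" while `:return:` says True means restricted — so the first line should read `Check whether the given attribute is restricted for the given RSE.`. As a point of style, the restricted list is a policy constant rebuilt on every permission check and is the thing operators will edit, so it reads better as a module-level tuple with the "None matches any value" rule documented on the constant, and the loop collapses to a single `any(...)`. The value comparison `attribute_value == value` is a plain equality; if the API passes attribute values as strings while an entry here is typed otherwise, a typed entry would never match, which is worth a comment on the constant.
```python
# (rse name, attribute key, attribute value); a value of None restricts the
# key for every value. Compared with ==, so entries must use the same type
# the API passes in (string values are the safe choice).
_RESTRICTED_RSE_ATTRIBUTES = (
    ('T2_US_MIT_Tape', 'archive_timeout', None),
)


def _restricted_rse_attribute(rse, key, value=None):
    """
    Check whether the given attribute is restricted for the given RSE.

    :param rse: the RSE name.
    :param key: the attribute key.
    :param value: the attribute value.
    :return: True if the attribute is restricted, False otherwise.
    """
    return any(
        rse == rse_name and key == attribute_key
        and (attribute_value is None or attribute_value == value)
        for rse_name, attribute_key, attribute_value in _RESTRICTED_RSE_ATTRIBUTES
    )
```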