From 593aeb2abfb75d562a33a1c80bb414034687b030 Mon Sep 17 00:00:00 2001
From: Cyril Rohr <cyril.rohr@irisa.fr>
Date: Thu, 26 Feb 2009 12:00:25 +0100
Subject: [PATCH] Added preliminary descriptions of the authorization, jobsets,
 statuses and oar services.

---
 data/grid5000/services/authorization.json |  9 +++++
 data/grid5000/services/jobsets.json       | 30 ++++++++++++++++
 data/grid5000/services/oar.json           |  9 +++++
 data/grid5000/services/statuses.json      |  9 +++++
 generators/input/services.rb              | 42 ++++++++++++++++++++++-
 generators/lib/g5k_generator.rb           |  6 ++--
 6 files changed, 102 insertions(+), 3 deletions(-)
 create mode 100644 data/grid5000/services/authorization.json
 create mode 100644 data/grid5000/services/jobsets.json
 create mode 100644 data/grid5000/services/oar.json
 create mode 100644 data/grid5000/services/statuses.json

diff --git a/data/grid5000/services/authorization.json b/data/grid5000/services/authorization.json
new file mode 100644
index 00000000000..15657f05003
--- /dev/null
+++ b/data/grid5000/services/authorization.json
@@ -0,0 +1,9 @@
+{
+  "contact": "cyril.rohr@irisa.fr",
+  "description": "Returns the access policy for a particular service accessed by a given user.",
+  "doc": "\/authorization\/doc",
+  "name": "Authorization",
+  "type": "service",
+  "uid": "authorization",
+  "uri": "\/authorization"
+}
\ No newline at end of file
diff --git a/data/grid5000/services/jobsets.json b/data/grid5000/services/jobsets.json
new file mode 100644
index 00000000000..11c9a7668df
--- /dev/null
+++ b/data/grid5000/services/jobsets.json
@@ -0,0 +1,30 @@
+{
+  "description": "Manages the creation\/deletion and update of job sets.",
+  "doc": "\/jobsets\/doc",
+  "name": "Jobsets",
+  "policies": {
+    "DELETE": {
+      "admin_groups": "CT",
+      "authorized_groups": "rennes,grenoble,bordeaux,toulouse,sophia,orsay,nancy,lille,lyon",
+      "user_must_be_owner": true
+    },
+    "GET": {
+      "admin_groups": "CT",
+      "authorized_groups": "rennes,grenoble,bordeaux,toulouse,sophia,orsay,nancy,lille,lyon",
+      "user_must_be_owner": true
+    },
+    "POST": {
+      "admin_groups": "CT",
+      "authorized_groups": "rennes,grenoble,bordeaux,toulouse,sophia,orsay,nancy,lille,lyon",
+      "user_must_be_owner": true
+    },
+    "PUT": {
+      "admin_groups": "CT",
+      "authorized_groups": "rennes,grenoble,bordeaux,toulouse,sophia,orsay,nancy,lille,lyon",
+      "user_must_be_owner": true
+    }
+  },
+  "type": "service",
+  "uid": "jobsets",
+  "uri": "\/jobsets"
+}
\ No newline at end of file
diff --git a/data/grid5000/services/oar.json b/data/grid5000/services/oar.json
new file mode 100644
index 00000000000..289807107cd
--- /dev/null
+++ b/data/grid5000/services/oar.json
@@ -0,0 +1,9 @@
+{
+  "contact": "bruno.bzeznik@imag.fr",
+  "description": null,
+  "doc": null,
+  "name": "OAR",
+  "type": "service",
+  "uid": "oar",
+  "uri": "\/oar-site"
+}
\ No newline at end of file
diff --git a/data/grid5000/services/statuses.json b/data/grid5000/services/statuses.json
new file mode 100644
index 00000000000..03c21bbba92
--- /dev/null
+++ b/data/grid5000/services/statuses.json
@@ -0,0 +1,9 @@
+{
+  "contact": "cyril.rohr@irisa.fr",
+  "description": "Returns the status of a given resource.",
+  "doc": "\/statuses\/doc",
+  "name": "Statuses",
+  "type": "service",
+  "uid": "statuses",
+  "uri": "\/statuses"
+}
\ No newline at end of file
diff --git a/generators/input/services.rb b/generators/input/services.rb
index 7dccb16f698..ba6a45f2226 100644
--- a/generators/input/services.rb
+++ b/generators/input/services.rb
@@ -1 +1,41 @@
-# TODO: services and their access policies
\ No newline at end of file
+# +policies+ is a hash describing the policies for authorizing or refusing access to a particular operation on a specific service:
+#   * the key is the name of the operation (in the case of REST APIs, the operation should be one of the HTTP methods);
+#   * the value is a hash that must contain:
+#     - a comma separated list of +authorized_groups+ ("*" if no restriction),
+#     - a +user_must_be_owner+ boolean indicating if the user requesting the resource must also own it and,
+#     - a comma separated list of +admin_groups+, who will be able to access the resource even if they do not own it.
+# No +policies+ means that the authorization decision is delegated to the API receiving the request.
+service :authorization do
+  name "Authorization"
+  description "Returns the access policy for a particular service accessed by a given user."
+  doc "/authorization/doc"
+  uri "/authorization"
+  contact "cyril.rohr@irisa.fr"
+end
+
+service :jobsets do
+  name "Jobsets"
+  description "Manages the creation/deletion and update of job sets."
+  uri "/jobsets"
+  doc "/jobsets/doc"
+  policies( 'GET' => {:admin_groups => "CT", :authorized_groups => SITES.join(","), :user_must_be_owner => true},
+            'POST' => {:admin_groups => "CT", :authorized_groups => SITES.join(","), :user_must_be_owner => true},
+            'DELETE' => {:admin_groups => "CT", :authorized_groups => SITES.join(","), :user_must_be_owner => true},
+            'PUT' => {:admin_groups => "CT", :authorized_groups => SITES.join(","), :user_must_be_owner => true}  )
+end
+
+service :statuses do
+  name "Statuses"
+  uri "/statuses"
+  doc "/statuses/doc"
+  contact "cyril.rohr@irisa.fr"
+  description "Returns the status of a given resource."
+end
+
+service :oar do
+  name "OAR"
+  uri "/oar-site"
+  doc
+  contact "bruno.bzeznik@imag.fr"
+  description
+end
\ No newline at end of file
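Review bot: Three of the four services declared here (`authorization`, `statuses`, `oar`) have no `policies`, and the header comment defines that absence as delegation to the receiving API, so a service whose policies were forgotten is indistinguishable from one that delegates on purpose. An explicit marker in each such block would make the intent reviewable, for example the comment `# no policies: access control is delegated to the service itself`. In the `jobsets` block the same hash is written four times; building it once, e.g. `owner_only = {:admin_groups => "CT", :authorized_groups => SITES.join(","), :user_must_be_owner => true}`, keeps the four methods from drifting apart. The header comment should also say what `user_must_be_owner` means for `POST`, where the resource presumably does not exist yet.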
diff --git a/generators/lib/g5k_generator.rb b/generators/lib/g5k_generator.rb
index fea3fddd97c..53046e7024e 100755
--- a/generators/lib/g5k_generator.rb
+++ b/generators/lib/g5k_generator.rb
@@ -1,4 +1,6 @@
 module G5K
+  SITES = %w{rennes grenoble bordeaux toulouse sophia orsay nancy lille lyon}
+  
   class Tree < Hash
     attr_reader :contents, :path
     def write(repository, &block)
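Review bot: `SITES` is a mutable array, and generators/input/services.rb uses it to build `authorized_groups` for every jobsets policy, so an accidental in-place change by any code loaded later would alter the generated access lists. Freeze it at definition: `SITES = %w{rennes grenoble bordeaux toulouse sophia orsay nancy lille lyon}.freeze`. The added blank line after it also carries trailing whitespace.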
@@ -48,14 +50,14 @@ module G5K
     end
   end
 
-class ReferenceGenerator
+class ReferenceGenerator  
   attr_reader :data
   
   def method_missing(method, *args)
     @context.recursive_merge!(method.to_sym => args.first)
   end
   
-  %w{site cluster environment node}.each do |method|
+  %w{site cluster environment node service}.each do |method|
     define_method(method) do |uid, *options, &block|
       key = method.pluralize.to_sym
       uid = uid.to_s
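Review bot: Adding `service` to the DSL list means policy declarations now go through the catch-all `method_missing` shown just above, which stores any method name with `args.first` and checks neither the name nor the arity. A misspelled `policies` in generators/input/services.rb would be written under the wrong key with no error, leaving the service in the "no policies" case that services.rb documents as delegation. The bare `doc` and `description` calls in the `oar` block become `null` in oar.json the same way. Consider validating, for services, that a `policies` value carries the three keys the services.rb comment calls mandatory, and rejecting unknown attribute names where the DSL can afford it. The `define_method` body continues past the end of this hunk, so where such a check would sit is not visible here.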
-- 
GitLab