Enhance Agent policy support

ooici · Oct 8, 2012 · 4da802d · 4da802d
1 parent fc5f104
commit 4da802d
Show file tree

Hide file tree

Showing 6 changed files with 71 additions and 11 deletions.
diff --git a/extern/ion-definitions b/extern/ion-definitions
diff --git a/pyon/agent/agent.py b/pyon/agent/agent.py
@@ -16,6 +16,7 @@
 from pyon.event.event import EventPublisher
 from pyon.util.log import log
 from pyon.util.containers import get_ion_ts
+from pyon.ion.resource import RT, PRED, OT, LCS
 
 # Pyon exceptions.
 from pyon.core.exception import IonException
@@ -171,9 +172,28 @@ def _on_quit(self):
         pass
 
     ##############################################################
-    # Governance interface.
+    # Governance interfaces and helpers
     ##############################################################
 
+    def _is_policy_enabled(self):
+        #TODO - may have to figure out another way to do this.
+
+        if self.CFG.get_safe("system.load_policy", False):
+            return True
+
+        return False
+
+    def _get_resource_commitments(self, user_id):
+
+        log.debug("Checking for commitments for user_id: " + user_id)
+
+        commitments,_ = self.clients.resource_registry.find_objects(self.resource_id, PRED.hasCommitment, RT.Commitment)
+        for com in commitments:
+            if com.consumer == user_id and com.lcstate != LCS.RETIRED:
+                return com
+
+        return None
+
     def negotiate(self, resource_id="", sap_in=None):
         """
         TBD.

diff --git a/pyon/agent/simple_agent.py b/pyon/agent/simple_agent.py
@@ -12,7 +12,7 @@
 from pyon.core.bootstrap import IonObject
 from pyon.core import exception as iex
 from pyon.event.event import EventPublisher
-from pyon.ion.resource import RT
+from pyon.ion.resource import RT, PRED, LCS
 from pyon.util.log import log
 from pyon.util.containers import get_ion_ts
 
@@ -52,6 +52,32 @@ def _on_init(self):
     def _on_quit(self):
         pass
 
+
+    ##############################################################
+    # Governance interfaces and helpers
+    ##############################################################
+
+    def _is_policy_enabled(self):
+        #TODO - may have to figure out another way to do this.
+
+        if self.CFG.get_safe("system.load_policy", False):
+            return True
+
+        return False
+
+    def _get_resource_commitments(self, user_id):
+
+        log.debug("Checking for commitments for user_id: " + user_id)
+        #TODO - why isn't the resource registry defined in this agent?
+
+        #commitments,_ = self.clients.resource_registry.find_objects(self.resource_id, PRED.hasCommitment, RT.Commitment)
+        #for com in commitments:
+        #    if com.consumer == user_id and com.lcstate != LCS.RETIRED:
+        #        return com
+
+        return None
+
+
     def negotiate(self, resource_id="", sap_in=None):
         pass
 

diff --git a/pyon/core/governance/governance_controller.py b/pyon/core/governance/governance_controller.py
@@ -59,8 +59,9 @@ def start(self):
         self._is_container_org_boundary = CFG.get_safe('container.org_boundary',False)
         self._container_org_name = CFG.get_safe('container.org_name', CFG.get_safe('system.root_org', 'ION'))
         self._container_org_id = None
+        self._system_root_org_name = CFG.get_safe('system.root_org', 'ION')
 
-        self._is_root_org_container = (self._container_org_name == CFG.get_safe('system.root_org', 'ION'))
+        self._is_root_org_container = (self._container_org_name == self._system_root_org_name)
 
         if self.enabled:
             self.initialize_from_config(config)

diff --git a/pyon/core/governance/negotiation.py b/pyon/core/governance/negotiation.py
@@ -23,7 +23,7 @@ class Negotiation(object):
     def create_counter_proposal(self,negotiation=None, proposal_status=ProposalStatusEnum.COUNTER,
                                 originator=ProposalOriginatorEnum.CONSUMER):
 
-        if negotiation is None or negotiation.type_ != OT.Negotiation:
+        if negotiation is None or negotiation.type_ != RT.Negotiation:
             raise BadRequest('The negotiation parameter must be a valid Negotiation object')
 
         counter_sap = copy.deepcopy(negotiation.proposals[-1])

diff --git a/pyon/core/governance/policy/policy_decision.py b/pyon/core/governance/policy/policy_decision.py
@@ -184,25 +184,36 @@ def _create_request_from_message(self, invocation, receiver, receiver_type='serv
         ion_actor_id = invocation.get_header_value('ion-actor-id', 'anonymous')
         actor_roles = invocation.get_header_value('ion-actor-roles', {})
 
-        log.debug("XACML Request: sender: %s, receiver:%s, op:%s,  ion_actor_id:%s, ion_actor_roles:%s" % (sender, receiver, op, ion_actor_id, str(actor_roles)))
+        log.debug("Using XACML Request: sender: %s, receiver:%s, op:%s,  ion_actor_id:%s, ion_actor_roles:%s" % (sender, receiver, op, ion_actor_id, str(actor_roles)))
 
         request = Request()
         subject = Subject()
         subject.attributes.append(self.create_string_attribute(SENDER_ID, sender))
         subject.attributes.append(self.create_string_attribute(Identifiers.Subject.SUBJECT_ID, ion_actor_id))
 
-        #Get the Org Id of this container that is running the endpoint process
-        org_name = self.governance_controller.get_container_org_boundary_name()
+        #Get the Org name associated with the endpoint process
+        endpoint_process = invocation.get_arg_value('process', invocation)
+        if hasattr(endpoint_process,'org_name'):
+            org_name = endpoint_process.org_name
+        else:
+            org_name = self.governance_controller._system_root_org_name
 
-        #If this is not a root Org container, then iterate over the roles associated with the user only for
-        #the Org that this container is associated with otherwise include all roles and create attributes for each
-        if self.governance_controller.is_root_org_container():
+        #If this process is not associated wiht the root Org, then iterate over the roles associated with the user only for
+        #the Org that this process is associated with otherwise include all roles and create attributes for each
+        if org_name == self.governance_controller._system_root_org_name:
+            #If the process Org name is the same for the System Root Org, then include all of them to be safe
             for org in actor_roles:
                 self.create_org_role_attribute(actor_roles[org],subject)
         else:
             if actor_roles.has_key(org_name):
                 self.create_org_role_attribute(actor_roles[org_name],subject)
 
+            #Handle the special case for the ION system actor
+            if actor_roles.has_key(self.governance_controller._system_root_org_name):
+                if 'ION_MANAGER' in actor_roles[self.governance_controller._system_root_org_name]:
+                    self.create_org_role_attribute(['ION_MANAGER'],subject)
+
+
         request.subjects.append(subject)
 
         resource = Resource()
@@ -212,6 +223,8 @@ def _create_request_from_message(self, invocation, receiver, receiver_type='serv
 
         request.action = Action()
         request.action.attributes.append(self.create_string_attribute(Identifiers.Action.ACTION_ID, op))
+
+
         return request
 
     def check_agent_request_policies(self, invocation):