rucio 35.7.0__py3-none-any.whl → 37.0.0__py3-none-any.whl

rucio/db/sqla/session.py

@@ -16,6 +16,7 @@ import copy
 import logging
 import os
 import sys
+from contextlib import contextmanager
 from datetime import datetime, timedelta
 from functools import update_wrapper
 from inspect import getfullargspec, isgeneratorfunction
@@ -33,11 +34,12 @@ from rucio.common.config import config_get
 from rucio.common.exception import DatabaseException, InputValidationError, RucioException
 from rucio.common.extra import import_extras
 from rucio.common.utils import retrying
+from rucio.db.sqla.constants import DatabaseOperationType
 
 EXTRA_MODULES = import_extras(['MySQLdb', 'pymysql'])
 
 if TYPE_CHECKING:
-    from collections.abc import Callable
+    from collections.abc import Callable, Iterator
     from typing import Optional, ParamSpec, TypeVar
 
     from pymysql import Connection as MySQLConnection
@@ -49,7 +51,6 @@ if TYPE_CHECKING:
     R = TypeVar('R')
     CallableTypeVar = TypeVar('CallableTypeVar', bound='Callable[..., Any]')
 
-
 try:
     main_script = os.path.basename(sys.argv[0])
     CURRENT_COMPONENT = main_script.split('-')[1]
@@ -71,6 +72,13 @@ _METADATA = MetaData(schema=DEFAULT_SCHEMA_NAME)
 _MAKER, _ENGINE, _LOCK = None, None, Lock()
 
 
+SQLA_CONFIG_POOLCLASS_MAPPING = {
+    'queuepool': QueuePool,
+    'singletonthreadpool': SingletonThreadPool,
+    'nullpool': NullPool,
+}
+
+
 class BASE(DeclarativeBase):
     metadata = _METADATA
 
@@ -151,22 +159,20 @@ def mysql_convert_decimal_to_float(
 
 def psql_convert_decimal_to_float(dbapi_conn, connection_rec) -> None:
     """
-    The default datatype returned by psycopg2 for numerics is decimal.Decimal.
-    This type cannot be serialised to JSON, therefore we need to autoconvert to floats.
+    Configure the PostgreSQL connection to return numeric types as float instead of Decimal.
+    Psycopg3 provides this functionality through type adapters.
 
     :param dbapi_conn: DBAPI connection
     :param connection_rec: connection record
     """
-
     try:
-        import psycopg2.extensions  # pylint: disable=import-error
-    except:
-        raise RucioException('Trying to use PostgreSQL without psycopg2 or psycopg2-binary installed!')
-
-    DEC2FLOAT = psycopg2.extensions.new_type(psycopg2.extensions.DECIMAL.values,
-                                             'DEC2FLOAT',
-                                             lambda value, curs: float(value) if value is not None else None)
-    psycopg2.extensions.register_type(DEC2FLOAT)
+        import psycopg
+        # Register a global loader that converts numeric types to float
+        dbapi_conn.adapters.register_loader("numeric", psycopg.types.numeric.FloatLoader)
+    except ImportError:
+        raise RucioException('Trying to use PostgreSQL without psycopg installed!')
+    except Exception as error:
+        raise RucioException(f'Error setting up PostgreSQL Decimal to Float conversion: {str(error)}')
 
 
 def my_on_connect(dbapi_con, connection_record) -> None:
@@ -189,12 +195,6 @@ def _get_engine_poolclass(poolclass: str) -> Pool:
     :raises InputValidationError: if config value doesn't correspond to an SQLAlchemy Pool class.
     """
 
-    SQLA_CONFIG_POOLCLASS_MAPPING = {
-        'queuepool': QueuePool,
-        'singletonthreadpool': SingletonThreadPool,
-        'nullpool': NullPool,
-    }
-
     poolclass = poolclass.lower()
 
     if poolclass not in SQLA_CONFIG_POOLCLASS_MAPPING:
@@ -204,7 +204,7 @@ def _get_engine_poolclass(poolclass: str) -> Pool:
 
 
 def get_engine() -> 'Engine':
-    """ Creates a engine to a specific database.
+    """ Creates an engine to a specific database.
         :returns: engine
     """
     global _ENGINE
@@ -223,9 +223,7 @@ def get_engine() -> 'Engine':
                 params[param] = param_type(config_get(DATABASE_SECTION, param, check_config_table=False))
             except:
                 pass
-        # Using sqlAlchemy 2.0 with future=True.
-        # if backing up from 2.0, need to remove future=True .
-        _ENGINE = create_engine(sql_connection, future=True, **params)
+        _ENGINE = create_engine(sql_connection, **params)
         if 'mysql' in sql_connection:
             event.listen(_ENGINE, 'checkout', mysql_ping_listener)
         elif 'postgresql' in sql_connection:
@@ -261,6 +259,7 @@ def get_dump_engine(
             print(statement.replace(')', ');\n'))
         else:
             print(statement)
+
     sql_connection = config_get(DATABASE_SECTION, 'default', check_config_table=False)
 
     engine = create_engine(sql_connection, echo=echo, strategy='mock', executor=dump)
@@ -276,8 +275,7 @@ def get_maker() -> sessionmaker:
     if not _ENGINE:
         raise RuntimeError("Could not form database engine.")
     if not _MAKER:
-        # turn on sqlAlchemy 2.0 with future=True.
-        _MAKER = sessionmaker(bind=_ENGINE, autocommit=False, autoflush=True, expire_on_commit=True, future=True)
+        _MAKER = sessionmaker(bind=_ENGINE, autocommit=False, autoflush=True, expire_on_commit=True)
     return _MAKER
 
 
@@ -387,12 +385,14 @@ def read_session(function: "Callable[P, R]"):
     This is useful if only SELECTs and the like are being done; anything involving
     INSERTs, UPDATEs etc should use transactional_session.
     '''
+
     @retrying(retry_on_exception=retry_if_db_connection_error,
               wait_fixed=500,
               stop_max_attempt_number=2)
     def new_funct(*args: "P.args", session: "Optional[Session]" = None, **kwargs):  # pylint:disable=missing-kwoa
         if isgeneratorfunction(function):
-            raise RucioException('read_session decorator should not be used with generator. Use stream_session instead.')
+            raise RucioException(
+                'read_session decorator should not be used with generator. Use stream_session instead.')
 
         if not session:
             session_scoped = get_session()
@@ -415,6 +415,7 @@ def read_session(function: "Callable[P, R]"):
             return function(*args, session=session, **kwargs)
         except Exception:
             raise
+
     return _update_session_wrapper(new_funct, function)
 
 
@@ -427,13 +428,15 @@ def stream_session(function: "Callable[P, R]"):
     This is useful if only SELECTs and the like are being done; anything involving
     INSERTs, UPDATEs etc should use transactional_session.
     '''
+
     @retrying(retry_on_exception=retry_if_db_connection_error,
               wait_fixed=500,
               stop_max_attempt_number=2)
     def new_funct(*args: "P.args", session: "Optional[Session]" = None, **kwargs):  # pylint:disable=missing-kwoa
 
         if not isgeneratorfunction(function):
-            raise RucioException('stream_session decorator should be used only with generator. Use read_session instead.')
+            raise RucioException(
+                'stream_session decorator should be used only with generator. Use read_session instead.')
 
         if not session:
             session_scoped = get_session()
@@ -469,6 +472,7 @@ def transactional_session(function: "Callable[P, R]") -> 'Callable':
 
     session is a sqlalchemy session, and you can get one calling get_session().
     '''
+
     def new_funct(
             *args: "P.args",
             session: "Optional[Session]" = None,
@@ -495,4 +499,31 @@ def transactional_session(function: "Callable[P, R]") -> 'Callable':
         else:
             result = function(*args, session=session, **kwargs)
         return result
+
     return _update_session_wrapper(new_funct, function)
+
+
+@retrying(retry_on_exception=retry_if_db_connection_error,
+          wait_fixed=500,
+          stop_max_attempt_number=2)
+@contextmanager
+def db_session(operation: DatabaseOperationType) -> "Iterator[Session]":
+    session_scoped = get_session()
+    session = session_scoped()
+    session.begin()
+
+    try:
+        yield session
+        if operation is DatabaseOperationType.WRITE:
+            session.commit()
+    except TimeoutError as error:
+        session.rollback()
+        raise DatabaseException(str(error))
+    except DatabaseError as error:
+        session.rollback()
+        raise DatabaseException(str(error))
+    except Exception:
+        session.rollback()
+        raise
+    finally:
+        session_scoped.remove()

rucio/db/sqla/types.py

@@ -164,7 +164,7 @@ class InternalAccountString(TypeDecorator):
     def process_result_value(self, value, dialect):
         if value is None:
             return value
-        return InternalAccount(value, fromExternal=False)
+        return InternalAccount(value, from_external=False)
 
     def coerce_compared_value(self, op, value):
         if op in (operators.like_op, operators.notlike_op):
@@ -197,7 +197,7 @@ class InternalScopeString(TypeDecorator):
     def process_result_value(self, value, dialect):
         if value is None:
             return value
-        return InternalScope(value, fromExternal=False)
+        return InternalScope(value, from_external=False)
 
     def coerce_compared_value(self, op, value):
         if op in (operators.like_op, operators.notlike_op):

rucio/db/sqla/util.py

@@ -31,7 +31,7 @@ from sqlalchemy.sql.ddl import DropSchema
 from sqlalchemy.sql.expression import select, text
 
 from rucio import alembicrevision
-from rucio.common.cache import make_region_memcached
+from rucio.common.cache import MemcacheRegion
 from rucio.common.config import config_get, config_get_list
 from rucio.common.schema import get_schema_value
 from rucio.common.types import InternalAccount, LoggerFunction
@@ -50,7 +50,7 @@ if TYPE_CHECKING:
     # TypeVar representing the DeclarativeObj class defined inside _create_temp_table
     DeclarativeObj = TypeVar('DeclarativeObj')
 
-REGION = make_region_memcached(expiration_time=600, memcached_expire_time=3660)
+REGION = MemcacheRegion(expiration_time=600, memcached_expire_time=3660)
 
 
 def build_database() -> None:

rucio/gateway/account.py

@@ -12,7 +12,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from collections.abc import Iterator
 from typing import TYPE_CHECKING, Any, Optional
 
 import rucio.common.exception
@@ -27,6 +26,8 @@ from rucio.db.sqla.constants import AccountType
 from rucio.db.sqla.session import read_session, stream_session, transactional_session
 
 if TYPE_CHECKING:
+    from collections.abc import Iterator
+
     from sqlalchemy.orm import Session
 
     from rucio.common.types import AccountAttributesDict, IdentityDict, UsageDict
@@ -59,8 +60,9 @@ def add_account(
     validate_schema(name='account', obj=account, vo=vo)
 
     kwargs = {'account': account, 'type': type_}
-    if not rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='add_account', kwargs=kwargs, session=session):
-        raise rucio.common.exception.AccessDenied('Account %s can not add account' % (issuer))
+    auth_result = rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='add_account', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise rucio.common.exception.AccessDenied('Account %s can not add account. %s' % (issuer, auth_result.message))
 
     internal_account = InternalAccount(account, vo=vo)
 
@@ -85,8 +87,9 @@ def del_account(
 
     """
     kwargs = {'account': account}
-    if not rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='del_account', kwargs=kwargs, session=session):
-        raise rucio.common.exception.AccessDenied('Account %s can not delete account' % (issuer))
+    auth_result = rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='del_account', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise rucio.common.exception.AccessDenied('Account %s can not delete account. %s' % (issuer, auth_result.message))
 
     internal_account = InternalAccount(account, vo=vo)
 
@@ -137,8 +140,9 @@ def update_account(
     """
     validate_schema(name='account', obj=account, vo=vo)
     kwargs = {}
-    if not rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='update_account', kwargs=kwargs, session=session):
-        raise rucio.common.exception.AccessDenied('Account %s can not change %s  of the account' % (issuer, key))
+    auth_result = rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='update_account', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise rucio.common.exception.AccessDenied('Account %s can not change %s  of the account. %s' % (issuer, key, auth_result.message))
 
     internal_account = InternalAccount(account, vo=vo)
 
@@ -146,7 +150,7 @@ def update_account(
 
 
 @stream_session
-def list_accounts(filter_: Optional[dict[str, Any]] = None, vo: str = 'def', *, session: "Session") -> Iterator[dict[str, Any]]:
+def list_accounts(filter_: Optional[dict[str, Any]] = None, vo: str = 'def', *, session: "Session") -> 'Iterator[dict[str, Any]]':
     """
     Lists all the Rucio account names.
 
@@ -254,8 +258,9 @@ def add_account_attribute(
     validate_schema(name='account_attribute', obj=value, vo=vo)
 
     kwargs = {'account': account, 'key': key, 'value': value}
-    if not rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='add_attribute', kwargs=kwargs, session=session):
-        raise rucio.common.exception.AccessDenied('Account %s can not add attributes' % (issuer))
+    auth_result = rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='add_attribute', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise rucio.common.exception.AccessDenied('Account %s can not add attributes. %s' % (issuer, auth_result.message))
 
     internal_account = InternalAccount(account, vo=vo)
 
@@ -281,8 +286,9 @@ def del_account_attribute(
     :param session: The database session in use.
     """
     kwargs = {'account': account, 'key': key}
-    if not rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='del_attribute', kwargs=kwargs, session=session):
-        raise rucio.common.exception.AccessDenied('Account %s can not delete attribute' % (issuer))
+    auth_result = rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='del_attribute', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise rucio.common.exception.AccessDenied('Account %s can not delete attribute. %s' % (issuer, auth_result.message))
 
     internal_account = InternalAccount(account, vo=vo)
 

rucio/gateway/account_limit.py

@@ -12,11 +12,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, Any, Union
 
 import rucio.common.exception
 import rucio.gateway.permission
-from rucio.common.types import InternalAccount
+from rucio.common.types import InternalAccount, RSEResolvedGlobalAccountLimitDict
 from rucio.common.utils import gateway_update_return_dict
 from rucio.core import account_limit as account_limit_core
 from rucio.core.account import account_exists
@@ -28,7 +28,12 @@ if TYPE_CHECKING:
 
 
 @read_session
-def get_rse_account_usage(rse, vo='def', *, session: "Session"):
+def get_rse_account_usage(
+    rse: str,
+    vo: str = 'def',
+    *,
+    session: "Session"
+) -> list[dict[str, Any]]:
     """
     Returns the account limit and usage for all for all accounts on a RSE.
 
@@ -43,7 +48,12 @@ def get_rse_account_usage(rse, vo='def', *, session: "Session"):
 
 
 @read_session
-def get_local_account_limits(account, vo='def', *, session: "Session"):
+def get_local_account_limits(
+    account: str,
+    vo: str = 'def',
+    *,
+    session: "Session"
+) -> dict[str, Any]:
     """
     Lists the limitation names/values for the specified account name.
 
@@ -56,16 +66,22 @@ def get_local_account_limits(account, vo='def', *, session: "Session"):
     :returns: The account limits.
     """
 
-    account = InternalAccount(account, vo=vo)
+    internal_account = InternalAccount(account, vo=vo)
 
     rse_instead_id = {}
-    for elem in account_limit_core.get_local_account_limits(account=account, session=session).items():
+    for elem in account_limit_core.get_local_account_limits(account=internal_account, session=session).items():
         rse_instead_id[get_rse_name(rse_id=elem[0], session=session)] = elem[1]
     return rse_instead_id
 
 
 @read_session
-def get_local_account_limit(account, rse, vo='def', *, session: "Session"):
+def get_local_account_limit(
+    account: str,
+    rse: str,
+    vo: str = 'def',
+    *,
+    session: "Session"
+) -> dict[str, Union[int, float, None]]:
     """
     Lists the limitation names/values for the specified account name and rse name.
 
@@ -79,14 +95,19 @@ def get_local_account_limit(account, rse, vo='def', *, session: "Session"):
     :returns: The account limit.
     """
 
-    account = InternalAccount(account, vo=vo)
+    internal_account = InternalAccount(account, vo=vo)
 
     rse_id = get_rse_id(rse=rse, vo=vo, session=session)
-    return {rse: account_limit_core.get_local_account_limit(account=account, rse_id=rse_id, session=session)}
+    return {rse: account_limit_core.get_local_account_limit(account=internal_account, rse_id=rse_id, session=session)}
 
 
 @read_session
-def get_global_account_limits(account, vo='def', *, session: "Session"):
+def get_global_account_limits(
+    account: str,
+    vo: str = 'def',
+    *,
+    session: "Session"
+) -> dict[str, RSEResolvedGlobalAccountLimitDict]:
     """
     Lists the limitation names/values for the specified account name.
 
@@ -99,15 +120,21 @@ def get_global_account_limits(account, vo='def', *, session: "Session"):
     :returns: The account limits.
     """
     if account:
-        account = InternalAccount(account, vo=vo)
+        internal_account = InternalAccount(account, vo=vo)
     else:
-        account = InternalAccount('*', vo=vo)
+        internal_account = InternalAccount('*', vo=vo)
 
-    return account_limit_core.get_global_account_limits(account=account, session=session)
+    return account_limit_core.get_global_account_limits(account=internal_account, session=session)
 
 
 @read_session
-def get_global_account_limit(account, rse_expression, vo='def', *, session: "Session"):
+def get_global_account_limit(
+    account: str,
+    rse_expression: str,
+    vo: str = 'def',
+    *,
+    session: "Session"
+) -> dict[str, dict[str, RSEResolvedGlobalAccountLimitDict]]:
     """
     Lists the limitation names/values for the specified account name and rse expression.
 
@@ -121,15 +148,23 @@ def get_global_account_limit(account, rse_expression, vo='def', *, session: "Ses
     :returns: The account limit.
     """
 
-    account = InternalAccount(account, vo=vo)
+    internal_account = InternalAccount(account, vo=vo)
 
-    return {rse_expression: account_limit_core.get_global_account_limit(account=account, rse_expression=rse_expression, session=session)}
+    return {rse_expression: account_limit_core.get_global_account_limit(account=internal_account, rse_expression=rse_expression, session=session)}
 
 
 @transactional_session
-def set_local_account_limit(account, rse, bytes_, issuer, vo='def', *, session: "Session"):
+def set_local_account_limit(
+    account: str,
+    rse: str,
+    bytes_: int,
+    issuer: str,
+    vo: str = 'def',
+    *,
+    session: "Session"
+) -> None:
     """
-    Set an account limit..
+    Set an account limit.
 
     :param account: The account name.
     :param rse:     The rse name.
@@ -141,19 +176,28 @@ def set_local_account_limit(account, rse, bytes_, issuer, vo='def', *, session:
     rse_id = get_rse_id(rse=rse, vo=vo, session=session)
 
     kwargs = {'account': account, 'rse': rse, 'rse_id': rse_id, 'bytes': bytes_}
-    if not rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='set_local_account_limit', kwargs=kwargs, session=session):
-        raise rucio.common.exception.AccessDenied('Account %s can not set account limits.' % (issuer))
+    auth_result = rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='set_local_account_limit', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise rucio.common.exception.AccessDenied('Account %s can not set account limits. %s' % (issuer, auth_result.message))
 
-    account = InternalAccount(account, vo=vo)
+    internal_account = InternalAccount(account, vo=vo)
 
-    if not account_exists(account=account, session=session):
-        raise rucio.common.exception.AccountNotFound('Account %s does not exist' % (account))
+    if not account_exists(account=internal_account, session=session):
+        raise rucio.common.exception.AccountNotFound('Account %s does not exist' % (internal_account))
 
-    account_limit_core.set_local_account_limit(account=account, rse_id=rse_id, bytes_=bytes_, session=session)
+    account_limit_core.set_local_account_limit(account=internal_account, rse_id=rse_id, bytes_=bytes_, session=session)
 
 
 @transactional_session
-def set_global_account_limit(account, rse_expression, bytes_, issuer, vo='def', *, session: "Session"):
+def set_global_account_limit(
+    account: str,
+    rse_expression: str,
+    bytes_: int,
+    issuer: str,
+    vo: str = 'def',
+    *,
+    session: "Session"
+) -> None:
     """
     Set a global account limit.
 
@@ -166,21 +210,29 @@ def set_global_account_limit(account, rse_expression, bytes_, issuer, vo='def',
     """
 
     kwargs = {'account': account, 'rse_expression': rse_expression, 'bytes': bytes_}
-    if not rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='set_global_account_limit', kwargs=kwargs, session=session):
-        raise rucio.common.exception.AccessDenied('Account %s can not set account limits.' % (issuer))
+    auth_result = rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='set_global_account_limit', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise rucio.common.exception.AccessDenied('Account %s can not set account limits. %s' % (issuer, auth_result.message))
 
-    account = InternalAccount(account, vo=vo)
+    internal_account = InternalAccount(account, vo=vo)
 
-    if not account_exists(account=account, session=session):
-        raise rucio.common.exception.AccountNotFound('Account %s does not exist' % (account))
+    if not account_exists(account=internal_account, session=session):
+        raise rucio.common.exception.AccountNotFound('Account %s does not exist' % (internal_account))
 
-    account_limit_core.set_global_account_limit(account=account, rse_expression=rse_expression, bytes_=bytes_, session=session)
+    account_limit_core.set_global_account_limit(account=internal_account, rse_expression=rse_expression, bytes_=bytes_, session=session)
 
 
 @transactional_session
-def delete_local_account_limit(account, rse, issuer, vo='def', *, session: "Session"):
+def delete_local_account_limit(
+    account: str,
+    rse: str,
+    issuer: str,
+    vo: str = 'def',
+    *,
+    session: "Session"
+) -> bool:
     """
-    Delete an account limit..
+    Delete an account limit.
 
     :param account: The account name.
     :param rse:     The rse name.
@@ -193,19 +245,27 @@ def delete_local_account_limit(account, rse, issuer, vo='def', *, session: "Sess
 
     rse_id = get_rse_id(rse=rse, vo=vo, session=session)
     kwargs = {'account': account, 'rse': rse, 'rse_id': rse_id}
-    if not rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='delete_local_account_limit', kwargs=kwargs, session=session):
-        raise rucio.common.exception.AccessDenied('Account %s can not delete account limits.' % (issuer))
+    auth_result = rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='delete_local_account_limit', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise rucio.common.exception.AccessDenied('Account %s can not delete account limits. %s' % (issuer, auth_result.message))
 
-    account = InternalAccount(account, vo=vo)
+    internal_account = InternalAccount(account, vo=vo)
 
-    if not account_exists(account=account, session=session):
-        raise rucio.common.exception.AccountNotFound('Account %s does not exist' % (account))
+    if not account_exists(account=internal_account, session=session):
+        raise rucio.common.exception.AccountNotFound('Account %s does not exist' % (internal_account))
 
-    return account_limit_core.delete_local_account_limit(account=account, rse_id=rse_id, session=session)
+    return account_limit_core.delete_local_account_limit(account=internal_account, rse_id=rse_id, session=session)
 
 
 @transactional_session
-def delete_global_account_limit(account, rse_expression, issuer, vo='def', *, session: "Session"):
+def delete_global_account_limit(
+    account: str,
+    rse_expression: str,
+    issuer: str,
+    vo: str = 'def',
+    *,
+    session: "Session"
+) -> bool:
     """
     Delete a global account limit..
 
@@ -219,19 +279,27 @@ def delete_global_account_limit(account, rse_expression, issuer, vo='def', *, se
     """
 
     kwargs = {'account': account, 'rse_expression': rse_expression}
-    if not rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='delete_global_account_limit', kwargs=kwargs, session=session):
-        raise rucio.common.exception.AccessDenied('Account %s can not delete global account limits.' % (issuer))
+    auth_result = rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='delete_global_account_limit', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise rucio.common.exception.AccessDenied('Account %s can not delete global account limits. %s' % (issuer, auth_result.message))
 
-    account = InternalAccount(account, vo=vo)
+    internal_account = InternalAccount(account, vo=vo)
 
-    if not account_exists(account=account, session=session):
-        raise rucio.common.exception.AccountNotFound('Account %s does not exist' % (account))
+    if not account_exists(account=internal_account, session=session):
+        raise rucio.common.exception.AccountNotFound('Account %s does not exist' % (internal_account))
 
-    return account_limit_core.delete_global_account_limit(account=account, rse_expression=rse_expression, session=session)
+    return account_limit_core.delete_global_account_limit(account=internal_account, rse_expression=rse_expression, session=session)
 
 
 @read_session
-def get_local_account_usage(account, rse, issuer, vo='def', *, session: "Session"):
+def get_local_account_usage(
+    account: str,
+    rse: str,
+    issuer: str,
+    vo: str = 'def',
+    *,
+    session: "Session"
+) -> list[dict[str, Any]]:
     """
     Get the account usage and connect it with (if available) the account limits of the account.
 
@@ -249,19 +317,27 @@ def get_local_account_usage(account, rse, issuer, vo='def', *, session: "Session
     if rse:
         rse_id = get_rse_id(rse=rse, vo=vo, session=session)
     kwargs = {'account': account, 'rse': rse, 'rse_id': rse_id}
-    if not rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='get_local_account_usage', kwargs=kwargs, session=session):
-        raise rucio.common.exception.AccessDenied('Account %s can not list account usage.' % (issuer))
+    auth_result = rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='get_local_account_usage', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise rucio.common.exception.AccessDenied('Account %s can not list account usage. %s' % (issuer, auth_result.message))
 
-    account = InternalAccount(account, vo=vo)
+    internal_account = InternalAccount(account, vo=vo)
 
-    if not account_exists(account=account, session=session):
-        raise rucio.common.exception.AccountNotFound('Account %s does not exist' % (account))
+    if not account_exists(account=internal_account, session=session):
+        raise rucio.common.exception.AccountNotFound('Account %s does not exist' % (internal_account))
 
-    return [gateway_update_return_dict(d, session=session) for d in account_limit_core.get_local_account_usage(account=account, rse_id=rse_id, session=session)]
+    return [gateway_update_return_dict(d, session=session) for d in account_limit_core.get_local_account_usage(account=internal_account, rse_id=rse_id, session=session)]
 
 
 @read_session
-def get_global_account_usage(account, rse_expression, issuer, vo='def', *, session: "Session"):
+def get_global_account_usage(
+    account: str,
+    rse_expression: str,
+    issuer: str,
+    vo: str = 'def',
+    *,
+    session: "Session"
+) -> list[dict[str, Any]]:
     """
     Get the account usage and connect it with (if available) the account limits of the account.
 
@@ -275,12 +351,13 @@ def get_global_account_usage(account, rse_expression, issuer, vo='def', *, sessi
     """
 
     kwargs = {'account': account, 'rse_expression': rse_expression}
-    if not rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='get_global_account_usage', kwargs=kwargs, session=session):
-        raise rucio.common.exception.AccessDenied('Account %s can not list global account usage.' % (issuer))
+    auth_result = rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='get_global_account_usage', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise rucio.common.exception.AccessDenied('Account %s can not list global account usage. %s' % (issuer, auth_result.message))
 
-    account = InternalAccount(account, vo=vo)
+    internal_account = InternalAccount(account, vo=vo)
 
-    if not account_exists(account=account, session=session):
-        raise rucio.common.exception.AccountNotFound('Account %s does not exist' % (account))
+    if not account_exists(account=internal_account, session=session):
+        raise rucio.common.exception.AccountNotFound('Account %s does not exist' % (internal_account))
 
-    return [gateway_update_return_dict(d, session=session) for d in account_limit_core.get_global_account_usage(account=account, rse_expression=rse_expression, session=session)]
+    return [gateway_update_return_dict(d, session=session) for d in account_limit_core.get_global_account_usage(account=internal_account, rse_expression=rse_expression, session=session)]