rucio 35.7.0__py3-none-any.whl → 37.0.0__py3-none-any.whl

rucio/gateway/exporter.py

@@ -35,8 +35,9 @@ def export_data(issuer: str, distance: bool = True, vo: str = 'def', *, session:
     :param session: The database session in use.
     """
     kwargs = {'issuer': issuer}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='export', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not export data' % issuer)
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='export', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not export data. %s' % (issuer, auth_result.message))
 
     data = exporter.export_data(distance=distance, vo=vo, session=session)
     rses = {}

rucio/gateway/heartbeat.py

@@ -37,8 +37,9 @@ def list_heartbeats(issuer: Optional[str] = None, vo: str = 'def', *, session: "
     """
 
     kwargs = {'issuer': issuer}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='list_heartbeats', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('%s cannot list heartbeats' % issuer)
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='list_heartbeats', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('%s cannot list heartbeats. %s' % (issuer, auth_result.message))
     return heartbeat.list_heartbeats(session=session)
 
 
@@ -69,6 +70,7 @@ def create_heartbeat(
 
     """
     kwargs = {'issuer': issuer}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='send_heartbeats', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('%s cannot send heartbeats' % issuer)
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='send_heartbeats', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('%s cannot send heartbeats. %s' % (issuer, auth_result.message))
     heartbeat.live(executable=executable, hostname=hostname, pid=pid, thread=thread, older_than=older_than, payload=payload, session=session)

rucio/gateway/identity.py

@@ -21,25 +21,21 @@ from typing import TYPE_CHECKING, Optional
 from rucio.common import exception
 from rucio.common.types import InternalAccount
 from rucio.core import identity
-from rucio.db.sqla.constants import IdentityType
-from rucio.db.sqla.session import read_session, transactional_session
+from rucio.db.sqla.constants import DatabaseOperationType, IdentityType
+from rucio.db.sqla.session import db_session
 from rucio.gateway import permission
 
 if TYPE_CHECKING:
     from collections.abc import Sequence
 
     from sqlalchemy import Row
-    from sqlalchemy.orm import Session
 
 
-@transactional_session
 def add_identity(
     identity_key: str,
     id_type: str,
     email: str,
     password: Optional[str] = None,
-    *,
-    session: "Session"
 ) -> None:
     """
     Creates a user identity.
@@ -48,19 +44,16 @@ def add_identity(
     :param id_type: The type of the authentication (x509, gss, userpass, ssh, saml)
     :param email: The Email address associated with the identity.
     :param password: If type==userpass, this sets the password.
-    :param session: The database session in use.
     """
-    return identity.add_identity(identity_key, IdentityType[id_type.upper()], email, password=password, session=session)
+    with db_session(DatabaseOperationType.WRITE) as session:
+        return identity.add_identity(identity_key, IdentityType[id_type.upper()], email, password=password, session=session)
 
 
-@transactional_session
 def del_identity(
     identity_key: str,
     id_type: str,
     issuer: str,
     vo: str = 'def',
-    *,
-    session: "Session"
 ) -> None:
     """
     Deletes a user identity.
@@ -68,17 +61,18 @@ def del_identity(
     :param id_type: The type of the authentication (x509, gss, userpass, ssh, saml).
     :param issuer: The issuer account.
     :param vo: the VO of the issuer.
-    :param session: The database session in use.
     """
     converted_id_type = IdentityType[id_type.upper()]
-    kwargs = {'accounts': identity.list_accounts_for_identity(identity_key, converted_id_type, session=session)}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='del_identity', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not delete identity' % (issuer))
 
-    return identity.del_identity(identity_key, converted_id_type, session=session)
+    with db_session(DatabaseOperationType.WRITE) as session:
+        kwargs = {'accounts': identity.list_accounts_for_identity(identity_key, converted_id_type, session=session)}
+        auth_result = permission.has_permission(issuer=issuer, vo=vo, action='del_identity', kwargs=kwargs, session=session)
+        if not auth_result.allowed:
+            raise exception.AccessDenied('Account %s can not delete identity. %s' % (issuer, auth_result.message))
+
+        return identity.del_identity(identity_key, converted_id_type, session=session)
 
 
-@transactional_session
 def add_account_identity(
     identity_key: str,
     id_type: str,
@@ -88,8 +82,6 @@ def add_account_identity(
     default: bool = False,
     password: Optional[str] = None,
     vo: str = 'def',
-    *,
-    session: "Session"
 ) -> None:
     """
     Adds a membership association between identity and account.
@@ -102,39 +94,37 @@ def add_account_identity(
     :param default: If True, the account should be used by default with the provided identity.
     :param password: Password if id_type is userpass.
     :param vo: the VO to act on.
-    :param session: The database session in use.
     """
     kwargs = {'identity': identity_key, 'type': id_type, 'account': account}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='add_account_identity', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not add account identity' % (issuer))
 
-    internal_account = InternalAccount(account, vo=vo)
+    with db_session(DatabaseOperationType.WRITE) as session:
+        auth_result = permission.has_permission(issuer=issuer, vo=vo, action='add_account_identity', kwargs=kwargs, session=session)
+        if not auth_result.allowed:
+            raise exception.AccessDenied('Account %s can not add account identity. %s' % (issuer, auth_result.message))
+
+        internal_account = InternalAccount(account, vo=vo)
 
-    return identity.add_account_identity(identity=identity_key, type_=IdentityType[id_type.upper()], default=default,
-                                         email=email, account=internal_account, password=password, session=session)
+        return identity.add_account_identity(identity=identity_key, type_=IdentityType[id_type.upper()], default=default,
+                                             email=email, account=internal_account, password=password, session=session)
 
 
-@read_session
-def verify_identity(identity_key: str, id_type: str, password: Optional[str] = None, *, session: "Session") -> bool:
+def verify_identity(identity_key: str, id_type: str, password: Optional[str] = None) -> bool:
     """
     Verifies a user identity.
     :param identity_key: The identity key name. For example x509 DN, or a username.
     :param id_type: The type of the authentication (x509, gss, userpass, ssh, saml)
     :param password: If type==userpass, verifies the identity_key, .
-    :param session: The database session in use.
     """
-    return identity.verify_identity(identity_key, IdentityType[id_type.upper()], password=password, session=session)
+    with db_session(DatabaseOperationType.READ) as session:
+        return identity.verify_identity(identity_key, IdentityType[id_type.upper()], password=password, session=session)
 
 
-@transactional_session
 def del_account_identity(
     identity_key: str,
     id_type: str,
     account: str,
     issuer: str,
     vo: str = 'def',
-    *,
-    session: "Session"
 ) -> None:
     """
     Removes a membership association between identity and account.
@@ -144,61 +134,56 @@ def del_account_identity(
     :param account: The account name.
     :param issuer: The issuer account.
     :param vo: the VO to act on.
-    :param session: The database session in use.
     """
     kwargs = {'account': account}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='del_account_identity', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not delete account identity' % (issuer))
 
-    internal_account = InternalAccount(account, vo=vo)
+    with db_session(DatabaseOperationType.WRITE) as session:
+        auth_result = permission.has_permission(issuer=issuer, vo=vo, action='del_account_identity', kwargs=kwargs, session=session)
+        if not auth_result.allowed:
+            raise exception.AccessDenied('Account %s can not delete account identity. %s' % (issuer, auth_result.message))
+
+        internal_account = InternalAccount(account, vo=vo)
 
-    return identity.del_account_identity(identity_key, IdentityType[id_type.upper()], internal_account, session=session)
+        return identity.del_account_identity(identity_key, IdentityType[id_type.upper()], internal_account, session=session)
 
 
-@read_session
-def list_identities(*, session: "Session", **kwargs) -> "Sequence[Row[tuple[str, IdentityType]]]":
+def list_identities(**kwargs) -> "Sequence[Row[tuple[str, IdentityType]]]":
     """
     Returns a list of all enabled identities.
 
-    :param session: The database session in use.
     returns: A list of all enabled identities.
     """
-    return identity.list_identities(session=session, **kwargs)
+    with db_session(DatabaseOperationType.READ) as session:
+        return identity.list_identities(session=session, **kwargs)
 
 
-@read_session
 def get_default_account(
     identity_key: str,
     id_type: str,
-    *,
-    session: "Session"
 ) -> str:
     """
     Returns the default account for this identity.
 
     :param identity_key: The identity key name. For example x509 DN, or a username.
     :param id_type: The type of the authentication (x509, gss, userpass, ssh, saml).
-    :param session: The database session in use.
     """
-    account = identity.get_default_account(identity_key, IdentityType[id_type.upper()], session=session)
+    with db_session(DatabaseOperationType.READ) as session:
+        account = identity.get_default_account(identity_key, IdentityType[id_type.upper()], session=session)
     return account.external
 
 
-@read_session
 def list_accounts_for_identity(
     identity_key: str,
     id_type: str,
-    *,
-    session: "Session"
 ) -> list[str]:
     """
     Returns a list of all accounts for an identity.
 
     :param identity: The identity key name. For example x509 DN, or a username.
     :param id_type: The type of the authentication (x509, gss, userpass, ssh, saml).
-    :param session: The database session in use.
 
     returns: A list of all accounts for the identity.
     """
-    accounts = identity.list_accounts_for_identity(identity_key, IdentityType[id_type.upper()], session=session)
+    with db_session(DatabaseOperationType.READ) as session:
+        accounts = identity.list_accounts_for_identity(identity_key, IdentityType[id_type.upper()], session=session)
     return [account.external for account in accounts]

rucio/gateway/importer.py

@@ -37,8 +37,9 @@ def import_data(data: dict[str, Any], issuer: str, vo: str = 'def', *, session:
     """
     kwargs = {'issuer': issuer}
     validate_schema(name='import', obj=data, vo=vo)
-    if not permission.has_permission(issuer=issuer, vo=vo, action='import', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not import data' % issuer)
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='import', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not import data. %s' % (issuer, auth_result.message))
 
     for account in data.get('accounts', []):
         account['account'] = InternalAccount(account['account'], vo=vo)

rucio/gateway/lifetime_exception.py

@@ -115,6 +115,7 @@ def update_exception(
     :param session:    The database session in use.
     """
     kwargs = {'exception_id': exception_id, 'vo': vo}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='update_lifetime_exceptions', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not update lifetime exceptions' % (issuer))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='update_lifetime_exceptions', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not update lifetime exceptions. %s' % (issuer, auth_result.message))
     return lifetime_exception.update_exception(exception_id=exception_id, state=state, session=session)

rucio/gateway/meta_conventions.py

@@ -16,7 +16,6 @@ from typing import TYPE_CHECKING, Optional, Union
 
 from rucio.common.exception import AccessDenied
 from rucio.core import meta_conventions
-from rucio.db.sqla.constants import KeyType
 from rucio.db.sqla.session import read_session, transactional_session
 from rucio.gateway.permission import has_permission
 
@@ -24,6 +23,7 @@ if TYPE_CHECKING:
     from sqlalchemy.orm import Session
 
     from rucio.common.types import InternalAccount
+    from rucio.db.sqla.constants import KeyType
 
 
 @read_session
@@ -53,7 +53,16 @@ def list_values(key: str, *, session: "Session") -> list[str]:
 
 
 @transactional_session
-def add_key(key: str, key_type: Union[KeyType, str], issuer: "InternalAccount", value_type: Optional[str] = None, value_regexp: Optional[str] = None, vo: str = 'def', *, session: "Session") -> None:
+def add_key(
+    key: str,
+    key_type: Union["KeyType", str],
+    issuer: "InternalAccount",
+    value_type: Optional[str] = None,
+    value_regexp: Optional[str] = None,
+    vo: str = 'def',
+    *,
+    session: "Session"
+) -> None:
     """
     Add an allowed key for DID metadata (update the DID Metadata Conventions table with a new key).
 
@@ -66,8 +75,9 @@ def add_key(key: str, key_type: Union[KeyType, str], issuer: "InternalAccount",
     :param session: The database session in use.
     """
     kwargs = {'key': key, 'key_type': key_type, 'value_type': value_type, 'value_regexp': value_regexp}
-    if not has_permission(issuer=issuer, vo=vo, action='add_key', kwargs=kwargs, session=session):
-        raise AccessDenied('Account %s can not add key' % (issuer))
+    auth_result = has_permission(issuer=issuer, vo=vo, action='add_key', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise AccessDenied('Account %s can not add key. %s' % (issuer, auth_result.message))
     return meta_conventions.add_key(key=key, key_type=key_type, value_type=value_type, value_regexp=value_regexp, session=session)
 
 
@@ -82,6 +92,7 @@ def add_value(key: str, value: str, issuer: "InternalAccount", vo: str = 'def',
     :param session: The database session in use.
     """
     kwargs = {'key': key, 'value': value}
-    if not has_permission(issuer=issuer, vo=vo, action='add_value', kwargs=kwargs, session=session):
-        raise AccessDenied('Account %s can not add value %s to key %s' % (issuer, value, key))
+    auth_result = has_permission(issuer=issuer, vo=vo, action='add_value', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise AccessDenied('Account %s can not add value %s to key %s. %s' % (issuer, value, key, auth_result.message))
     return meta_conventions.add_value(key=key, value=value, session=session)

rucio/gateway/permission.py

@@ -24,9 +24,11 @@ from rucio.db.sqla.session import read_session
 if TYPE_CHECKING:
     from sqlalchemy.orm import Session
 
+    from rucio.core.permission import PermissionResult
+
 
 @read_session
-def has_permission(issuer: str, action: str, kwargs: dict[str, Any], vo: str = 'def', *, session: "Session") -> bool:
+def has_permission(issuer: str, action: str, kwargs: dict[str, Any], vo: str = 'def', *, session: "Session") -> 'PermissionResult':
     """
     Checks if an account has the specified permission to
     execute an action with parameters.
@@ -62,6 +64,7 @@ def has_permission(issuer: str, action: str, kwargs: dict[str, Any], vo: str = '
             r['account'] = InternalAccount(r['account'], vo=vo)
     if 'dids' in kwargs:
         for d in kwargs['dids']:
+            d['scope'] = InternalScope(d['scope'], vo=vo)
             if 'rules' in d:
                 for r in d['rules']:
                     r['account'] = InternalAccount(r['account'], vo=vo)

rucio/gateway/quarantined_replica.py

@@ -57,8 +57,9 @@ def quarantine_file_replicas(
     if rse_id is None:
         rse_id = get_rse_id(rse, vo=vo, session=session)
 
-    if not permission.has_permission(issuer, 'quarantine_file_replicas', {}, vo=vo, session=session):
-        raise exception.AccessDenied('Account %s can not quarantine replicas' % (issuer))
+    auth_result = permission.has_permission(issuer, 'quarantine_file_replicas', {}, vo=vo, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not quarantine replicas. %s' % (issuer, auth_result.message))
 
     replica_infos = []
     for r in replicas:

rucio/gateway/replica.py

@@ -13,7 +13,6 @@
 # limitations under the License.
 
 import datetime
-from collections.abc import Iterator
 from typing import TYPE_CHECKING, Any, Optional
 
 from rucio.common import exception
@@ -28,6 +27,8 @@ from rucio.db.sqla.session import read_session, stream_session, transactional_se
 from rucio.gateway import permission
 
 if TYPE_CHECKING:
+    from collections.abc import Iterator
+
     from sqlalchemy.orm import Session
 
 
@@ -119,11 +120,12 @@ def declare_bad_file_replicas(replicas, reason, issuer, vo='def', force=False, *
     rse_id_to_name = invert_dict(rse_map)   # RSE id -> RSE name
 
     for rse_id in rse_ids_to_check:
-        if not permission.has_permission(issuer=issuer, vo=vo, action='declare_bad_file_replicas',
-                                         kwargs={"rse_id": rse_id},
-                                         session=session):
-            raise exception.AccessDenied('Account %s can not declare bad replicas in RSE %s' %
-                                         (issuer, rse_id_to_name.get(rse_id, rse_id)))
+        auth_result = permission.has_permission(issuer=issuer, vo=vo, action='declare_bad_file_replicas',
+                                                kwargs={"rse_id": rse_id},
+                                                session=session)
+        if not auth_result.allowed:
+            raise exception.AccessDenied('Account %s can not declare bad replicas in RSE %s. %s' %
+                                         (issuer, rse_id_to_name.get(rse_id, rse_id), auth_result.message))
 
     undeclared = replica.declare_bad_file_replicas(replicas_lst, reason=reason,
                                                    issuer=InternalAccount(issuer, vo=vo),
@@ -159,8 +161,9 @@ def declare_suspicious_file_replicas(pfns, reason, issuer, vo='def', *, session:
     :param session: The database session in use.
     """
     kwargs = {}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='declare_suspicious_file_replicas', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not declare suspicious replicas' % (issuer))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='declare_suspicious_file_replicas', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not declare suspicious replicas. %s' % (issuer, auth_result.message))
 
     issuer = InternalAccount(issuer, vo=vo)
 
@@ -248,7 +251,7 @@ def list_replicas(dids, schemes=None, unavailable=False, request_id=None,
             new_parents = []
             for p in rep['parents']:
                 scope, name = p.split(':')
-                scope = InternalScope(scope, fromExternal=False).external
+                scope = InternalScope(scope, from_external=False).external
                 new_parents.append('{}:{}'.format(scope, name))
             rep['parents'] = new_parents
 
@@ -276,8 +279,9 @@ def add_replicas(rse, files, issuer, ignore_availability=False, vo='def', *, ses
     rse_id = get_rse_id(rse=rse, vo=vo, session=session)
 
     kwargs = {'rse': rse, 'rse_id': rse_id}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='add_replicas', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not add file replicas on %s' % (issuer, rse))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='add_replicas', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not add file replicas on %s. %s' % (issuer, rse, auth_result.message))
     if not permission.has_permission(issuer=issuer, vo=vo, action='skip_availability_check', kwargs=kwargs, session=session):
         ignore_availability = False
 
@@ -309,8 +313,9 @@ def delete_replicas(rse, files, issuer, ignore_availability=False, vo='def', *,
     rse_id = get_rse_id(rse=rse, vo=vo, session=session)
 
     kwargs = {'rse': rse, 'rse_id': rse_id}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='delete_replicas', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not delete file replicas on %s' % (issuer, rse))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='delete_replicas', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not delete file replicas on %s. %s' % (issuer, rse, auth_result.message))
     if not permission.has_permission(issuer=issuer, vo=vo, action='skip_availability_check', kwargs=kwargs, session=session):
         ignore_availability = False
 
@@ -338,8 +343,9 @@ def update_replicas_states(rse, files, issuer, vo='def', *, session: "Session"):
     rse_id = get_rse_id(rse=rse, vo=vo, session=session)
 
     kwargs = {'rse': rse, 'rse_id': rse_id}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='update_replicas_states', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not update file replicas state on %s' % (issuer, rse))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='update_replicas_states', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not update file replicas state on %s. %s' % (issuer, rse, auth_result.message))
     replicas = []
     for file in files:
         rep = file
@@ -419,7 +425,7 @@ def list_dataset_replicas_vp(scope, name, deep=False, vo='def', *, session: "Ses
 
 
 @stream_session
-def list_datasets_per_rse(rse: str, filters: Optional[dict[str, Any]] = None, limit: Optional[int] = None, vo: str = 'def', *, session: "Session") -> Iterator[dict[str, Any]]:
+def list_datasets_per_rse(rse: str, filters: Optional[dict[str, Any]] = None, limit: Optional[int] = None, vo: str = 'def', *, session: "Session") -> 'Iterator[dict[str, Any]]':
     """
     :param scope: The scope of the dataset.
     :param name: The name of the dataset.
@@ -455,8 +461,9 @@ def add_bad_pfns(pfns, issuer, state, reason=None, expires_at=None, vo='def', *,
     :returns: True is successful.
     """
     kwargs = {'state': state}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='add_bad_pfns', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not declare bad PFNs' % (issuer))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='add_bad_pfns', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not declare bad PFNs. %s' % (issuer, auth_result.message))
 
     if expires_at and datetime.datetime.utcnow() <= expires_at and expires_at > datetime.datetime.utcnow() + datetime.timedelta(days=30):
         raise exception.InputValidationError('The given duration of %s days exceeds the maximum duration of 30 days.' % (expires_at - datetime.datetime.utcnow()).days)
@@ -483,8 +490,9 @@ def add_bad_dids(dids, rse, issuer, state, reason=None, expires_at=None, vo='def
     :returns: The list of replicas not declared bad
     """
     kwargs = {'state': state}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='add_bad_pfns', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not declare bad PFN or DIDs' % issuer)
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='add_bad_pfns', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not declare bad PFN or DIDs. %s' % (issuer, auth_result.message))
 
     issuer = InternalAccount(issuer, vo=vo)
     rse_id = get_rse_id(rse=rse, session=session)
@@ -522,8 +530,9 @@ def set_tombstone(rse, scope, name, issuer, vo='def', *, session: "Session"):
 
     rse_id = get_rse_id(rse, vo=vo, session=session)
 
-    if not permission.has_permission(issuer=issuer, vo=vo, action='set_tombstone', kwargs={}, session=session):
-        raise exception.AccessDenied('Account %s can not set tombstones' % (issuer))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='set_tombstone', kwargs={}, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not set tombstones. %s' % (issuer, auth_result.message))
 
     scope = InternalScope(scope, vo=vo)
     replica.set_tombstone(rse_id, scope, name, session=session)

rucio/gateway/request.py

@@ -53,8 +53,9 @@ def queue_requests(
     """
 
     kwargs = {'requests': requests, 'issuer': issuer}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='queue_requests', kwargs=kwargs, session=session):
-        raise exception.AccessDenied(f'{issuer} can not queue request')
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='queue_requests', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied(f'{issuer} can not queue request. {auth_result.message}')
 
     for req in requests:
         req['scope'] = InternalScope(req['scope'], vo=vo)  # type: ignore (type reassignment)
@@ -85,8 +86,9 @@ def cancel_request(
     """
 
     kwargs = {'account': account, 'issuer': issuer, 'request_id': request_id}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='cancel_request_', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('%s cannot cancel request %s' % (account, request_id))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='cancel_request_', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('%s cannot cancel request %s. %s' % (account, request_id, auth_result.message))
 
     raise NotImplementedError
 
@@ -119,8 +121,9 @@ def cancel_request_did(
     dest_rse_id = get_rse_id(rse=dest_rse, vo=vo, session=session)
 
     kwargs = {'account': account, 'issuer': issuer}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='cancel_request_did', kwargs=kwargs, session=session):
-        raise exception.AccessDenied(f'{account} cannot cancel {request_type} request for {scope}:{name}')
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='cancel_request_did', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied(f'{account} cannot cancel {request_type} request for {scope}:{name}. {auth_result.message}')
 
     internal_scope = InternalScope(scope, vo=vo)
     return request.cancel_request_did(internal_scope, name, dest_rse_id, request_type, session=session)
@@ -149,8 +152,9 @@ def get_next(
     """
 
     kwargs = {'account': account, 'issuer': issuer, 'request_type': request_type, 'state': state}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='get_next', kwargs=kwargs, session=session):
-        raise exception.AccessDenied(f'{account} cannot get the next request of type {request_type} in state {state}')
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='get_next', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied(f'{account} cannot get the next request of type {request_type} in state {state}. {auth_result.message}')
 
     reqs = request.get_and_mark_next(request_type, state, session=session)
     return [gateway_update_return_dict(r, session=session) for r in reqs]
@@ -180,8 +184,9 @@ def get_request_by_did(
     rse_id = get_rse_id(rse=rse, vo=vo, session=session)
 
     kwargs = {'scope': scope, 'name': name, 'rse': rse, 'rse_id': rse_id, 'issuer': issuer}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='get_request_by_did', kwargs=kwargs, session=session):
-        raise exception.AccessDenied(f'{issuer} cannot retrieve the request DID {scope}:{name} to RSE {rse}')
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='get_request_by_did', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied(f'{issuer} cannot retrieve the request DID {scope}:{name} to RSE {rse}. {auth_result.message}')
 
     internal_scope = InternalScope(scope, vo=vo)
     req = request.get_request_by_did(internal_scope, name, rse_id, session=session)
@@ -213,8 +218,9 @@ def get_request_history_by_did(
     rse_id = get_rse_id(rse=rse, vo=vo, session=session)
 
     kwargs = {'scope': scope, 'name': name, 'rse': rse, 'rse_id': rse_id, 'issuer': issuer}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='get_request_history_by_did', kwargs=kwargs, session=session):
-        raise exception.AccessDenied(f'{issuer} cannot retrieve the request DID {scope}:{name} to RSE {rse}')
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='get_request_history_by_did', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied(f'{issuer} cannot retrieve the request DID {scope}:{name} to RSE {rse}. {auth_result.message}')
 
     internal_scope = InternalScope(scope, vo=vo)
     req = request.get_request_history_by_did(internal_scope, name, rse_id, session=session)
@@ -245,8 +251,9 @@ def list_requests(
     dst_rse_ids = [get_rse_id(rse=rse, vo=vo, session=session) for rse in dst_rses]
 
     kwargs = {'src_rse_id': src_rse_ids, 'dst_rse_id': dst_rse_ids, 'issuer': issuer}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='list_requests', kwargs=kwargs, session=session):
-        raise exception.AccessDenied(f'{issuer} cannot list requests from RSEs {src_rses} to RSEs {dst_rses}')
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='list_requests', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied(f'{issuer} cannot list requests from RSEs {src_rses} to RSEs {dst_rses}. {auth_result.message}')
 
     for req in request.list_requests(src_rse_ids, dst_rse_ids, states, session=session):
         req = req.to_dict()
@@ -279,8 +286,9 @@ def list_requests_history(
     dst_rse_ids = [get_rse_id(rse=rse, vo=vo, session=session) for rse in dst_rses]
 
     kwargs = {'src_rse_id': src_rse_ids, 'dst_rse_id': dst_rse_ids, 'issuer': issuer}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='list_requests_history', kwargs=kwargs, session=session):
-        raise exception.AccessDenied(f'{issuer} cannot list requests from RSEs {src_rses} to RSEs {dst_rses}')
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='list_requests_history', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied(f'{issuer} cannot list requests from RSEs {src_rses} to RSEs {dst_rses}. {auth_result.message}')
 
     for req in request.list_requests_history(src_rse_ids, dst_rse_ids, states, offset, limit, session=session):
         req = req.to_dict()
@@ -315,7 +323,8 @@ def get_request_metrics(
     if dst_rse:
         dst_rse_id = get_rse_id(rse=dst_rse, vo=vo, session=session)
     kwargs = {'issuer': issuer}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='get_request_metrics', kwargs=kwargs, session=session):
-        raise exception.AccessDenied(f'{issuer} cannot get request statistics')
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='get_request_metrics', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied(f'{issuer} cannot get request statistics. {auth_result.message}')
 
     return request.get_request_metrics(dest_rse_id=dst_rse_id, src_rse_id=src_rse_id, activity=activity, group_by_rse_attribute=group_by_rse_attribute, session=session)