rucio 35.7.0__py3-none-any.whl → 37.0.0__py3-none-any.whl

rucio/gateway/rse.py

@@ -30,11 +30,27 @@ if TYPE_CHECKING:
 
 
 @transactional_session
-def add_rse(rse, issuer, vo='def', deterministic=True, volatile=False, city=None, region_code=None,
-            country_name=None, continent=None, time_zone=None, ISP=None,
-            staging_area=False, rse_type=None, latitude=None, longitude=None, ASN=None,
-            availability_read: "Optional[bool]" = None, availability_write: "Optional[bool]" = None,
-            availability_delete: "Optional[bool]" = None, *, session: "Session"):
+def add_rse(
+    rse,
+    issuer,
+    vo='def',
+    deterministic=True,
+    volatile=False,
+    city=None,
+    region_code=None,
+    country_name=None,
+    continent=None,
+    time_zone=None,
+    ISP=None,  # noqa: N803
+    staging_area=False,
+    rse_type=None,
+    latitude=None,
+    longitude=None,
+    ASN=None,  # noqa: N803
+    availability_read: "Optional[bool]" = None,
+    availability_write: "Optional[bool]" = None,
+    availability_delete: "Optional[bool]" = None, *, session: "Session"
+):
     """
     Creates a new Rucio Storage Element(RSE).
 
@@ -61,8 +77,9 @@ def add_rse(rse, issuer, vo='def', deterministic=True, volatile=False, city=None
     """
     validate_schema(name='rse', obj=rse, vo=vo)
     kwargs = {'rse': rse}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='add_rse', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not add RSE' % (issuer))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='add_rse', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not add RSE. %s' % (issuer, auth_result.message))
 
     return rse_module.add_rse(rse, vo=vo, deterministic=deterministic, volatile=volatile, city=city,
                               region_code=region_code, country_name=country_name, staging_area=staging_area,
@@ -102,8 +119,9 @@ def del_rse(rse, issuer, vo='def', *, session: "Session"):
     rse_id = rse_module.get_rse_id(rse=rse, vo=vo, session=session)
 
     kwargs = {'rse': rse, 'rse_id': rse_id}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='del_rse', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not delete RSE' % (issuer))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='del_rse', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not delete RSE. %s' % (issuer, auth_result.message))
 
     return rse_module.del_rse(rse_id, session=session)
 
@@ -142,8 +160,9 @@ def del_rse_attribute(rse, key, issuer, vo='def', *, session: "Session"):
     rse_id = rse_module.get_rse_id(rse=rse, vo=vo, session=session)
 
     kwargs = {'rse': rse, 'rse_id': rse_id, 'key': key}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='del_rse_attribute', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not delete RSE attributes' % (issuer))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='del_rse_attribute', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not delete RSE attributes. %s' % (issuer, auth_result.message))
 
     return rse_module.del_rse_attribute(rse_id=rse_id, key=key, session=session)
 
@@ -164,8 +183,9 @@ def add_rse_attribute(rse, key, value, issuer, vo='def', *, session: "Session"):
     rse_id = rse_module.get_rse_id(rse=rse, vo=vo, session=session)
 
     kwargs = {'rse': rse, 'rse_id': rse_id, 'key': key, 'value': value}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='add_rse_attribute', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not add RSE attributes' % (issuer))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='add_rse_attribute', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not add RSE attributes. %s' % (issuer, auth_result.message))
 
     return rse_module.add_rse_attribute(rse_id=rse_id, key=key, value=value, session=session)
 
@@ -227,8 +247,9 @@ def add_protocol(rse, issuer, vo='def', *, session: "Session", **data):
     rse_id = rse_module.get_rse_id(rse=rse, vo=vo, session=session)
 
     kwargs = {'rse': rse, 'rse_id': rse_id}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='add_protocol', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not add protocols to RSE %s' % (issuer, rse))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='add_protocol', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not add protocols to RSE %s. %s' % (issuer, rse, auth_result.message))
     rse_module.add_protocol(rse_id, data['data'], session=session)
 
 
@@ -265,8 +286,9 @@ def del_protocols(rse, scheme, issuer, vo='def', hostname=None, port=None, *, se
     """
     rse_id = rse_module.get_rse_id(rse=rse, vo=vo, session=session)
     kwargs = {'rse': rse, 'rse_id': rse_id}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='del_protocol', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not delete protocols from RSE %s' % (issuer, rse))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='del_protocol', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not delete protocols from RSE %s. %s' % (issuer, rse, auth_result.message))
     rse_module.del_protocols(rse_id=rse_id, scheme=scheme, hostname=hostname, port=port, session=session)
 
 
@@ -286,8 +308,9 @@ def update_protocols(rse, scheme, data, issuer, vo='def', hostname=None, port=No
     """
     rse_id = rse_module.get_rse_id(rse=rse, vo=vo, session=session)
     kwargs = {'rse': rse, 'rse_id': rse_id}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='update_protocol', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not update protocols from RSE %s' % (issuer, rse))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='update_protocol', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not update protocols from RSE %s. %s' % (issuer, rse, auth_result.message))
     rse_module.update_protocols(rse_id=rse_id, scheme=scheme, hostname=hostname, port=port, data=data, session=session)
 
 
@@ -310,8 +333,9 @@ def set_rse_usage(rse, source, used, free, issuer, files=None, vo='def', *, sess
     rse_id = rse_module.get_rse_id(rse=rse, vo=vo, session=session)
 
     kwargs = {'rse': rse, 'rse_id': rse_id}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='set_rse_usage', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not update RSE usage information for RSE %s' % (issuer, rse))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='set_rse_usage', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not update RSE usage information for RSE %s. %s' % (issuer, rse, auth_result.message))
 
     return rse_module.set_rse_usage(rse_id=rse_id, source=source, used=used, free=free, files=files, session=session)
 
@@ -374,8 +398,9 @@ def set_rse_limits(rse, name, value, issuer, vo='def', *, session: "Session"):
     """
     rse_id = rse_module.get_rse_id(rse=rse, vo=vo, session=session)
     kwargs = {'rse': rse, 'rse_id': rse_id}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='set_rse_limits', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not update RSE limits for RSE %s' % (issuer, rse))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='set_rse_limits', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not update RSE limits for RSE %s. %s' % (issuer, rse, auth_result.message))
 
     return rse_module.set_rse_limits(rse_id=rse_id, name=name, value=value, session=session)
 
@@ -395,8 +420,9 @@ def delete_rse_limits(rse, name, issuer, vo='def', *, session: "Session"):
     """
     rse_id = rse_module.get_rse_id(rse=rse, vo=vo, session=session)
     kwargs = {'rse': rse, 'rse_id': rse_id}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='delete_rse_limits', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not update RSE limits for RSE %s' % (issuer, rse))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='delete_rse_limits', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not update RSE limits for RSE %s. %s' % (issuer, rse, auth_result.message))
 
     return rse_module.delete_rse_limits(rse_id=rse_id, name=name, session=session)
 
@@ -448,8 +474,9 @@ def update_rse(rse, parameters, issuer, vo='def', *, session: "Session"):
     """
     rse_id = rse_module.get_rse_id(rse=rse, vo=vo, session=session)
     kwargs = {'rse': rse, 'rse_id': rse_id}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='update_rse', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not update RSE' % (issuer))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='update_rse', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not update RSE. %s' % (issuer, auth_result.message))
     return rse_module.update_rse(rse_id=rse_id, parameters=parameters, session=session)
 
 
@@ -466,8 +493,9 @@ def add_distance(source, destination, issuer, vo='def', distance=None, *, sessio
     :param session: The database session in use.
     """
     kwargs = {'source': source, 'destination': destination}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='add_distance', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not add RSE distances' % (issuer))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='add_distance', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not add RSE distances. %s' % (issuer, auth_result.message))
     try:
         return distance_module.add_distance(src_rse_id=rse_module.get_rse_id(source, vo=vo, session=session),
                                             dest_rse_id=rse_module.get_rse_id(destination, vo=vo, session=session),
@@ -490,8 +518,9 @@ def update_distance(source, destination, distance, issuer, vo='def', *, session:
     :param session: The database session to use.
     """
     kwargs = {'source': source, 'destination': destination}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='update_distance', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not update RSE distances' % (issuer))
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='update_distance', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not update RSE distances. %s' % (issuer, auth_result.message))
 
     return distance_module.update_distances(src_rse_id=rse_module.get_rse_id(source, vo=vo, session=session),
                                             dest_rse_id=rse_module.get_rse_id(destination, vo=vo, session=session),
@@ -530,8 +559,9 @@ def delete_distance(source, destination, issuer, vo='def', *, session: "Session"
     :param session: The database session in use.
     """
     kwargs = {'source': source, 'destination': destination}
-    if not permission.has_permission(issuer=issuer, vo=vo, action='delete_distance', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not update RSE distances' % issuer)
+    auth_result = permission.has_permission(issuer=issuer, vo=vo, action='delete_distance', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not update RSE distances. %s' % (issuer, auth_result.message))
 
     return distance_module.delete_distances(src_rse_id=rse_module.get_rse_id(source, vo=vo, session=session),
                                             dest_rse_id=rse_module.get_rse_id(destination, vo=vo, session=session),
@@ -555,8 +585,9 @@ def add_qos_policy(rse, qos_policy, issuer, vo='def', *, session: "Session"):
 
     rse_id = rse_module.get_rse_id(rse=rse, vo=vo, session=session)
     kwargs = {'rse_id': rse_id}
-    if not permission.has_permission(issuer=issuer, action='add_qos_policy', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s cannot add QoS policies to RSE %s' % (issuer, rse))
+    auth_result = permission.has_permission(issuer=issuer, action='add_qos_policy', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s cannot add QoS policies to RSE %s. %s' % (issuer, rse, auth_result.message))
 
     return rse_module.add_qos_policy(rse_id, qos_policy, session=session)
 
@@ -577,8 +608,9 @@ def delete_qos_policy(rse, qos_policy, issuer, vo='def', *, session: "Session"):
 
     rse_id = rse_module.get_rse_id(rse=rse, vo=vo, session=session)
     kwargs = {'rse_id': rse}
-    if not permission.has_permission(issuer=issuer, action='delete_qos_policy', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s cannot delete QoS policies from RSE %s' % (issuer, rse))
+    auth_result = permission.has_permission(issuer=issuer, action='delete_qos_policy', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s cannot delete QoS policies from RSE %s. %s' % (issuer, rse, auth_result.message))
 
     return rse_module.delete_qos_policy(rse_id, qos_policy, session=session)
 

rucio/gateway/rule.py

@@ -111,8 +111,9 @@ def add_replication_rule(
 
     validate_schema(name='rule', obj=kwargs, vo=vo)
 
-    if not has_permission(issuer=issuer, vo=vo, action='add_rule', kwargs=kwargs, session=session):
-        raise AccessDenied('Account %s can not add replication rule' % (issuer))
+    auth_result = has_permission(issuer=issuer, vo=vo, action='add_rule', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise AccessDenied('Account %s can not add replication rule. %s' % (issuer, auth_result.message))
 
     account_internal = InternalAccount(account, vo=vo)
     dids_with_internal_scope = [{'name': d['name'], 'scope': InternalScope(d['scope'], vo=vo)} for d in dids]
@@ -152,8 +153,10 @@ def get_replication_rule(rule_id: str, issuer: str, vo: str = 'def', *, session:
     :param session: The database session in use.
     """
     kwargs = {'rule_id': rule_id}
-    if is_multi_vo(session=session) and not has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs, session=session):
-        raise AccessDenied('Account %s can not access rules at other VOs.' % (issuer))
+    if is_multi_vo(session=session):
+        auth_result = has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs, session=session)
+        if not auth_result.allowed:
+            raise AccessDenied('Account %s can not access rules at other VOs. %s' % (issuer, auth_result.message))
     result = rule.get_rule(rule_id, session=session)
     return gateway_update_return_dict(result, session=session)
 
@@ -209,8 +212,10 @@ def list_replication_rule_history(
     :param session: The database session in use.
     """
     kwargs = {'rule_id': rule_id}
-    if is_multi_vo(session=session) and not has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs, session=session):
-        raise AccessDenied('Account %s can not access rules at other VOs.' % (issuer))
+    if is_multi_vo(session=session):
+        auth_result = has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs, session=session)
+        if not auth_result.allowed:
+            raise AccessDenied('Account %s can not access rules at other VOs. %s' % (issuer, auth_result.message))
     return rule.list_rule_history(rule_id, session=session)
 
 
@@ -278,10 +283,13 @@ def delete_replication_rule(
     :raises:               RuleNotFound, AccessDenied
     """
     kwargs = {'rule_id': rule_id, 'purge_replicas': purge_replicas}
-    if is_multi_vo(session=session) and not has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs, session=session):
-        raise AccessDenied('Account %s can not access rules at other VOs.' % (issuer))
-    if not has_permission(issuer=issuer, vo=vo, action='del_rule', kwargs=kwargs):
-        raise AccessDenied('Account %s can not remove this replication rule.' % (issuer))
+    if is_multi_vo(session=session):
+        auth_result = has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs, session=session)
+        if not auth_result.allowed:
+            raise AccessDenied('Account %s can not access rules at other VOs. %s' % (issuer, auth_result.message))
+    auth_result = has_permission(issuer=issuer, vo=vo, action='del_rule', kwargs=kwargs)
+    if not auth_result.allowed:
+        raise AccessDenied('Account %s can not remove this replication rule. %s' % (issuer, auth_result.message))
     rule.delete_rule(rule_id=rule_id, purge_replicas=purge_replicas, soft=True, session=session)
 
 
@@ -305,11 +313,14 @@ def update_replication_rule(
     :raises:            RuleNotFound if no Rule can be found.
     """
     kwargs = {'rule_id': rule_id, 'options': options}
-    if is_multi_vo(session=session) and not has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs, session=session):
-        raise AccessDenied('Account %s can not access rules at other VOs.' % (issuer))
+    if is_multi_vo(session=session):
+        auth_result = has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs, session=session)
+        if not auth_result.allowed:
+            raise AccessDenied('Account %s can not access rules at other VOs. %s' % (issuer, auth_result.message))
     if 'approve' in options:
-        if not has_permission(issuer=issuer, vo=vo, action='approve_rule', kwargs=kwargs, session=session):
-            raise AccessDenied('Account %s can not approve/deny this replication rule.' % (issuer))
+        auth_result = has_permission(issuer=issuer, vo=vo, action='approve_rule', kwargs=kwargs, session=session)
+        if not auth_result.allowed:
+            raise AccessDenied('Account %s can not approve/deny this replication rule. %s' % (issuer, auth_result.message))
 
         issuer_ia = InternalAccount(issuer, vo=vo)
         if options['approve']:
@@ -317,8 +328,9 @@ def update_replication_rule(
         else:
             rule.deny_rule(rule_id=rule_id, approver=issuer_ia, reason=options.get('comment', None), session=session)
     else:
-        if not has_permission(issuer=issuer, vo=vo, action='update_rule', kwargs=kwargs, session=session):
-            raise AccessDenied('Account %s can not update this replication rule.' % (issuer))
+        auth_result = has_permission(issuer=issuer, vo=vo, action='update_rule', kwargs=kwargs, session=session)
+        if not auth_result.allowed:
+            raise AccessDenied('Account %s can not update this replication rule. %s' % (issuer, auth_result.message))
         if 'account' in options:
             options['account'] = InternalAccount(options['account'], vo=vo)
         rule.update_rule(rule_id=rule_id, options=options, session=session)
@@ -346,10 +358,13 @@ def reduce_replication_rule(
     :raises:                    RuleReplaceFailed, RuleNotFound
     """
     kwargs = {'rule_id': rule_id, 'copies': copies, 'exclude_expression': exclude_expression}
-    if is_multi_vo(session=session) and not has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs, session=session):
-        raise AccessDenied('Account %s can not access rules at other VOs.' % (issuer))
-    if not has_permission(issuer=issuer, vo=vo, action='reduce_rule', kwargs=kwargs, session=session):
-        raise AccessDenied('Account %s can not reduce this replication rule.' % (issuer))
+    if is_multi_vo(session=session):
+        auth_result = has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs, session=session)
+        if not auth_result.allowed:
+            raise AccessDenied('Account %s can not access rules at other VOs. %s' % (issuer, auth_result.message))
+    auth_result = has_permission(issuer=issuer, vo=vo, action='reduce_rule', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise AccessDenied('Account %s can not reduce this replication rule. %s' % (issuer, auth_result.message))
 
     return rule.reduce_rule(rule_id=rule_id, copies=copies, exclude_expression=exclude_expression, session=session)
 
@@ -371,8 +386,10 @@ def examine_replication_rule(
     :param session: The database session in use.
     """
     kwargs = {'rule_id': rule_id}
-    if is_multi_vo(session=session) and not has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs, session=session):
-        raise AccessDenied('Account %s can not access rules at other VOs.' % (issuer))
+    if is_multi_vo(session=session):
+        auth_result = has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs, session=session)
+        if not auth_result.allowed:
+            raise AccessDenied('Account %s can not access rules at other VOs. %s' % (issuer, auth_result.message))
     result = rule.examine_rule(rule_id, session=session)
     result = gateway_update_return_dict(result, session=session)
     if 'transfers' in result:
@@ -409,9 +426,12 @@ def move_replication_rule(
         'override': override,
     }
 
-    if is_multi_vo(session=session) and not has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs, session=session):
-        raise AccessDenied('Account %s can not access rules at other VOs.' % (issuer))
-    if not has_permission(issuer=issuer, vo=vo, action='move_rule', kwargs=kwargs, session=session):
-        raise AccessDenied('Account %s can not move this replication rule.' % (issuer))
+    if is_multi_vo(session=session):
+        auth_result = has_permission(issuer=issuer, vo=vo, action='access_rule_vo', kwargs=kwargs, session=session)
+        if not auth_result.allowed:
+            raise AccessDenied('Account %s can not access rules at other VOs. %s' % (issuer, auth_result.message))
+    auth_result = has_permission(issuer=issuer, vo=vo, action='move_rule', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise AccessDenied('Account %s can not move this replication rule. %s' % (issuer, auth_result.message))
 
     return rule.move_rule(**kwargs, session=session)

rucio/gateway/scope.py

@@ -68,8 +68,9 @@ def add_scope(
     validate_schema(name='scope', obj=scope, vo=vo)
 
     kwargs = {'scope': scope, 'account': account}
-    if not rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='add_scope', kwargs=kwargs, session=session):
-        raise rucio.common.exception.AccessDenied('Account %s can not add scope' % (issuer))
+    auth_result = rucio.gateway.permission.has_permission(issuer=issuer, vo=vo, action='add_scope', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise rucio.common.exception.AccessDenied('Account %s can not add scope. %s' % (issuer, auth_result.message))
 
     internal_scope = InternalScope(scope, vo=vo)
     internal_account = InternalAccount(account, vo=vo)

rucio/gateway/subscription.py

@@ -13,7 +13,6 @@
 # limitations under the License.
 
 from collections import namedtuple
-from collections.abc import Iterator
 from json import dumps, loads
 from typing import TYPE_CHECKING, Any, Literal, Optional, Union
 
@@ -25,6 +24,8 @@ from rucio.db.sqla.session import read_session, stream_session, transactional_se
 from rucio.gateway.permission import has_permission
 
 if TYPE_CHECKING:
+    from collections.abc import Iterator
+
     from sqlalchemy.orm import Session
 
 
@@ -65,8 +66,9 @@ def add_subscription(
     :param session: The database session in use.
     :returns: subscription_id
     """
-    if not has_permission(issuer=issuer, vo=vo, action='add_subscription', kwargs={'account': account}, session=session):
-        raise AccessDenied('Account %s can not add subscription' % (issuer))
+    auth_result = has_permission(issuer=issuer, vo=vo, action='add_subscription', kwargs={'account': account}, session=session)
+    if not auth_result.allowed:
+        raise AccessDenied('Account %s can not add subscription. %s' % (issuer, auth_result.message))
     try:
         if filter_:
             if not isinstance(filter_, dict):
@@ -120,8 +122,9 @@ def update_subscription(
     :param session: The database session in use.
     :raises: SubscriptionNotFound if subscription is not found
     """
-    if not has_permission(issuer=issuer, vo=vo, action='update_subscription', kwargs={'account': account}, session=session):
-        raise AccessDenied('Account %s can not update subscription' % (issuer))
+    auth_result = has_permission(issuer=issuer, vo=vo, action='update_subscription', kwargs={'account': account}, session=session)
+    if not auth_result.allowed:
+        raise AccessDenied('Account %s can not update subscription. %s' % (issuer, auth_result.message))
     try:
         if not isinstance(metadata, dict):
             raise TypeError('metadata should be a dict')
@@ -163,7 +166,7 @@ def list_subscriptions(
     vo: str = 'def',
     *,
     session: "Session"
-) -> Iterator[dict[str, Any]]:
+) -> 'Iterator[dict[str, Any]]':
     """
     Returns a dictionary with the subscription information :
     Examples: ``{'status': 'INACTIVE/ACTIVE/BROKEN', 'last_modified_date': ...}``
@@ -190,9 +193,9 @@ def list_subscriptions(
         if 'filter' in sub:
             fil = loads(sub['filter'])
             if 'account' in fil:
-                fil['account'] = [InternalAccount(acc, fromExternal=False).external for acc in fil['account']]
+                fil['account'] = [InternalAccount(acc, from_external=False).external for acc in fil['account']]
             if 'scope' in fil:
-                fil['scope'] = [InternalScope(sco, fromExternal=False).external for sco in fil['scope']]
+                fil['scope'] = [InternalScope(sco, from_external=False).external for sco in fil['scope']]
             sub['filter'] = dumps(fil)
 
         yield sub
@@ -205,7 +208,7 @@ def list_subscription_rule_states(
     vo: str = 'def',
     *,
     session: "Session"
-) -> Iterator[SubscriptionRuleState]:
+) -> 'Iterator[SubscriptionRuleState]':
     """Returns a list of with the number of rules per state for a subscription.
 
     :param name: Name of the subscription
@@ -269,9 +272,9 @@ def get_subscription_by_id(
     if 'filter' in sub:
         fil = loads(sub['filter'])
         if 'account' in fil:
-            fil['account'] = [InternalAccount(acc, fromExternal=False).external for acc in fil['account']]
+            fil['account'] = [InternalAccount(acc, from_external=False).external for acc in fil['account']]
         if 'scope' in fil:
-            fil['scope'] = [InternalScope(sco, fromExternal=False).external for sco in fil['scope']]
+            fil['scope'] = [InternalScope(sco, from_external=False).external for sco in fil['scope']]
         sub['filter'] = dumps(fil)
 
     return sub

rucio/gateway/vo.py

@@ -44,8 +44,9 @@ def add_vo(new_vo: str, issuer: str, description: Optional[str] = None, email: O
     validate_schema('vo', new_vo, vo=vo)
 
     kwargs = {}
-    if not has_permission(issuer=issuer, action='add_vo', kwargs=kwargs, vo=vo, session=session):
-        raise exception.AccessDenied('Account {} cannot add a VO'.format(issuer))
+    auth_result = has_permission(issuer=issuer, action='add_vo', kwargs=kwargs, vo=vo, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account {} cannot add a VO. {}'.format(issuer, auth_result.message))
 
     vo_core.add_vo(vo=new_vo, description=description, email=email, session=session)
 
@@ -60,8 +61,9 @@ def list_vos(issuer: str, vo: str = 'def', *, session: "Session") -> list[dict[s
     :param session: The database session in use.
     '''
     kwargs = {}
-    if not has_permission(issuer=issuer, action='list_vos', kwargs=kwargs, vo=vo, session=session):
-        raise exception.AccessDenied('Account {} cannot list VOs'.format(issuer))
+    auth_result = has_permission(issuer=issuer, action='list_vos', kwargs=kwargs, vo=vo, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account {} cannot list VOs. {}'.format(issuer, auth_result.message))
 
     return vo_core.list_vos(session=session)
 
@@ -94,8 +96,9 @@ def recover_vo_root_identity(
     """
     kwargs = {}
     root_vo = vo_core.map_vo(root_vo)
-    if not has_permission(issuer=issuer, vo=vo, action='recover_vo_root_identity', kwargs=kwargs, session=session):
-        raise exception.AccessDenied('Account %s can not recover root identity' % (issuer))
+    auth_result = has_permission(issuer=issuer, vo=vo, action='recover_vo_root_identity', kwargs=kwargs, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account %s can not recover root identity. %s' % (issuer, auth_result.message))
 
     account = InternalAccount('root', vo=root_vo)
 
@@ -116,7 +119,8 @@ def update_vo(updated_vo: str, parameters: dict[str, Any], issuer: str, vo: str
     """
     kwargs = {}
     updated_vo = vo_core.map_vo(updated_vo)
-    if not has_permission(issuer=issuer, action='update_vo', kwargs=kwargs, vo=vo, session=session):
-        raise exception.AccessDenied('Account {} cannot update VO'.format(issuer))
+    auth_result = has_permission(issuer=issuer, action='update_vo', kwargs=kwargs, vo=vo, session=session)
+    if not auth_result.allowed:
+        raise exception.AccessDenied('Account {} cannot update VO. {}'.format(issuer, auth_result.message))
 
     return vo_core.update_vo(vo=updated_vo, parameters=parameters, session=session)

rucio/rse/__init__.py

@@ -14,7 +14,7 @@
 
 from dogpile.cache import make_region
 
-from rucio.common.utils import is_client
+from rucio.common.client import is_client
 from rucio.rse import rsemanager
 
 if is_client():
@@ -77,7 +77,7 @@ if rsemanager.CLIENT_MODE:   # pylint:disable=no-member
 
 
 if rsemanager.SERVER_MODE:   # pylint:disable=no-member
-    from rucio.common.cache import make_region_memcached
+    from rucio.common.cache import MemcacheRegion
     from rucio.core.rse import get_rse_id, get_rse_protocols
     from rucio.core.vo import map_vo
 
@@ -92,5 +92,5 @@ if rsemanager.SERVER_MODE:   # pylint:disable=no-member
 
     setattr(rsemanager, '__request_rse_info', tmp_rse_info)
     setattr(rsemanager, '__get_signed_url', get_signed_url_server)
-    RSE_REGION = make_region_memcached(expiration_time=900)
+    RSE_REGION = MemcacheRegion(expiration_time=900)
     setattr(rsemanager, 'RSE_REGION', RSE_REGION)

rucio/rse/protocols/bittorrent.py

@@ -19,8 +19,9 @@ import time
 from urllib.parse import parse_qs, urlencode, urlparse
 
 from rucio.common import exception
+from rucio.common.bittorrent import construct_torrent
 from rucio.common.extra import import_extras
-from rucio.common.utils import construct_torrent, resolve_ip
+from rucio.common.utils import resolve_ip
 from rucio.rse import rsemanager
 from rucio.rse.protocols.protocol import RSEProtocol
 
@@ -182,3 +183,12 @@ class Default(RSEProtocol):
                 time.sleep(0.25)
         finally:
             ses.remove_torrent(handle)
+
+    def delete(self, path):
+        raise NotImplementedError
+
+    def put(self, source, target, source_dir, transfer_timeout=None):
+        raise NotImplementedError
+
+    def rename(self, path, new_path):
+        raise NotImplementedError

rucio/rse/protocols/cache.py

@@ -49,17 +49,6 @@ class Default(protocol.RSEProtocol):
         """
         return ''.join([self.rse['scheme'], '://%s' % self.rse['hostname'], path])
 
-    def exists(self, pfn):
-        """ Checks if the requested file is known by the referred RSE.
-
-            :param pfn: Physical file name
-
-            :returns: True if the file exists, False if it doesn't
-
-            :raise  ServiceUnavailable
-        """
-        raise NotImplementedError
-
     def connect(self):
         """ Establishes the actual connection to the referred RSE.
 

rucio/rse/protocols/dummy.py

@@ -38,17 +38,6 @@ class Default(protocol.RSEProtocol):
         """
         return ''.join([self.rse['scheme'], '://%s' % self.rse['hostname'], path])
 
-    def exists(self, pfn):
-        """ Checks if the requested file is known by the referred RSE.
-
-            :param pfn: Physical file name
-
-            :returns: True if the file exists, False if it doesn't
-
-            :raise  ServiceUnavailable
-        """
-        raise NotImplementedError
-
     def connect(self):
         """ Establishes the actual connection to the referred RSE.