PyPI - rucio - Versions diffs - 35.7.0__py3-none-any.whl - Mend

rucio 35.7.0__py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of rucio might be problematic. Click here for more details.

Files changed (493) hide show

rucio/__init__.py +17 -0
rucio/alembicrevision.py +15 -0
rucio/client/__init__.py +15 -0
rucio/client/accountclient.py +433 -0
rucio/client/accountlimitclient.py +183 -0
rucio/client/baseclient.py +974 -0
rucio/client/client.py +76 -0
rucio/client/configclient.py +126 -0
rucio/client/credentialclient.py +59 -0
rucio/client/didclient.py +866 -0
rucio/client/diracclient.py +56 -0
rucio/client/downloadclient.py +1785 -0
rucio/client/exportclient.py +44 -0
rucio/client/fileclient.py +50 -0
rucio/client/importclient.py +42 -0
rucio/client/lifetimeclient.py +90 -0
rucio/client/lockclient.py +109 -0
rucio/client/metaconventionsclient.py +140 -0
rucio/client/pingclient.py +44 -0
rucio/client/replicaclient.py +454 -0
rucio/client/requestclient.py +125 -0
rucio/client/rseclient.py +746 -0
rucio/client/ruleclient.py +294 -0
rucio/client/scopeclient.py +90 -0
rucio/client/subscriptionclient.py +173 -0
rucio/client/touchclient.py +82 -0
rucio/client/uploadclient.py +955 -0
rucio/common/__init__.py +13 -0
rucio/common/cache.py +74 -0
rucio/common/config.py +801 -0
rucio/common/constants.py +159 -0
rucio/common/constraints.py +17 -0
rucio/common/didtype.py +189 -0
rucio/common/dumper/__init__.py +335 -0
rucio/common/dumper/consistency.py +452 -0
rucio/common/dumper/data_models.py +318 -0
rucio/common/dumper/path_parsing.py +64 -0
rucio/common/exception.py +1151 -0
rucio/common/extra.py +36 -0
rucio/common/logging.py +420 -0
rucio/common/pcache.py +1408 -0
rucio/common/plugins.py +153 -0
rucio/common/policy.py +84 -0
rucio/common/schema/__init__.py +150 -0
rucio/common/schema/atlas.py +413 -0
rucio/common/schema/belleii.py +408 -0
rucio/common/schema/domatpc.py +401 -0
rucio/common/schema/escape.py +426 -0
rucio/common/schema/generic.py +433 -0
rucio/common/schema/generic_multi_vo.py +412 -0
rucio/common/schema/icecube.py +406 -0
rucio/common/stomp_utils.py +159 -0
rucio/common/stopwatch.py +55 -0
rucio/common/test_rucio_server.py +148 -0
rucio/common/types.py +403 -0
rucio/common/utils.py +2238 -0
rucio/core/__init__.py +13 -0
rucio/core/account.py +496 -0
rucio/core/account_counter.py +236 -0
rucio/core/account_limit.py +423 -0
rucio/core/authentication.py +620 -0
rucio/core/config.py +456 -0
rucio/core/credential.py +225 -0
rucio/core/did.py +3000 -0
rucio/core/did_meta_plugins/__init__.py +252 -0
rucio/core/did_meta_plugins/did_column_meta.py +331 -0
rucio/core/did_meta_plugins/did_meta_plugin_interface.py +165 -0
rucio/core/did_meta_plugins/filter_engine.py +613 -0
rucio/core/did_meta_plugins/json_meta.py +240 -0
rucio/core/did_meta_plugins/mongo_meta.py +216 -0
rucio/core/did_meta_plugins/postgres_meta.py +316 -0
rucio/core/dirac.py +237 -0
rucio/core/distance.py +187 -0
rucio/core/exporter.py +59 -0
rucio/core/heartbeat.py +363 -0
rucio/core/identity.py +300 -0
rucio/core/importer.py +259 -0
rucio/core/lifetime_exception.py +377 -0
rucio/core/lock.py +576 -0
rucio/core/message.py +282 -0
rucio/core/meta_conventions.py +203 -0
rucio/core/monitor.py +447 -0
rucio/core/naming_convention.py +195 -0
rucio/core/nongrid_trace.py +136 -0
rucio/core/oidc.py +1461 -0
rucio/core/permission/__init__.py +119 -0
rucio/core/permission/atlas.py +1348 -0
rucio/core/permission/belleii.py +1077 -0
rucio/core/permission/escape.py +1078 -0
rucio/core/permission/generic.py +1130 -0
rucio/core/permission/generic_multi_vo.py +1150 -0
rucio/core/quarantined_replica.py +223 -0
rucio/core/replica.py +4158 -0
rucio/core/replica_sorter.py +366 -0
rucio/core/request.py +3089 -0
rucio/core/rse.py +1875 -0
rucio/core/rse_counter.py +186 -0
rucio/core/rse_expression_parser.py +459 -0
rucio/core/rse_selector.py +302 -0
rucio/core/rule.py +4483 -0
rucio/core/rule_grouping.py +1618 -0
rucio/core/scope.py +180 -0
rucio/core/subscription.py +364 -0
rucio/core/topology.py +490 -0
rucio/core/trace.py +375 -0
rucio/core/transfer.py +1517 -0
rucio/core/vo.py +169 -0
rucio/core/volatile_replica.py +150 -0
rucio/daemons/__init__.py +13 -0
rucio/daemons/abacus/__init__.py +13 -0
rucio/daemons/abacus/account.py +116 -0
rucio/daemons/abacus/collection_replica.py +124 -0
rucio/daemons/abacus/rse.py +117 -0
rucio/daemons/atropos/__init__.py +13 -0
rucio/daemons/atropos/atropos.py +242 -0
rucio/daemons/auditor/__init__.py +289 -0
rucio/daemons/auditor/hdfs.py +97 -0
rucio/daemons/auditor/srmdumps.py +355 -0
rucio/daemons/automatix/__init__.py +13 -0
rucio/daemons/automatix/automatix.py +293 -0
rucio/daemons/badreplicas/__init__.py +13 -0
rucio/daemons/badreplicas/minos.py +322 -0
rucio/daemons/badreplicas/minos_temporary_expiration.py +171 -0
rucio/daemons/badreplicas/necromancer.py +196 -0
rucio/daemons/bb8/__init__.py +13 -0
rucio/daemons/bb8/bb8.py +353 -0
rucio/daemons/bb8/common.py +759 -0
rucio/daemons/bb8/nuclei_background_rebalance.py +153 -0
rucio/daemons/bb8/t2_background_rebalance.py +153 -0
rucio/daemons/c3po/__init__.py +13 -0
rucio/daemons/c3po/algorithms/__init__.py +13 -0
rucio/daemons/c3po/algorithms/simple.py +134 -0
rucio/daemons/c3po/algorithms/t2_free_space.py +128 -0
rucio/daemons/c3po/algorithms/t2_free_space_only_pop.py +130 -0
rucio/daemons/c3po/algorithms/t2_free_space_only_pop_with_network.py +294 -0
rucio/daemons/c3po/c3po.py +371 -0
rucio/daemons/c3po/collectors/__init__.py +13 -0
rucio/daemons/c3po/collectors/agis.py +108 -0
rucio/daemons/c3po/collectors/free_space.py +81 -0
rucio/daemons/c3po/collectors/jedi_did.py +57 -0
rucio/daemons/c3po/collectors/mock_did.py +51 -0
rucio/daemons/c3po/collectors/network_metrics.py +71 -0
rucio/daemons/c3po/collectors/workload.py +112 -0
rucio/daemons/c3po/utils/__init__.py +13 -0
rucio/daemons/c3po/utils/dataset_cache.py +50 -0
rucio/daemons/c3po/utils/expiring_dataset_cache.py +56 -0
rucio/daemons/c3po/utils/expiring_list.py +62 -0
rucio/daemons/c3po/utils/popularity.py +85 -0
rucio/daemons/c3po/utils/timeseries.py +89 -0
rucio/daemons/cache/__init__.py +13 -0
rucio/daemons/cache/consumer.py +197 -0
rucio/daemons/common.py +415 -0
rucio/daemons/conveyor/__init__.py +13 -0
rucio/daemons/conveyor/common.py +562 -0
rucio/daemons/conveyor/finisher.py +529 -0
rucio/daemons/conveyor/poller.py +404 -0
rucio/daemons/conveyor/preparer.py +205 -0
rucio/daemons/conveyor/receiver.py +249 -0
rucio/daemons/conveyor/stager.py +132 -0
rucio/daemons/conveyor/submitter.py +403 -0
rucio/daemons/conveyor/throttler.py +532 -0
rucio/daemons/follower/__init__.py +13 -0
rucio/daemons/follower/follower.py +101 -0
rucio/daemons/hermes/__init__.py +13 -0
rucio/daemons/hermes/hermes.py +774 -0
rucio/daemons/judge/__init__.py +13 -0
rucio/daemons/judge/cleaner.py +159 -0
rucio/daemons/judge/evaluator.py +185 -0
rucio/daemons/judge/injector.py +162 -0
rucio/daemons/judge/repairer.py +154 -0
rucio/daemons/oauthmanager/__init__.py +13 -0
rucio/daemons/oauthmanager/oauthmanager.py +198 -0
rucio/daemons/reaper/__init__.py +13 -0
rucio/daemons/reaper/dark_reaper.py +278 -0
rucio/daemons/reaper/reaper.py +743 -0
rucio/daemons/replicarecoverer/__init__.py +13 -0
rucio/daemons/replicarecoverer/suspicious_replica_recoverer.py +626 -0
rucio/daemons/rsedecommissioner/__init__.py +13 -0
rucio/daemons/rsedecommissioner/config.py +81 -0
rucio/daemons/rsedecommissioner/profiles/__init__.py +24 -0
rucio/daemons/rsedecommissioner/profiles/atlas.py +60 -0
rucio/daemons/rsedecommissioner/profiles/generic.py +451 -0
rucio/daemons/rsedecommissioner/profiles/types.py +92 -0
rucio/daemons/rsedecommissioner/rse_decommissioner.py +280 -0
rucio/daemons/storage/__init__.py +13 -0
rucio/daemons/storage/consistency/__init__.py +13 -0
rucio/daemons/storage/consistency/actions.py +846 -0
rucio/daemons/tracer/__init__.py +13 -0
rucio/daemons/tracer/kronos.py +536 -0
rucio/daemons/transmogrifier/__init__.py +13 -0
rucio/daemons/transmogrifier/transmogrifier.py +762 -0
rucio/daemons/undertaker/__init__.py +13 -0
rucio/daemons/undertaker/undertaker.py +137 -0
rucio/db/__init__.py +13 -0
rucio/db/sqla/__init__.py +52 -0
rucio/db/sqla/constants.py +201 -0
rucio/db/sqla/migrate_repo/__init__.py +13 -0
rucio/db/sqla/migrate_repo/env.py +110 -0
rucio/db/sqla/migrate_repo/versions/01eaf73ab656_add_new_rule_notification_state_progress.py +70 -0
rucio/db/sqla/migrate_repo/versions/0437a40dbfd1_add_eol_at_in_rules.py +47 -0
rucio/db/sqla/migrate_repo/versions/0f1adb7a599a_create_transfer_hops_table.py +59 -0
rucio/db/sqla/migrate_repo/versions/102efcf145f4_added_stuck_at_column_to_rules.py +43 -0
rucio/db/sqla/migrate_repo/versions/13d4f70c66a9_introduce_transfer_limits.py +91 -0
rucio/db/sqla/migrate_repo/versions/140fef722e91_cleanup_distances_table.py +76 -0
rucio/db/sqla/migrate_repo/versions/14ec5aeb64cf_add_request_external_host.py +43 -0
rucio/db/sqla/migrate_repo/versions/156fb5b5a14_add_request_type_to_requests_idx.py +50 -0
rucio/db/sqla/migrate_repo/versions/1677d4d803c8_split_rse_availability_into_multiple.py +68 -0
rucio/db/sqla/migrate_repo/versions/16a0aca82e12_create_index_on_table_replicas_path.py +40 -0
rucio/db/sqla/migrate_repo/versions/1803333ac20f_adding_provenance_and_phys_group.py +45 -0
rucio/db/sqla/migrate_repo/versions/1a29d6a9504c_add_didtype_chck_to_requests.py +60 -0
rucio/db/sqla/migrate_repo/versions/1a80adff031a_create_index_on_rules_hist_recent.py +40 -0
rucio/db/sqla/migrate_repo/versions/1c45d9730ca6_increase_identity_length.py +140 -0
rucio/db/sqla/migrate_repo/versions/1d1215494e95_add_quarantined_replicas_table.py +73 -0
rucio/db/sqla/migrate_repo/versions/1d96f484df21_asynchronous_rules_and_rule_approval.py +74 -0
rucio/db/sqla/migrate_repo/versions/1f46c5f240ac_add_bytes_column_to_bad_replicas.py +43 -0
rucio/db/sqla/migrate_repo/versions/1fc15ab60d43_add_message_history_table.py +50 -0
rucio/db/sqla/migrate_repo/versions/2190e703eb6e_move_rse_settings_to_rse_attributes.py +134 -0
rucio/db/sqla/migrate_repo/versions/21d6b9dc9961_add_mismatch_scheme_state_to_requests.py +64 -0
rucio/db/sqla/migrate_repo/versions/22cf51430c78_add_availability_column_to_table_rses.py +39 -0
rucio/db/sqla/migrate_repo/versions/22d887e4ec0a_create_sources_table.py +64 -0
rucio/db/sqla/migrate_repo/versions/25821a8a45a3_remove_unique_constraint_on_requests.py +51 -0
rucio/db/sqla/migrate_repo/versions/25fc855625cf_added_unique_constraint_to_rules.py +41 -0
rucio/db/sqla/migrate_repo/versions/269fee20dee9_add_repair_cnt_to_locks.py +43 -0
rucio/db/sqla/migrate_repo/versions/271a46ea6244_add_ignore_availability_column_to_rules.py +44 -0
rucio/db/sqla/migrate_repo/versions/277b5fbb41d3_switch_heartbeats_executable.py +53 -0
rucio/db/sqla/migrate_repo/versions/27e3a68927fb_remove_replicas_tombstone_and_replicas_.py +38 -0
rucio/db/sqla/migrate_repo/versions/2854cd9e168_added_rule_id_column.py +47 -0
rucio/db/sqla/migrate_repo/versions/295289b5a800_processed_by_and__at_in_requests.py +45 -0
rucio/db/sqla/migrate_repo/versions/2962ece31cf4_add_nbaccesses_column_in_the_did_table.py +45 -0
rucio/db/sqla/migrate_repo/versions/2af3291ec4c_added_replicas_history_table.py +57 -0
rucio/db/sqla/migrate_repo/versions/2b69addda658_add_columns_for_third_party_copy_read_.py +45 -0
rucio/db/sqla/migrate_repo/versions/2b8e7bcb4783_add_config_table.py +69 -0
rucio/db/sqla/migrate_repo/versions/2ba5229cb54c_add_submitted_at_to_requests_table.py +43 -0
rucio/db/sqla/migrate_repo/versions/2cbee484dcf9_added_column_volume_to_rse_transfer_.py +42 -0
rucio/db/sqla/migrate_repo/versions/2edee4a83846_add_source_to_requests_and_requests_.py +47 -0
rucio/db/sqla/migrate_repo/versions/2eef46be23d4_change_tokens_pk.py +46 -0
rucio/db/sqla/migrate_repo/versions/2f648fc909f3_index_in_rule_history_on_scope_name.py +40 -0
rucio/db/sqla/migrate_repo/versions/3082b8cef557_add_naming_convention_table_and_closed_.py +67 -0
rucio/db/sqla/migrate_repo/versions/30fa38b6434e_add_index_on_service_column_in_the_message_table.py +44 -0
rucio/db/sqla/migrate_repo/versions/3152492b110b_added_staging_area_column.py +77 -0
rucio/db/sqla/migrate_repo/versions/32c7d2783f7e_create_bad_replicas_table.py +60 -0
rucio/db/sqla/migrate_repo/versions/3345511706b8_replicas_table_pk_definition_is_in_.py +72 -0
rucio/db/sqla/migrate_repo/versions/35ef10d1e11b_change_index_on_table_requests.py +42 -0
rucio/db/sqla/migrate_repo/versions/379a19b5332d_create_rse_limits_table.py +65 -0
rucio/db/sqla/migrate_repo/versions/384b96aa0f60_created_rule_history_tables.py +133 -0
rucio/db/sqla/migrate_repo/versions/3ac1660a1a72_extend_distance_table.py +55 -0
rucio/db/sqla/migrate_repo/versions/3ad36e2268b0_create_collection_replicas_updates_table.py +76 -0
rucio/db/sqla/migrate_repo/versions/3c9df354071b_extend_waiting_request_state.py +60 -0
rucio/db/sqla/migrate_repo/versions/3d9813fab443_add_a_new_state_lost_in_badfilesstatus.py +44 -0
rucio/db/sqla/migrate_repo/versions/40ad39ce3160_add_transferred_at_to_requests_table.py +43 -0
rucio/db/sqla/migrate_repo/versions/4207be2fd914_add_notification_column_to_rules.py +64 -0
rucio/db/sqla/migrate_repo/versions/42db2617c364_create_index_on_requests_external_id.py +40 -0
rucio/db/sqla/migrate_repo/versions/436827b13f82_added_column_activity_to_table_requests.py +43 -0
rucio/db/sqla/migrate_repo/versions/44278720f774_update_requests_typ_sta_upd_idx_index.py +44 -0
rucio/db/sqla/migrate_repo/versions/45378a1e76a8_create_collection_replica_table.py +78 -0
rucio/db/sqla/migrate_repo/versions/469d262be19_removing_created_at_index.py +41 -0
rucio/db/sqla/migrate_repo/versions/4783c1f49cb4_create_distance_table.py +59 -0
rucio/db/sqla/migrate_repo/versions/49a21b4d4357_create_index_on_table_tokens.py +44 -0
rucio/db/sqla/migrate_repo/versions/4a2cbedda8b9_add_source_replica_expression_column_to_.py +43 -0
rucio/db/sqla/migrate_repo/versions/4a7182d9578b_added_bytes_length_accessed_at_columns.py +49 -0
rucio/db/sqla/migrate_repo/versions/4bab9edd01fc_create_index_on_requests_rule_id.py +40 -0
rucio/db/sqla/migrate_repo/versions/4c3a4acfe006_new_attr_account_table.py +63 -0
rucio/db/sqla/migrate_repo/versions/4cf0a2e127d4_adding_transient_metadata.py +43 -0
rucio/db/sqla/migrate_repo/versions/4df2c5ddabc0_remove_temporary_dids.py +55 -0
rucio/db/sqla/migrate_repo/versions/50280c53117c_add_qos_class_to_rse.py +45 -0
rucio/db/sqla/migrate_repo/versions/52153819589c_add_rse_id_to_replicas_table.py +43 -0
rucio/db/sqla/migrate_repo/versions/52fd9f4916fa_added_activity_to_rules.py +43 -0
rucio/db/sqla/migrate_repo/versions/53b479c3cb0f_fix_did_meta_table_missing_updated_at_.py +45 -0
rucio/db/sqla/migrate_repo/versions/5673b4b6e843_add_wfms_metadata_to_rule_tables.py +47 -0
rucio/db/sqla/migrate_repo/versions/575767d9f89_added_source_history_table.py +58 -0
rucio/db/sqla/migrate_repo/versions/58bff7008037_add_started_at_to_requests.py +45 -0
rucio/db/sqla/migrate_repo/versions/58c8b78301ab_rename_callback_to_message.py +106 -0
rucio/db/sqla/migrate_repo/versions/5f139f77382a_added_child_rule_id_column.py +55 -0
rucio/db/sqla/migrate_repo/versions/688ef1840840_adding_did_meta_table.py +50 -0
rucio/db/sqla/migrate_repo/versions/6e572a9bfbf3_add_new_split_container_column_to_rules.py +47 -0
rucio/db/sqla/migrate_repo/versions/70587619328_add_comment_column_for_subscriptions.py +43 -0
rucio/db/sqla/migrate_repo/versions/739064d31565_remove_history_table_pks.py +41 -0
rucio/db/sqla/migrate_repo/versions/7541902bf173_add_didsfollowed_and_followevents_table.py +91 -0
rucio/db/sqla/migrate_repo/versions/7ec22226cdbf_new_replica_state_for_temporary_.py +72 -0
rucio/db/sqla/migrate_repo/versions/810a41685bc1_added_columns_rse_transfer_limits.py +49 -0
rucio/db/sqla/migrate_repo/versions/83f991c63a93_correct_rse_expression_length.py +43 -0
rucio/db/sqla/migrate_repo/versions/8523998e2e76_increase_size_of_extended_attributes_.py +43 -0
rucio/db/sqla/migrate_repo/versions/8ea9122275b1_adding_missing_function_based_indices.py +53 -0
rucio/db/sqla/migrate_repo/versions/90f47792bb76_add_clob_payload_to_messages.py +45 -0
rucio/db/sqla/migrate_repo/versions/914b8f02df38_new_table_for_lifetime_model_exceptions.py +68 -0
rucio/db/sqla/migrate_repo/versions/94a5961ddbf2_add_estimator_columns.py +45 -0
rucio/db/sqla/migrate_repo/versions/9a1b149a2044_add_saml_identity_type.py +94 -0
rucio/db/sqla/migrate_repo/versions/9a45bc4ea66d_add_vp_table.py +54 -0
rucio/db/sqla/migrate_repo/versions/9eb936a81eb1_true_is_true.py +72 -0
rucio/db/sqla/migrate_repo/versions/a08fa8de1545_transfer_stats_table.py +55 -0
rucio/db/sqla/migrate_repo/versions/a118956323f8_added_vo_table_and_vo_col_to_rse.py +76 -0
rucio/db/sqla/migrate_repo/versions/a193a275255c_add_status_column_in_messages.py +47 -0
rucio/db/sqla/migrate_repo/versions/a5f6f6e928a7_1_7_0.py +121 -0
rucio/db/sqla/migrate_repo/versions/a616581ee47_added_columns_to_table_requests.py +59 -0
rucio/db/sqla/migrate_repo/versions/a6eb23955c28_state_idx_non_functional.py +52 -0
rucio/db/sqla/migrate_repo/versions/a74275a1ad30_added_global_quota_table.py +54 -0
rucio/db/sqla/migrate_repo/versions/a93e4e47bda_heartbeats.py +64 -0
rucio/db/sqla/migrate_repo/versions/ae2a56fcc89_added_comment_column_to_rules.py +49 -0
rucio/db/sqla/migrate_repo/versions/b0070f3695c8_add_deletedidmeta_table.py +57 -0
rucio/db/sqla/migrate_repo/versions/b4293a99f344_added_column_identity_to_table_tokens.py +43 -0
rucio/db/sqla/migrate_repo/versions/b5493606bbf5_fix_primary_key_for_subscription_history.py +41 -0
rucio/db/sqla/migrate_repo/versions/b7d287de34fd_removal_of_replicastate_source.py +91 -0
rucio/db/sqla/migrate_repo/versions/b818052fa670_add_index_to_quarantined_replicas.py +40 -0
rucio/db/sqla/migrate_repo/versions/b8caac94d7f0_add_comments_column_for_subscriptions_.py +43 -0
rucio/db/sqla/migrate_repo/versions/b96a1c7e1cc4_new_bad_pfns_table_and_bad_replicas_.py +143 -0
rucio/db/sqla/migrate_repo/versions/bb695f45c04_extend_request_state.py +76 -0
rucio/db/sqla/migrate_repo/versions/bc68e9946deb_add_staging_timestamps_to_request.py +50 -0
rucio/db/sqla/migrate_repo/versions/bf3baa1c1474_correct_pk_and_idx_for_history_tables.py +72 -0
rucio/db/sqla/migrate_repo/versions/c0937668555f_add_qos_policy_map_table.py +55 -0
rucio/db/sqla/migrate_repo/versions/c129ccdb2d5_add_lumiblocknr_to_dids.py +43 -0
rucio/db/sqla/migrate_repo/versions/ccdbcd48206e_add_did_type_column_index_on_did_meta_.py +65 -0
rucio/db/sqla/migrate_repo/versions/cebad904c4dd_new_payload_column_for_heartbeats.py +47 -0
rucio/db/sqla/migrate_repo/versions/d1189a09c6e0_oauth2_0_and_jwt_feature_support_adding_.py +146 -0
rucio/db/sqla/migrate_repo/versions/d23453595260_extend_request_state_for_preparer.py +104 -0
rucio/db/sqla/migrate_repo/versions/d6dceb1de2d_added_purge_column_to_rules.py +44 -0
rucio/db/sqla/migrate_repo/versions/d6e2c3b2cf26_remove_third_party_copy_column_from_rse.py +43 -0
rucio/db/sqla/migrate_repo/versions/d91002c5841_new_account_limits_table.py +103 -0
rucio/db/sqla/migrate_repo/versions/e138c364ebd0_extending_columns_for_filter_and_.py +49 -0
rucio/db/sqla/migrate_repo/versions/e59300c8b179_support_for_archive.py +104 -0
rucio/db/sqla/migrate_repo/versions/f1b14a8c2ac1_postgres_use_check_constraints.py +29 -0
rucio/db/sqla/migrate_repo/versions/f41ffe206f37_oracle_global_temporary_tables.py +74 -0
rucio/db/sqla/migrate_repo/versions/f85a2962b021_adding_transfertool_column_to_requests_.py +47 -0
rucio/db/sqla/migrate_repo/versions/fa7a7d78b602_increase_refresh_token_size.py +43 -0
rucio/db/sqla/migrate_repo/versions/fb28a95fe288_add_replicas_rse_id_tombstone_idx.py +37 -0
rucio/db/sqla/migrate_repo/versions/fe1a65b176c9_set_third_party_copy_read_and_write_.py +43 -0
rucio/db/sqla/migrate_repo/versions/fe8ea2fa9788_added_third_party_copy_column_to_rse_.py +43 -0
rucio/db/sqla/models.py +1740 -0
rucio/db/sqla/sautils.py +55 -0
rucio/db/sqla/session.py +498 -0
rucio/db/sqla/types.py +206 -0
rucio/db/sqla/util.py +543 -0
rucio/gateway/__init__.py +13 -0
rucio/gateway/account.py +339 -0
rucio/gateway/account_limit.py +286 -0
rucio/gateway/authentication.py +375 -0
rucio/gateway/config.py +217 -0
rucio/gateway/credential.py +71 -0
rucio/gateway/did.py +970 -0
rucio/gateway/dirac.py +81 -0
rucio/gateway/exporter.py +59 -0
rucio/gateway/heartbeat.py +74 -0
rucio/gateway/identity.py +204 -0
rucio/gateway/importer.py +45 -0
rucio/gateway/lifetime_exception.py +120 -0
rucio/gateway/lock.py +153 -0
rucio/gateway/meta_conventions.py +87 -0
rucio/gateway/permission.py +71 -0
rucio/gateway/quarantined_replica.py +78 -0
rucio/gateway/replica.py +529 -0
rucio/gateway/request.py +321 -0
rucio/gateway/rse.py +600 -0
rucio/gateway/rule.py +417 -0
rucio/gateway/scope.py +99 -0
rucio/gateway/subscription.py +277 -0
rucio/gateway/vo.py +122 -0
rucio/rse/__init__.py +96 -0
rucio/rse/protocols/__init__.py +13 -0
rucio/rse/protocols/bittorrent.py +184 -0
rucio/rse/protocols/cache.py +122 -0
rucio/rse/protocols/dummy.py +111 -0
rucio/rse/protocols/gfal.py +703 -0
rucio/rse/protocols/globus.py +243 -0
rucio/rse/protocols/gsiftp.py +92 -0
rucio/rse/protocols/http_cache.py +82 -0
rucio/rse/protocols/mock.py +123 -0
rucio/rse/protocols/ngarc.py +209 -0
rucio/rse/protocols/posix.py +250 -0
rucio/rse/protocols/protocol.py +594 -0
rucio/rse/protocols/rclone.py +364 -0
rucio/rse/protocols/rfio.py +136 -0
rucio/rse/protocols/srm.py +338 -0
rucio/rse/protocols/ssh.py +413 -0
rucio/rse/protocols/storm.py +206 -0
rucio/rse/protocols/webdav.py +550 -0
rucio/rse/protocols/xrootd.py +301 -0
rucio/rse/rsemanager.py +764 -0
rucio/tests/__init__.py +13 -0
rucio/tests/common.py +270 -0
rucio/tests/common_server.py +132 -0
rucio/transfertool/__init__.py +13 -0
rucio/transfertool/bittorrent.py +199 -0
rucio/transfertool/bittorrent_driver.py +52 -0
rucio/transfertool/bittorrent_driver_qbittorrent.py +133 -0
rucio/transfertool/fts3.py +1596 -0
rucio/transfertool/fts3_plugins.py +152 -0
rucio/transfertool/globus.py +201 -0
rucio/transfertool/globus_library.py +181 -0
rucio/transfertool/mock.py +90 -0
rucio/transfertool/transfertool.py +221 -0
rucio/vcsversion.py +11 -0
rucio/version.py +38 -0
rucio/web/__init__.py +13 -0
rucio/web/rest/__init__.py +13 -0
rucio/web/rest/flaskapi/__init__.py +13 -0
rucio/web/rest/flaskapi/authenticated_bp.py +27 -0
rucio/web/rest/flaskapi/v1/__init__.py +13 -0
rucio/web/rest/flaskapi/v1/accountlimits.py +236 -0
rucio/web/rest/flaskapi/v1/accounts.py +1089 -0
rucio/web/rest/flaskapi/v1/archives.py +102 -0
rucio/web/rest/flaskapi/v1/auth.py +1644 -0
rucio/web/rest/flaskapi/v1/common.py +426 -0
rucio/web/rest/flaskapi/v1/config.py +304 -0
rucio/web/rest/flaskapi/v1/credentials.py +212 -0
rucio/web/rest/flaskapi/v1/dids.py +2334 -0
rucio/web/rest/flaskapi/v1/dirac.py +116 -0
rucio/web/rest/flaskapi/v1/export.py +75 -0
rucio/web/rest/flaskapi/v1/heartbeats.py +127 -0
rucio/web/rest/flaskapi/v1/identities.py +261 -0
rucio/web/rest/flaskapi/v1/import.py +132 -0
rucio/web/rest/flaskapi/v1/lifetime_exceptions.py +312 -0
rucio/web/rest/flaskapi/v1/locks.py +358 -0
rucio/web/rest/flaskapi/v1/main.py +91 -0
rucio/web/rest/flaskapi/v1/meta_conventions.py +241 -0
rucio/web/rest/flaskapi/v1/metrics.py +36 -0
rucio/web/rest/flaskapi/v1/nongrid_traces.py +97 -0
rucio/web/rest/flaskapi/v1/ping.py +88 -0
rucio/web/rest/flaskapi/v1/redirect.py +365 -0
rucio/web/rest/flaskapi/v1/replicas.py +1890 -0
rucio/web/rest/flaskapi/v1/requests.py +998 -0
rucio/web/rest/flaskapi/v1/rses.py +2239 -0
rucio/web/rest/flaskapi/v1/rules.py +854 -0
rucio/web/rest/flaskapi/v1/scopes.py +159 -0
rucio/web/rest/flaskapi/v1/subscriptions.py +650 -0
rucio/web/rest/flaskapi/v1/templates/auth_crash.html +80 -0
rucio/web/rest/flaskapi/v1/templates/auth_granted.html +82 -0
rucio/web/rest/flaskapi/v1/traces.py +100 -0
rucio/web/rest/flaskapi/v1/types.py +20 -0
rucio/web/rest/flaskapi/v1/vos.py +278 -0
rucio/web/rest/main.py +18 -0
rucio/web/rest/metrics.py +27 -0
rucio/web/rest/ping.py +27 -0
rucio-35.7.0.data/data/rucio/etc/alembic.ini.template +71 -0
rucio-35.7.0.data/data/rucio/etc/alembic_offline.ini.template +74 -0
rucio-35.7.0.data/data/rucio/etc/globus-config.yml.template +5 -0
rucio-35.7.0.data/data/rucio/etc/ldap.cfg.template +30 -0
rucio-35.7.0.data/data/rucio/etc/mail_templates/rule_approval_request.tmpl +38 -0
rucio-35.7.0.data/data/rucio/etc/mail_templates/rule_approved_admin.tmpl +4 -0
rucio-35.7.0.data/data/rucio/etc/mail_templates/rule_approved_user.tmpl +17 -0
rucio-35.7.0.data/data/rucio/etc/mail_templates/rule_denied_admin.tmpl +6 -0
rucio-35.7.0.data/data/rucio/etc/mail_templates/rule_denied_user.tmpl +17 -0
rucio-35.7.0.data/data/rucio/etc/mail_templates/rule_ok_notification.tmpl +19 -0
rucio-35.7.0.data/data/rucio/etc/rse-accounts.cfg.template +25 -0
rucio-35.7.0.data/data/rucio/etc/rucio.cfg.atlas.client.template +42 -0
rucio-35.7.0.data/data/rucio/etc/rucio.cfg.template +257 -0
rucio-35.7.0.data/data/rucio/etc/rucio_multi_vo.cfg.template +234 -0
rucio-35.7.0.data/data/rucio/requirements.server.txt +268 -0
rucio-35.7.0.data/data/rucio/tools/bootstrap.py +34 -0
rucio-35.7.0.data/data/rucio/tools/merge_rucio_configs.py +144 -0
rucio-35.7.0.data/data/rucio/tools/reset_database.py +40 -0
rucio-35.7.0.data/scripts/rucio +2542 -0
rucio-35.7.0.data/scripts/rucio-abacus-account +74 -0
rucio-35.7.0.data/scripts/rucio-abacus-collection-replica +46 -0
rucio-35.7.0.data/scripts/rucio-abacus-rse +78 -0
rucio-35.7.0.data/scripts/rucio-admin +2447 -0
rucio-35.7.0.data/scripts/rucio-atropos +60 -0
rucio-35.7.0.data/scripts/rucio-auditor +205 -0
rucio-35.7.0.data/scripts/rucio-automatix +50 -0
rucio-35.7.0.data/scripts/rucio-bb8 +57 -0
rucio-35.7.0.data/scripts/rucio-c3po +85 -0
rucio-35.7.0.data/scripts/rucio-cache-client +134 -0
rucio-35.7.0.data/scripts/rucio-cache-consumer +42 -0
rucio-35.7.0.data/scripts/rucio-conveyor-finisher +58 -0
rucio-35.7.0.data/scripts/rucio-conveyor-poller +66 -0
rucio-35.7.0.data/scripts/rucio-conveyor-preparer +37 -0
rucio-35.7.0.data/scripts/rucio-conveyor-receiver +43 -0
rucio-35.7.0.data/scripts/rucio-conveyor-stager +76 -0
rucio-35.7.0.data/scripts/rucio-conveyor-submitter +139 -0
rucio-35.7.0.data/scripts/rucio-conveyor-throttler +104 -0
rucio-35.7.0.data/scripts/rucio-dark-reaper +53 -0
rucio-35.7.0.data/scripts/rucio-dumper +160 -0
rucio-35.7.0.data/scripts/rucio-follower +44 -0
rucio-35.7.0.data/scripts/rucio-hermes +54 -0
rucio-35.7.0.data/scripts/rucio-judge-cleaner +89 -0
rucio-35.7.0.data/scripts/rucio-judge-evaluator +137 -0
rucio-35.7.0.data/scripts/rucio-judge-injector +44 -0
rucio-35.7.0.data/scripts/rucio-judge-repairer +44 -0
rucio-35.7.0.data/scripts/rucio-kronos +43 -0
rucio-35.7.0.data/scripts/rucio-minos +53 -0
rucio-35.7.0.data/scripts/rucio-minos-temporary-expiration +50 -0
rucio-35.7.0.data/scripts/rucio-necromancer +120 -0
rucio-35.7.0.data/scripts/rucio-oauth-manager +63 -0
rucio-35.7.0.data/scripts/rucio-reaper +83 -0
rucio-35.7.0.data/scripts/rucio-replica-recoverer +248 -0
rucio-35.7.0.data/scripts/rucio-rse-decommissioner +66 -0
rucio-35.7.0.data/scripts/rucio-storage-consistency-actions +74 -0
rucio-35.7.0.data/scripts/rucio-transmogrifier +77 -0
rucio-35.7.0.data/scripts/rucio-undertaker +76 -0
rucio-35.7.0.dist-info/METADATA +72 -0
rucio-35.7.0.dist-info/RECORD +493 -0
rucio-35.7.0.dist-info/WHEEL +5 -0
rucio-35.7.0.dist-info/licenses/AUTHORS.rst +97 -0
rucio-35.7.0.dist-info/licenses/LICENSE +201 -0
rucio-35.7.0.dist-info/top_level.txt +1 -0

rucio/core/permission/generic_multi_vo.py ADDED Viewed

@@ -0,0 +1,1150 @@
+# Copyright European Organization for Nuclear Research (CERN) since 2012
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+from typing import TYPE_CHECKING
+import rucio.core.scope
+from rucio.common.constants import RseAttr
+from rucio.core.account import has_account_attribute, list_account_attributes
+from rucio.core.identity import exist_identity_account
+from rucio.core.lifetime_exception import list_exceptions
+from rucio.core.rse import list_rse_attributes
+from rucio.core.rse_expression_parser import parse_expression
+from rucio.core.rule import get_rule
+from rucio.db.sqla.constants import IdentityType
+if TYPE_CHECKING:
+    from typing import Optional
+    from sqlalchemy.orm import Session
+    from rucio.common.types import InternalAccount
+def has_permission(issuer, action, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account has the specified permission to
+    execute an action with parameters.
+    :param issuer: Account identifier which issues the command..
+    :param action:  The action(API call) called by the account.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    perm = {'add_account': perm_add_account,
+            'del_account': perm_del_account,
+            'update_account': perm_update_account,
+            'add_rule': perm_add_rule,
+            'add_subscription': perm_add_subscription,
+            'add_scope': perm_add_scope,
+            'add_rse': perm_add_rse,
+            'update_rse': perm_update_rse,
+            'add_protocol': perm_add_protocol,
+            'del_protocol': perm_del_protocol,
+            'update_protocol': perm_update_protocol,
+            'declare_bad_file_replicas': perm_declare_bad_file_replicas,
+            'declare_suspicious_file_replicas': perm_declare_suspicious_file_replicas,
+            'add_replicas': perm_add_replicas,
+            'delete_replicas': perm_delete_replicas,
+            'skip_availability_check': perm_skip_availability_check,
+            'update_replicas_states': perm_update_replicas_states,
+            'add_rse_attribute': perm_add_rse_attribute,
+            'del_rse_attribute': perm_del_rse_attribute,
+            'del_rse': perm_del_rse,
+            'del_rule': perm_del_rule,
+            'update_rule': perm_update_rule,
+            'approve_rule': perm_approve_rule,
+            'update_subscription': perm_update_subscription,
+            'reduce_rule': perm_reduce_rule,
+            'move_rule': perm_move_rule,
+            'get_auth_token_user_pass': perm_get_auth_token_user_pass,
+            'get_auth_token_gss': perm_get_auth_token_gss,
+            'get_auth_token_x509': perm_get_auth_token_x509,
+            'get_auth_token_saml': perm_get_auth_token_saml,
+            'add_account_identity': perm_add_account_identity,
+            'add_did': perm_add_did,
+            'add_dids': perm_add_dids,
+            'attach_dids': perm_attach_dids,
+            'detach_dids': perm_detach_dids,
+            'attach_dids_to_dids': perm_attach_dids_to_dids,
+            'create_did_sample': perm_create_did_sample,
+            'set_metadata': perm_set_metadata,
+            'set_status': perm_set_status,
+            'queue_requests': perm_queue_requests,
+            'set_rse_usage': perm_set_rse_usage,
+            'set_rse_limits': perm_set_rse_limits,
+            'list_requests': perm_list_requests,
+            'list_requests_history': perm_list_requests_history,
+            'get_request_by_did': perm_get_request_by_did,
+            'get_request_history_by_did': perm_get_request_history_by_did,
+            'cancel_request': perm_cancel_request,
+            'get_next': perm_get_next,
+            'set_local_account_limit': perm_set_local_account_limit,
+            'set_global_account_limit': perm_set_global_account_limit,
+            'delete_local_account_limit': perm_delete_local_account_limit,
+            'delete_global_account_limit': perm_delete_global_account_limit,
+            'config_sections': perm_config,
+            'config_add_section': perm_config,
+            'config_has_section': perm_config,
+            'config_options': perm_config,
+            'config_has_option': perm_config,
+            'config_get': perm_config,
+            'config_items': perm_config,
+            'config_set': perm_config,
+            'config_remove_section': perm_config,
+            'config_remove_option': perm_config,
+            'get_local_account_usage': perm_get_local_account_usage,
+            'get_global_account_usage': perm_get_global_account_usage,
+            'add_attribute': perm_add_account_attribute,
+            'del_attribute': perm_del_account_attribute,
+            'list_heartbeats': perm_list_heartbeats,
+            'resurrect': perm_resurrect,
+            'update_lifetime_exceptions': perm_update_lifetime_exceptions,
+            'get_auth_token_ssh': perm_get_auth_token_ssh,
+            'get_signed_url': perm_get_signed_url,
+            'add_bad_pfns': perm_add_bad_pfns,
+            'del_account_identity': perm_del_account_identity,
+            'del_identity': perm_del_identity,
+            'remove_did_from_followed': perm_remove_did_from_followed,
+            'remove_dids_from_followed': perm_remove_dids_from_followed,
+            'add_vo': perm_add_vo,
+            'list_vos': perm_list_vos,
+            'recover_vo_root_identity': perm_recover_vo_root_identity,
+            'update_vo': perm_update_vo,
+            'access_rule_vo': perm_access_rule_vo}
+    return perm.get(action, perm_default)(issuer=issuer, kwargs=kwargs, session=session)
+def _is_root(issuer):
+    return issuer.external == 'root'
+def perm_default(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Default permission.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_add_rse(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can add a RSE.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_update_rse(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can update a RSE.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_add_rule(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can add a replication rule.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if kwargs['account'] == issuer and not kwargs['locked']:
+        return True
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    return False
+def perm_add_subscription(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can add a subscription.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    return False
+def perm_add_rse_attribute(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can add a RSE attribute.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    return False
+def perm_del_rse_attribute(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can delete a RSE attribute.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    return False
+def perm_del_rse(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can delete a RSE.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_add_account(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can add an account.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer)
+def perm_del_account(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can del an account.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer)
+def perm_update_account(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can update an account.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_add_scope(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can add a scop to a account.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_get_auth_token_user_pass(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if a user can request a token with user_pass for an account.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if exist_identity_account(identity=kwargs['username'], type_=IdentityType.USERPASS, account=kwargs['account'], session=session):
+        return True
+    return False
+def perm_get_auth_token_gss(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if a user can request a token with user_pass for an account.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if exist_identity_account(identity=kwargs['gsscred'], type_=IdentityType.GSS, account=kwargs['account'], session=session):
+        return True
+    return False
+def perm_get_auth_token_x509(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if a user can request a token with user_pass for an account.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if exist_identity_account(identity=kwargs['dn'], type_=IdentityType.X509, account=kwargs['account'], session=session):
+        return True
+    return False
+def perm_get_auth_token_saml(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if a user can request a token with user_pass for an account.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if exist_identity_account(identity=kwargs['saml_nameid'], type_=IdentityType.SAML, account=kwargs['account'], session=session):
+        return True
+    return False
+def perm_add_account_identity(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can add an identity to an account.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_del_account_identity(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can delete an identity to an account.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_del_identity(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can delete an identity.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or issuer.external in kwargs.get('accounts')
+def perm_add_did(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can add an data identifier to a scope.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    # Check the accounts of the issued rules
+    if not _is_root(issuer) and not has_account_attribute(account=issuer, key='admin', session=session):
+        for rule in kwargs.get('rules', []):
+            if rule['account'] != issuer:
+                return False
+    return _is_root(issuer)\
+        or has_account_attribute(account=issuer, key='admin', session=session)\
+        or rucio.core.scope.is_scope_owner(scope=kwargs['scope'], account=issuer, session=session)\
+        or kwargs['scope'].external == 'mock'
+def perm_add_dids(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can bulk add data identifiers.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    # Check the accounts of the issued rules
+    if not _is_root(issuer) and not has_account_attribute(account=issuer, key='admin', session=session):
+        for did in kwargs['dids']:
+            for rule in did.get('rules', []):
+                if rule['account'] != issuer:
+                    return False
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_attach_dids(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can append an data identifier to the other data identifier.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer)\
+        or has_account_attribute(account=issuer, key='admin', session=session)\
+        or rucio.core.scope.is_scope_owner(scope=kwargs['scope'], account=issuer, session=session)\
+        or kwargs['scope'].external == 'mock'
+def perm_attach_dids_to_dids(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can append an data identifier to the other data identifier.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    else:
+        attachments = kwargs['attachments']
+        scopes = [did['scope'] for did in attachments]
+        scopes = list(set(scopes))
+        for scope in scopes:
+            if not rucio.core.scope.is_scope_owner(scope, issuer, session=session):
+                return False
+        return True
+def perm_create_did_sample(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can create a sample of a data identifier collection.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer)\
+        or has_account_attribute(account=issuer, key='admin', session=session)\
+        or rucio.core.scope.is_scope_owner(scope=kwargs['scope'], account=issuer, session=session)\
+        or kwargs['scope'].external == 'mock'
+def perm_del_rule(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an issuer can delete a replication rule.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed to call the API call, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    return False
+def perm_update_rule(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an issuer can update a replication rule.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed to call the API call, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    return False
+def perm_approve_rule(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an issuer can approve a replication rule.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed to call the API call, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    return False
+def perm_reduce_rule(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an issuer can reduce a replication rule.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed to call the API call, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    return False
+def perm_move_rule(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an issuer can move a replication rule.
+    :param issuer:   Account identifier which issues the command.
+    :param kwargs:   List of arguments for the action.
+    :param session: The DB session to use
+    :returns:        True if account is allowed to call the API call, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    return False
+def perm_update_subscription(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can update a subscription.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    return False
+def perm_detach_dids(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can detach an data identifier from the other data identifier.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return perm_attach_dids(issuer, kwargs, session=session)
+def perm_set_metadata(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can set a metadata on a data identifier.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session) or rucio.core.scope.is_scope_owner(scope=kwargs['scope'], account=issuer, session=session)
+def perm_set_status(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can set status on an data identifier.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if kwargs.get('open', False):
+        if not _is_root(issuer) and not has_account_attribute(account=issuer, key='admin', session=session):
+            return False
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session) or rucio.core.scope.is_scope_owner(scope=kwargs['scope'], account=issuer, session=session)
+def perm_add_protocol(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can add a protocol to an RSE.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_del_protocol(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can delete protocols from an RSE.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_update_protocol(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can update protocols of an RSE.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_declare_bad_file_replicas(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can declare bad file replicas.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer)
+def perm_declare_suspicious_file_replicas(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can declare suspicious file replicas.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return True
+def perm_add_replicas(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can add replicas.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return str(kwargs.get('rse', '')).endswith('SCRATCHDISK')\
+        or str(kwargs.get('rse', '')).endswith('USERDISK')\
+        or str(kwargs.get('rse', '')).endswith('MOCK')\
+        or str(kwargs.get('rse', '')).endswith('LOCALGROUPDISK')\
+        or _is_root(issuer)\
+        or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_skip_availability_check(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can skip the availabity check to add/delete file replicas.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_delete_replicas(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can delete replicas.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return False
+def perm_update_replicas_states(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can delete replicas.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_queue_requests(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can submit transfer or deletion requests on destination RSEs for data identifiers.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer)
+def perm_list_requests(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can list requests.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_list_requests_history(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can list historical requests.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_get_request_by_did(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can get a request by DID.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return True
+def perm_get_request_history_by_did(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can get a historical request by DID.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_cancel_request(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can cancel a request.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer)
+def perm_get_next(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can retrieve the next request matching the request type and state.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer)
+def perm_set_rse_usage(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can set RSE usage information.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed to call the API call, otherwise False
+    """
+    return _is_root(issuer)
+def perm_set_rse_limits(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can set RSE limits.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed to call the API call, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_set_local_account_limit(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can set an account limit.
+    :param account: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    # Check if user is a country admin
+    admin_in_country = []
+    for kv in list_account_attributes(account=issuer, session=session):
+        if kv['key'].startswith('country-') and kv['value'] == 'admin':
+            admin_in_country.append(kv['key'].partition('-')[2])
+    if admin_in_country and list_rse_attributes(rse_id=kwargs['rse_id'], session=session).get(RseAttr.COUNTRY) in admin_in_country:
+        return True
+    return False
+def perm_set_global_account_limit(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can set a global account limit.
+    :param account: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    # Check if user is a country admin
+    admin_in_country = set()
+    for kv in list_account_attributes(account=issuer, session=session):
+        if kv['key'].startswith('country-') and kv['value'] == 'admin':
+            admin_in_country.add(kv['key'].partition('-')[2])
+    resolved_rse_countries = {list_rse_attributes(rse_id=rse['rse_id'], session=session).get(RseAttr.COUNTRY)
+                              for rse in parse_expression(kwargs['rse_expression'], filter_={'vo': issuer.vo}, session=session)}
+    if resolved_rse_countries.issubset(admin_in_country):
+        return True
+    return False
+def perm_delete_local_account_limit(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can delete an account limit.
+    :param account: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    # Check if user is a country admin
+    admin_in_country = []
+    for kv in list_account_attributes(account=issuer, session=session):
+        if kv['key'].startswith('country-') and kv['value'] == 'admin':
+            admin_in_country.append(kv['key'].partition('-')[2])
+    if admin_in_country and list_rse_attributes(rse_id=kwargs['rse_id'], session=session).get(RseAttr.COUNTRY) in admin_in_country:
+        return True
+    return False
+def perm_delete_global_account_limit(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can delete a global account limit.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    # Check if user is a country admin
+    admin_in_country = set()
+    for kv in list_account_attributes(account=issuer, session=session):
+        if kv['key'].startswith('country-') and kv['value'] == 'admin':
+            admin_in_country.add(kv['key'].partition('-')[2])
+    if admin_in_country:
+        resolved_rse_countries = {list_rse_attributes(rse_id=rse['rse_id'], session=session).get(RseAttr.COUNTRY)
+                                  for rse in parse_expression(kwargs['rse_expression'], filter_={'vo': issuer.vo}, session=session)}
+        if resolved_rse_countries.issubset(admin_in_country):
+            return True
+    return False
+def perm_config(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can read/write the configuration.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed to call the API call, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_get_local_account_usage(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can get the account usage of an account.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session) or kwargs.get('account') == issuer:
+        return True
+    # Check if user is a country admin
+    for kv in list_account_attributes(account=issuer, session=session):
+        if kv['key'].startswith('country-') and kv['value'] == 'admin':
+            return True
+    return False
+def perm_get_global_account_usage(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can get the account usage of an account.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session) or kwargs.get('account') == issuer:
+        return True
+    # Check if user is a country admin for all involved countries
+    admin_in_country = set()
+    for kv in list_account_attributes(account=issuer, session=session):
+        if kv['key'].startswith('country-') and kv['value'] == 'admin':
+            admin_in_country.add(kv['key'].partition('-')[2])
+    resolved_rse_countries = {list_rse_attributes(rse_id=rse['rse_id'], session=session).get(RseAttr.COUNTRY)
+                              for rse in parse_expression(kwargs['rse_exp'], filter_={'vo': issuer.vo}, session=session)}
+    if resolved_rse_countries.issubset(admin_in_country):
+        return True
+    return False
+def perm_add_account_attribute(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can add attributes to accounts.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed to call the API call, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_del_account_attribute(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can add attributes to accounts.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed to call the API call, otherwise False
+    """
+    return perm_add_account_attribute(issuer, kwargs, session=session)
+def perm_list_heartbeats(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can list heartbeats.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed to call the API call, otherwise False
+    """
+    return _is_root(issuer)
+def perm_resurrect(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can resurrect DIDS.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed to call the API call, otherwise False
+    """
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_update_lifetime_exceptions(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can approve/reject Lifetime Model exceptions.
+    :param issuer: Account identifier which issues the command.
+    :param session: The DB session to use
+    :returns: True if account is allowed to call the API call, otherwise False
+    """
+    if kwargs['vo'] is not None:
+        exceptions = next(list_exceptions(exception_id=kwargs['exception_id'], states=False, session=session))
+        if exceptions['scope'].vo != kwargs['vo']:
+            return False
+    return _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session)
+def perm_get_auth_token_ssh(issuer: "InternalAccount", kwargs: dict, *, session: "Optional[Session]" = None) -> bool:
+    """
+    Checks if an account can request an ssh token.
+    :param issuer: Account identifier which issues the command.
+    :param session: The DB session to use
+    :returns: True if account is allowed to call the API call, otherwise False
+    """
+    return True
+def perm_get_signed_url(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can request a signed URL.
+    :param issuer: Account identifier which issues the command.
+    :param session: The DB session to use
+    :returns: True if account is allowed to call the API call, otherwise False
+    """
+    return _is_root(issuer)
+def perm_add_bad_pfns(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can declare bad PFNs.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer)
+def perm_remove_did_from_followed(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can remove did from followed table.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return _is_root(issuer)\
+        or has_account_attribute(account=issuer, key='admin', session=session)\
+        or kwargs['account'] == issuer\
+        or kwargs['scope'].external == 'mock'
+def perm_remove_dids_from_followed(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can bulk remove dids from followed table.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    if _is_root(issuer) or has_account_attribute(account=issuer, key='admin', session=session):
+        return True
+    if not kwargs['account'] == issuer:
+        return False
+    return True
+def perm_add_vo(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can add a VO.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return (issuer.internal == 'super_root')
+def perm_list_vos(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can list a VO.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return (issuer.internal == 'super_root')
+def perm_recover_vo_root_identity(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can recover identities for VOs.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return (issuer.internal == 'super_root')
+def perm_update_vo(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if an account can update a VO.
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return (issuer.internal == 'super_root')
+def perm_access_rule_vo(issuer, kwargs, *, session: "Optional[Session]" = None):
+    """
+    Checks if we're at the same VO as the rule_id's
+    :param issuer: Account identifier which issues the command.
+    :param kwargs: List of arguments for the action.
+    :param session: The DB session to use
+    :returns: True if account is allowed, otherwise False
+    """
+    return get_rule(kwargs['rule_id'])['scope'].vo == issuer.vo