python/authn: Implement Roles API

This commit adds the Roles API to the authentication module, enabling role-based access control features. - Added APIs to create, update, delete, get, and list roles. - Added Unit and Integration tests. Signed-off-by: Ryan Koo <[email protected]> Co-authored-by: Ryan Koo <[email protected]> Co-authored-by: Abhishek Gaikwad <[email protected]>
NVIDIA · Aug 15, 2024 · b15826e · b15826e
1 parent 6702cfa
commit b15826e
Show file tree

Hide file tree

Showing 14 changed files with 920 additions and 105 deletions.
diff --git a/python/aistore/sdk/authn/access_attr.py b/python/aistore/sdk/authn/access_attr.py
@@ -0,0 +1,52 @@
+#
+# Copyright (c) 2024, NVIDIA CORPORATION. All rights reserved.
+#
+
+from enum import IntFlag
+
+
+class AccessAttr(IntFlag):
+    """
+    AccessAttr defines permissions as bitwise flags for access control (for more details, refer to the Go API).
+    """
+
+    GET = 1 << 0
+    OBJ_HEAD = 1 << 1
+    PUT = 1 << 2
+    APPEND = 1 << 3
+    OBJ_DELETE = 1 << 4
+    OBJ_MOVE = 1 << 5
+    PROMOTE = 1 << 6
+    OBJ_UPDATE = 1 << 7
+    BCK_HEAD = 1 << 8
+    OBJ_LIST = 1 << 9
+    PATCH = 1 << 10
+    BCK_SET_ACL = 1 << 11
+    LIST_BUCKETS = 1 << 12
+    SHOW_CLUSTER = 1 << 13
+    CREATE_BUCKET = 1 << 14
+    DESTROY_BUCKET = 1 << 15
+    MOVE_BUCKET = 1 << 16
+    ADMIN = 1 << 17
+
+    ACCESS_RO = GET | OBJ_HEAD | LIST_BUCKETS | BCK_HEAD | OBJ_LIST
+    ACCESS_RW = ACCESS_RO | PUT | APPEND | OBJ_DELETE | OBJ_MOVE
+    ACCESS_CLUSTER = LIST_BUCKETS | CREATE_BUCKET | DESTROY_BUCKET | MOVE_BUCKET | ADMIN
+    ACCESS_ALL = (
+        ACCESS_RW
+        | ACCESS_CLUSTER
+        | PROMOTE
+        | OBJ_UPDATE
+        | PATCH
+        | BCK_SET_ACL
+        | SHOW_CLUSTER
+    )
+    ACCESS_NONE = 0
+
+    @staticmethod
+    def describe(perms: int) -> str:
+        """
+        Returns a comma-separated string describing the permissions based on the provided bitwise flags.
+        """
+        access_op = {v.value: v.name for v in AccessAttr}
+        return ",".join(op for perm, op in access_op.items() if perms & perm)
diff --git a/python/aistore/sdk/authn/authn_client.py b/python/aistore/sdk/authn/authn_client.py
@@ -9,8 +9,9 @@
     HTTP_METHOD_POST,
     URL_PATH_AUTHN_USERS,
 )
-from aistore.sdk.authn.authn_types import TokenMsg, LoginMsg
+from aistore.sdk.authn.types import TokenMsg, LoginMsg
 from aistore.sdk.authn.cluster_manager import ClusterManager
+from aistore.sdk.authn.role_manager import RoleManager
 
 # logging
 logging.basicConfig(level=logging.INFO)
@@ -109,3 +110,12 @@ def cluster_manager(self) -> ClusterManager:
             ClusterManager: An instance to manage cluster operations.
         """
         return ClusterManager(client=self._request_client)
+
+    def role_manager(self) -> RoleManager:
+        """
+        Factory method to create a RoleManager instance.
+
+        Returns:
+            RoleManager: An instance to manage role operations.
+        """
+        return RoleManager(client=self._request_client)
diff --git a/python/aistore/sdk/authn/authn_types.py b/python/aistore/sdk/authn/authn_types.py
diff --git a/python/aistore/sdk/authn/cluster_manager.py b/python/aistore/sdk/authn/cluster_manager.py
@@ -13,7 +13,7 @@
     HTTP_METHOD_DELETE,
     URL_PATH_AUTHN_CLUSTERS,
 )
-from aistore.sdk.authn.authn_types import ClusterInfo, ClusterList
+from aistore.sdk.authn.types import ClusterInfo, ClusterList
 
 # logging
 logging.basicConfig(level=logging.INFO)