OpenSource
/
dify
Watch 4
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 152 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7058 Commits
4 Branches
Tree: c3820f55f4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c3820f55f4'
${ noResults }
dify/api/extensions/storage/clickzetta_volume/volume_permissions.py

volume_permissions.py 26KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646 
  1. """ClickZetta Volume permission management mechanism

  2. 

  3. This module provides Volume permission checking, validation and management features.

  4. According to ClickZetta's permission model, different Volume types have different permission requirements.

  5. """

  6. 

  7. import logging

  8. from enum import Enum

  9. from typing import Optional

  10. 

  11. logger = logging.getLogger(__name__)

  12. 

  13. 

  14. class VolumePermission(Enum):

  15.     """Volume permission type enumeration"""

  16. 

  17.     READ = "SELECT"  # Corresponds to ClickZetta's SELECT permission

  18.     WRITE = "INSERT,UPDATE,DELETE"  # Corresponds to ClickZetta's write permissions

  19.     LIST = "SELECT"  # Listing files requires SELECT permission

  20.     DELETE = "INSERT,UPDATE,DELETE"  # Deleting files requires write permissions

  21.     USAGE = "USAGE"  # Basic permission required for External Volume

  22. 

  23. 

  24. class VolumePermissionManager:

  25.     """Volume permission manager"""

  26. 

  27.     def __init__(self, connection_or_config, volume_type: str | None = None, volume_name: Optional[str] = None):

  28.         """Initialize permission manager

  29. 

  30.         Args:

  31.             connection_or_config: ClickZetta connection object or configuration dictionary

  32.             volume_type: Volume type (user|table|external)

  33.             volume_name: Volume name (for external volume)

  34.         """

  35.         # Support two initialization methods: connection object or configuration dictionary

  36.         if isinstance(connection_or_config, dict):

  37.             # Create connection from configuration dictionary

  38.             import clickzetta  # type: ignore[import-untyped]

  39. 

  40.             config = connection_or_config

  41.             self._connection = clickzetta.connect(

  42.                 username=config.get("username"),

  43.                 password=config.get("password"),

  44.                 instance=config.get("instance"),

  45.                 service=config.get("service"),

  46.                 workspace=config.get("workspace"),

  47.                 vcluster=config.get("vcluster"),

  48.                 schema=config.get("schema") or config.get("database"),

  49.             )

  50.             self._volume_type = config.get("volume_type", volume_type)

  51.             self._volume_name = config.get("volume_name", volume_name)

  52.         else:

  53.             # Use connection object directly

  54.             self._connection = connection_or_config

  55.             self._volume_type = volume_type

  56.             self._volume_name = volume_name

  57. 

  58.         if not self._connection:

  59.             raise ValueError("Valid connection or config is required")

  60.         if not self._volume_type:

  61.             raise ValueError("volume_type is required")

  62. 

  63.         self._permission_cache: dict[str, set[str]] = {}

  64.         self._current_username = None  # Will get current username from connection

  65. 

  66.     def check_permission(self, operation: VolumePermission, dataset_id: Optional[str] = None) -> bool:

  67.         """Check if user has permission to perform specific operation

  68. 

  69.         Args:

  70.             operation: Type of operation to perform

  71.             dataset_id: Dataset ID (for table volume)

  72. 

  73.         Returns:

  74.             True if user has permission, False otherwise

  75.         """

  76.         try:

  77.             if self._volume_type == "user":

  78.                 return self._check_user_volume_permission(operation)

  79.             elif self._volume_type == "table":

  80.                 return self._check_table_volume_permission(operation, dataset_id)

  81.             elif self._volume_type == "external":

  82.                 return self._check_external_volume_permission(operation)

  83.             else:

  84.                 logger.warning("Unknown volume type: %s", self._volume_type)

  85.                 return False

  86. 

  87.         except Exception as e:

  88.             logger.exception("Permission check failed")

  89.             return False

  90. 

  91.     def _check_user_volume_permission(self, operation: VolumePermission) -> bool:

  92.         """Check User Volume permission

  93. 

  94.         User Volume permission rules:

  95.         - User has full permissions on their own User Volume

  96.         - As long as user can connect to ClickZetta, they have basic User Volume permissions by default

  97.         - Focus more on connection authentication rather than complex permission checking

  98.         """

  99.         try:

  100.             # Get current username

  101.             current_user = self._get_current_username()

  102. 

  103.             # Check basic connection status

  104.             with self._connection.cursor() as cursor:

  105.                 # Simple connection test, if query can be executed user has basic permissions

  106.                 cursor.execute("SELECT 1")

  107.                 result = cursor.fetchone()

  108. 

  109.                 if result:

  110.                     logger.debug(

  111.                         "User Volume permission check for %s, operation %s: granted (basic connection verified)",

  112.                         current_user,

  113.                         operation.name,

  114.                     )

  115.                     return True

  116.                 else:

  117.                     logger.warning(

  118.                         "User Volume permission check failed: cannot verify basic connection for %s", current_user

  119.                     )

  120.                     return False

  121. 

  122.         except Exception as e:

  123.             logger.exception("User Volume permission check failed")

  124.             # For User Volume, if permission check fails, it might be a configuration issue, provide friendlier error message

  125.             logger.info("User Volume permission check failed, but permission checking is disabled in this version")

  126.             return False

  127. 

  128.     def _check_table_volume_permission(self, operation: VolumePermission, dataset_id: Optional[str]) -> bool:

  129.         """Check Table Volume permission

  130. 

  131.         Table Volume permission rules:

  132.         - Table Volume permissions inherit from corresponding table permissions

  133.         - SELECT permission -> can READ/LIST files

  134.         - INSERT,UPDATE,DELETE permissions -> can WRITE/DELETE files

  135.         """

  136.         if not dataset_id:

  137.             logger.warning("dataset_id is required for table volume permission check")

  138.             return False

  139. 

  140.         table_name = f"dataset_{dataset_id}" if not dataset_id.startswith("dataset_") else dataset_id

  141. 

  142.         try:

  143.             # Check table permissions

  144.             permissions = self._get_table_permissions(table_name)

  145.             required_permissions = set(operation.value.split(","))

  146. 

  147.             # Check if has all required permissions

  148.             has_permission = required_permissions.issubset(permissions)

  149. 

  150.             logger.debug(

  151.                 "Table Volume permission check for %s, operation %s: required=%s, has=%s, granted=%s",

  152.                 table_name,

  153.                 operation.name,

  154.                 required_permissions,

  155.                 permissions,

  156.                 has_permission,

  157.             )

  158. 

  159.             return has_permission

  160. 

  161.         except Exception as e:

  162.             logger.exception("Table volume permission check failed for %s", table_name)

  163.             return False

  164. 

  165.     def _check_external_volume_permission(self, operation: VolumePermission) -> bool:

  166.         """Check External Volume permission

  167. 

  168.         External Volume permission rules:

  169.         - Try to get permissions for External Volume

  170.         - If permission check fails, perform fallback verification

  171.         - For development environment, provide more lenient permission checking

  172.         """

  173.         if not self._volume_name:

  174.             logger.warning("volume_name is required for external volume permission check")

  175.             return False

  176. 

  177.         try:

  178.             # Check External Volume permissions

  179.             permissions = self._get_external_volume_permissions(self._volume_name)

  180. 

  181.             # External Volume permission mapping: determine required permissions based on operation type

  182.             required_permissions = set()

  183. 

  184.             if operation in [VolumePermission.READ, VolumePermission.LIST]:

  185.                 required_permissions.add("read")

  186.             elif operation in [VolumePermission.WRITE, VolumePermission.DELETE]:

  187.                 required_permissions.add("write")

  188. 

  189.             # Check if has all required permissions

  190.             has_permission = required_permissions.issubset(permissions)

  191. 

  192.             logger.debug(

  193.                 "External Volume permission check for %s, operation %s: required=%s, has=%s, granted=%s",

  194.                 self._volume_name,

  195.                 operation.name,

  196.                 required_permissions,

  197.                 permissions,

  198.                 has_permission,

  199.             )

  200. 

  201.             # If permission check fails, try fallback verification

  202.             if not has_permission:

  203.                 logger.info("Direct permission check failed for %s, trying fallback verification", self._volume_name)

  204. 

  205.                 # Fallback verification: try listing Volume to verify basic access permissions

  206.                 try:

  207.                     with self._connection.cursor() as cursor:

  208.                         cursor.execute("SHOW VOLUMES")

  209.                         volumes = cursor.fetchall()

  210.                         for volume in volumes:

  211.                             if len(volume) > 0 and volume[0] == self._volume_name:

  212.                                 logger.info("Fallback verification successful for %s", self._volume_name)

  213.                                 return True

  214.                 except Exception as fallback_e:

  215.                     logger.warning("Fallback verification failed for %s: %s", self._volume_name, fallback_e)

  216. 

  217.             return has_permission

  218. 

  219.         except Exception as e:

  220.             logger.exception("External volume permission check failed for %s", self._volume_name)

  221.             logger.info("External Volume permission check failed, but permission checking is disabled in this version")

  222.             return False

  223. 

  224.     def _get_table_permissions(self, table_name: str) -> set[str]:

  225.         """Get user permissions for specified table

  226. 

  227.         Args:

  228.             table_name: Table name

  229. 

  230.         Returns:

  231.             Set of user permissions for this table

  232.         """

  233.         cache_key = f"table:{table_name}"

  234. 

  235.         if cache_key in self._permission_cache:

  236.             return self._permission_cache[cache_key]

  237. 

  238.         permissions = set()

  239. 

  240.         try:

  241.             with self._connection.cursor() as cursor:

  242.                 # Use correct ClickZetta syntax to check current user permissions

  243.                 cursor.execute("SHOW GRANTS")

  244.                 grants = cursor.fetchall()

  245. 

  246.                 # Parse permission results, find permissions for this table

  247.                 for grant in grants:

  248.                     if len(grant) >= 3:  # Typical format: (privilege, object_type, object_name, ...)

  249.                         privilege = grant[0].upper()

  250.                         object_type = grant[1].upper() if len(grant) > 1 else ""

  251.                         object_name = grant[2] if len(grant) > 2 else ""

  252. 

  253.                         # Check if it's permission for this table

  254.                         if (

  255.                             object_type == "TABLE"

  256.                             and object_name == table_name

  257.                             or object_type == "SCHEMA"

  258.                             and object_name in table_name

  259.                         ):

  260.                             if privilege in ["SELECT", "INSERT", "UPDATE", "DELETE", "ALL"]:

  261.                                 if privilege == "ALL":

  262.                                     permissions.update(["SELECT", "INSERT", "UPDATE", "DELETE"])

  263.                                 else:

  264.                                     permissions.add(privilege)

  265. 

  266.                 # If no explicit permissions found, try executing a simple query to verify permissions

  267.                 if not permissions:

  268.                     try:

  269.                         cursor.execute(f"SELECT COUNT(*) FROM {table_name} LIMIT 1")

  270.                         permissions.add("SELECT")

  271.                     except Exception:

  272.                         logger.debug("Cannot query table %s, no SELECT permission", table_name)

  273. 

  274.         except Exception as e:

  275.             logger.warning("Could not check table permissions for %s: %s", table_name, e)

  276.             # Safe default: deny access when permission check fails

  277.             pass

  278. 

  279.         # Cache permission information

  280.         self._permission_cache[cache_key] = permissions

  281.         return permissions

  282. 

  283.     def _get_current_username(self) -> str:

  284.         """Get current username"""

  285.         if self._current_username:

  286.             return self._current_username

  287. 

  288.         try:

  289.             with self._connection.cursor() as cursor:

  290.                 cursor.execute("SELECT CURRENT_USER()")

  291.                 result = cursor.fetchone()

  292.                 if result:

  293.                     self._current_username = result[0]

  294.                     return str(self._current_username)

  295.         except Exception as e:

  296.             logger.exception("Failed to get current username")

  297. 

  298.         return "unknown"

  299. 

  300.     def _get_user_permissions(self, username: str) -> set[str]:

  301.         """Get user's basic permission set"""

  302.         cache_key = f"user_permissions:{username}"

  303. 

  304.         if cache_key in self._permission_cache:

  305.             return self._permission_cache[cache_key]

  306. 

  307.         permissions = set()

  308. 

  309.         try:

  310.             with self._connection.cursor() as cursor:

  311.                 # Use correct ClickZetta syntax to check current user permissions

  312.                 cursor.execute("SHOW GRANTS")

  313.                 grants = cursor.fetchall()

  314. 

  315.                 # Parse permission results, find user's basic permissions

  316.                 for grant in grants:

  317.                     if len(grant) >= 3:  # Typical format: (privilege, object_type, object_name, ...)

  318.                         privilege = grant[0].upper()

  319.                         object_type = grant[1].upper() if len(grant) > 1 else ""

  320. 

  321.                         # Collect all relevant permissions

  322.                         if privilege in ["SELECT", "INSERT", "UPDATE", "DELETE", "ALL"]:

  323.                             if privilege == "ALL":

  324.                                 permissions.update(["SELECT", "INSERT", "UPDATE", "DELETE"])

  325.                             else:

  326.                                 permissions.add(privilege)

  327. 

  328.         except Exception as e:

  329.             logger.warning("Could not check user permissions for %s: %s", username, e)

  330.             # Safe default: deny access when permission check fails

  331.             pass

  332. 

  333.         # Cache permission information

  334.         self._permission_cache[cache_key] = permissions

  335.         return permissions

  336. 

  337.     def _get_external_volume_permissions(self, volume_name: str) -> set[str]:

  338.         """Get user permissions for specified External Volume

  339. 

  340.         Args:

  341.             volume_name: External Volume name

  342. 

  343.         Returns:

  344.             Set of user permissions for this Volume

  345.         """

  346.         cache_key = f"external_volume:{volume_name}"

  347. 

  348.         if cache_key in self._permission_cache:

  349.             return self._permission_cache[cache_key]

  350. 

  351.         permissions = set()

  352. 

  353.         try:

  354.             with self._connection.cursor() as cursor:

  355.                 # Use correct ClickZetta syntax to check Volume permissions

  356.                 logger.info("Checking permissions for volume: %s", volume_name)

  357.                 cursor.execute(f"SHOW GRANTS ON VOLUME {volume_name}")

  358.                 grants = cursor.fetchall()

  359. 

  360.                 logger.info("Raw grants result for %s: %s", volume_name, grants)

  361. 

  362.                 # Parse permission results

  363.                 # Format: (granted_type, privilege, conditions, granted_on, object_name, granted_to,

  364.                 #       grantee_name, grantor_name, grant_option, granted_time)

  365.                 for grant in grants:

  366.                     logger.info("Processing grant: %s", grant)

  367.                     if len(grant) >= 5:

  368.                         granted_type = grant[0]

  369.                         privilege = grant[1].upper()

  370.                         granted_on = grant[3]

  371.                         object_name = grant[4]

  372. 

  373.                         logger.info(

  374.                             "Grant details - type: %s, privilege: %s, granted_on: %s, object_name: %s",

  375.                             granted_type,

  376.                             privilege,

  377.                             granted_on,

  378.                             object_name,

  379.                         )

  380. 

  381.                         # Check if it's permission for this Volume or hierarchical permission

  382.                         if (

  383.                             granted_type == "PRIVILEGE" and granted_on == "VOLUME" and object_name.endswith(volume_name)

  384.                         ) or (granted_type == "OBJECT_HIERARCHY" and granted_on == "VOLUME"):

  385.                             logger.info("Matching grant found for %s", volume_name)

  386. 

  387.                             if "READ" in privilege:

  388.                                 permissions.add("read")

  389.                                 logger.info("Added READ permission for %s", volume_name)

  390.                             if "WRITE" in privilege:

  391.                                 permissions.add("write")

  392.                                 logger.info("Added WRITE permission for %s", volume_name)

  393.                             if "ALTER" in privilege:

  394.                                 permissions.add("alter")

  395.                                 logger.info("Added ALTER permission for %s", volume_name)

  396.                             if privilege == "ALL":

  397.                                 permissions.update(["read", "write", "alter"])

  398.                                 logger.info("Added ALL permissions for %s", volume_name)

  399. 

  400.                 logger.info("Final permissions for %s: %s", volume_name, permissions)

  401. 

  402.                 # If no explicit permissions found, try viewing Volume list to verify basic permissions

  403.                 if not permissions:

  404.                     try:

  405.                         cursor.execute("SHOW VOLUMES")

  406.                         volumes = cursor.fetchall()

  407.                         for volume in volumes:

  408.                             if len(volume) > 0 and volume[0] == volume_name:

  409.                                 permissions.add("read")  # At least has read permission

  410.                                 logger.debug("Volume %s found in SHOW VOLUMES, assuming read permission", volume_name)

  411.                                 break

  412.                     except Exception:

  413.                         logger.debug("Cannot access volume %s, no basic permission", volume_name)

  414. 

  415.         except Exception as e:

  416.             logger.warning("Could not check external volume permissions for %s: %s", volume_name, e)

  417.             # When permission check fails, try basic Volume access verification

  418.             try:

  419.                 with self._connection.cursor() as cursor:

  420.                     cursor.execute("SHOW VOLUMES")

  421.                     volumes = cursor.fetchall()

  422.                     for volume in volumes:

  423.                         if len(volume) > 0 and volume[0] == volume_name:

  424.                             logger.info("Basic volume access verified for %s", volume_name)

  425.                             permissions.add("read")

  426.                             permissions.add("write")  # Assume has write permission

  427.                             break

  428.             except Exception as basic_e:

  429.                 logger.warning("Basic volume access check failed for %s: %s", volume_name, basic_e)

  430.                 # Last fallback: assume basic permissions

  431.                 permissions.add("read")

  432. 

  433.         # Cache permission information

  434.         self._permission_cache[cache_key] = permissions

  435.         return permissions

  436. 

  437.     def clear_permission_cache(self):

  438.         """Clear permission cache"""

  439.         self._permission_cache.clear()

  440.         logger.debug("Permission cache cleared")

  441. 

  442.     def get_permission_summary(self, dataset_id: Optional[str] = None) -> dict[str, bool]:

  443.         """Get permission summary

  444. 

  445.         Args:

  446.             dataset_id: Dataset ID (for table volume)

  447. 

  448.         Returns:

  449.             Permission summary dictionary

  450.         """

  451.         summary = {}

  452. 

  453.         for operation in VolumePermission:

  454.             summary[operation.name.lower()] = self.check_permission(operation, dataset_id)

  455. 

  456.         return summary

  457. 

  458.     def check_inherited_permission(self, file_path: str, operation: VolumePermission) -> bool:

  459.         """Check permission inheritance for file path

  460. 

  461.         Args:

  462.             file_path: File path

  463.             operation: Operation to perform

  464. 

  465.         Returns:

  466.             True if user has permission, False otherwise

  467.         """

  468.         try:

  469.             # Parse file path

  470.             path_parts = file_path.strip("/").split("/")

  471. 

  472.             if not path_parts:

  473.                 logger.warning("Invalid file path for permission inheritance check")

  474.                 return False

  475. 

  476.             # For Table Volume, first layer is dataset_id

  477.             if self._volume_type == "table":

  478.                 if len(path_parts) < 1:

  479.                     return False

  480. 

  481.                 dataset_id = path_parts[0]

  482. 

  483.                 # Check permissions for dataset

  484.                 has_dataset_permission = self.check_permission(operation, dataset_id)

  485. 

  486.                 if not has_dataset_permission:

  487.                     logger.debug("Permission denied for dataset %s", dataset_id)

  488.                     return False

  489. 

  490.                 # Check path traversal attack

  491.                 if self._contains_path_traversal(file_path):

  492.                     logger.warning("Path traversal attack detected: %s", file_path)

  493.                     return False

  494. 

  495.                 # Check if accessing sensitive directory

  496.                 if self._is_sensitive_path(file_path):

  497.                     logger.warning("Access to sensitive path denied: %s", file_path)

  498.                     return False

  499. 

  500.                 logger.debug("Permission inherited for path %s", file_path)

  501.                 return True

  502. 

  503.             elif self._volume_type == "user":

  504.                 # User Volume permission inheritance

  505.                 current_user = self._get_current_username()

  506. 

  507.                 # Check if attempting to access other user's directory

  508.                 if len(path_parts) > 1 and path_parts[0] != current_user:

  509.                     logger.warning("User %s attempted to access %s's directory", current_user, path_parts[0])

  510.                     return False

  511. 

  512.                 # Check basic permissions

  513.                 return self.check_permission(operation)

  514. 

  515.             elif self._volume_type == "external":

  516.                 # External Volume permission inheritance

  517.                 # Check permissions for External Volume

  518.                 return self.check_permission(operation)

  519. 

  520.             else:

  521.                 logger.warning("Unknown volume type for permission inheritance: %s", self._volume_type)

  522.                 return False

  523. 

  524.         except Exception as e:

  525.             logger.exception("Permission inheritance check failed")

  526.             return False

  527. 

  528.     def _contains_path_traversal(self, file_path: str) -> bool:

  529.         """Check if path contains path traversal attack"""

  530.         # Check common path traversal patterns

  531.         traversal_patterns = [

  532.             "../",

  533.             "..\\",

  534.             "..%2f",

  535.             "..%2F",

  536.             "..%5c",

  537.             "..%5C",

  538.             "%2e%2e%2f",

  539.             "%2e%2e%5c",

  540.             "....//",

  541.             "....\\\\",

  542.         ]

  543. 

  544.         file_path_lower = file_path.lower()

  545. 

  546.         for pattern in traversal_patterns:

  547.             if pattern in file_path_lower:

  548.                 return True

  549. 

  550.         # Check absolute path

  551.         if file_path.startswith("/") or file_path.startswith("\\"):

  552.             return True

  553. 

  554.         # Check Windows drive path

  555.         if len(file_path) >= 2 and file_path[1] == ":":

  556.             return True

  557. 

  558.         return False

  559. 

  560.     def _is_sensitive_path(self, file_path: str) -> bool:

  561.         """Check if path is sensitive path"""

  562.         sensitive_patterns = [

  563.             "passwd",

  564.             "shadow",

  565.             "hosts",

  566.             "config",

  567.             "secrets",

  568.             "private",

  569.             "key",

  570.             "certificate",

  571.             "cert",

  572.             "ssl",

  573.             "database",

  574.             "backup",

  575.             "dump",

  576.             "log",

  577.             "tmp",

  578.         ]

  579. 

  580.         file_path_lower = file_path.lower()

  581. 

  582.         return any(pattern in file_path_lower for pattern in sensitive_patterns)

  583. 

  584.     def validate_operation(self, operation: str, dataset_id: Optional[str] = None) -> bool:

  585.         """Validate operation permission

  586. 

  587.         Args:

  588.             operation: Operation name (save|load|exists|delete|scan)

  589.             dataset_id: Dataset ID

  590. 

  591.         Returns:

  592.             True if operation is allowed, False otherwise

  593.         """

  594.         operation_mapping = {

  595.             "save": VolumePermission.WRITE,

  596.             "load": VolumePermission.READ,

  597.             "load_once": VolumePermission.READ,

  598.             "load_stream": VolumePermission.READ,

  599.             "download": VolumePermission.READ,

  600.             "exists": VolumePermission.READ,

  601.             "delete": VolumePermission.DELETE,

  602.             "scan": VolumePermission.LIST,

  603.         }

  604. 

  605.         if operation not in operation_mapping:

  606.             logger.warning("Unknown operation: %s", operation)

  607.             return False

  608. 

  609.         volume_permission = operation_mapping[operation]

  610.         return self.check_permission(volume_permission, dataset_id)

  611. 

  612. 

  613. class VolumePermissionError(Exception):

  614.     """Volume permission error exception"""

  615. 

  616.     def __init__(self, message: str, operation: str, volume_type: str, dataset_id: Optional[str] = None):

  617.         self.operation = operation

  618.         self.volume_type = volume_type

  619.         self.dataset_id = dataset_id

  620.         super().__init__(message)

  621. 

  622. 

  623. def check_volume_permission(

  624.     permission_manager: VolumePermissionManager, operation: str, dataset_id: Optional[str] = None

  625. ) -> None:

  626.     """Permission check decorator function

  627. 

  628.     Args:

  629.         permission_manager: Permission manager

  630.         operation: Operation name

  631.         dataset_id: Dataset ID

  632. 

  633.     Raises:

  634.         VolumePermissionError: If no permission

  635.     """

  636.     if not permission_manager.validate_operation(operation, dataset_id):

  637.         error_message = f"Permission denied for operation '{operation}' on {permission_manager._volume_type} volume"

  638.         if dataset_id:

  639.             error_message += f" (dataset: {dataset_id})"

  640. 

  641.         raise VolumePermissionError(

  642.             error_message,

  643.             operation=operation,

  644.             volume_type=permission_manager._volume_type or "unknown",

  645.             dataset_id=dataset_id,

  646.         )