def getControlledUsers(self, right):
"""Get users and groups which jobs are subject to the given access right"""
userGroupList = "ALL"
# If allInfo flag is defined we can see info for any job
if right == RIGHT_GET_INFO and self.allInfo:
return S_OK(userGroupList)
# Administrators can do everything
if Properties.JOB_ADMINISTRATOR in self.userProperties:
return S_OK(userGroupList)
# Inspectors can see info for all the jobs
if Properties.JOB_MONITOR in self.userProperties and right == RIGHT_GET_INFO:
return S_OK(userGroupList)
userGroupList = []
# User can do many things with his jobs
if Properties.NORMAL_USER in self.userProperties and right in OWNER_RIGHTS:
result = getGroupsForUser(self.userName)
if not result["OK"]:
return result
groups = result["Value"]
for group in groups:
if "NormalUser" in getPropertiesForGroup(group, []):
userGroupList.append((self.userName, group))
# User can do many things with the jobs in the shared group
if Properties.JOB_SHARING in self.userProperties and right in SHARED_GROUP_RIGHTS:
sharedUsers = getUsersInGroup(self.userGroup)
for user in sharedUsers:
userGroupList.append((user, self.userGroup))
userGroupList = list(set(userGroupList))
return S_OK(userGroupList)
def getControlledUsers( self, right ):
""" Get users and groups which jobs are subject to the given access right
"""
userGroupList = 'ALL'
# If allInfo flag is defined we can see info for any job
if right == RIGHT_GET_INFO and self.allInfo:
return S_OK( userGroupList )
# Administrators can do everything
if Properties.JOB_ADMINISTRATOR in self.userProperties:
return S_OK( userGroupList )
# Inspectors can see info for all the jobs
if Properties.JOB_MONITOR in self.userProperties and right == RIGHT_GET_INFO:
return S_OK( userGroupList )
userGroupList = []
# User can do many things with his jobs
if Properties.NORMAL_USER in self.userProperties and right in OWNER_RIGHTS:
result = getGroupsForUser( self.userName )
if not result['OK']:
return result
groups = result['Value']
for group in groups:
if 'NormalUser' in getPropertiesForGroup( group, [] ):
userGroupList.append( ( self.userName, group ) )
# User can do many things with the jobs in the shared group
if Properties.JOB_SHARING in self.userProperties and right in SHARED_GROUP_RIGHTS:
sharedUsers = getUsersInGroup( self.userGroup )
for user in sharedUsers:
userGroupList.append( ( user, self.userGroup ) )
userGroupList = list( set( userGroupList ) )
return S_OK( userGroupList )
def __researchDIRACGroup(self, extSession, chooseScope, state):
"""Research DIRAC groups for authorized user
:param dict extSession: ended authorized external IdP session
:return: -- will return (None, response) to provide error or group selector
will return (grant_user, request) to contionue authorization with choosed group
"""
# Base DIRAC client auth session
firstRequest = createOAuth2Request(extSession["firstRequest"])
# Read requested groups by DIRAC client or user
firstRequest.addScopes(chooseScope)
# Read already authed user
username = extSession["authed"]["username"]
# Requested arguments in first request
provider = firstRequest.provider
self.log.debug("Next groups has been found for %s:" % username, ", ".join(firstRequest.groups))
# Researche Group
result = getGroupsForUser(username)
if not result["OK"]:
return None, self.server.handle_response(
payload=getHTML("server error", theme="error", info=result["Message"]), delSession=True
)
groups = result["Value"]
validGroups = [
group for group in groups if (getIdPForGroup(group) == provider) or ("proxy" in firstRequest.scope)
]
if not validGroups:
return None, self.server.handle_response(
payload=getHTML(
"groups not found.",
theme="error",
info=f"No groups found for {username} and for {provider} Identity Provider.",
),
delSession=True,
)
self.log.debug("The state of %s user groups has been checked:" % username, pprint.pformat(validGroups))
# If group already defined in first request, just return it
if firstRequest.groups:
return extSession["authed"], firstRequest
# If not and we found only one valid group, apply this group
if len(validGroups) == 1:
firstRequest.addScopes(["g:%s" % validGroups[0]])
return extSession["authed"], firstRequest
# Else give user chanse to choose group in browser
with dom.div(cls="row mt-5 justify-content-md-center align-items-center") as tag:
for group in sorted(validGroups):
vo, gr = group.split("_")
with dom.div(cls="col-auto p-2").add(dom.div(cls="card shadow-lg border-0 text-center p-2")):
dom.h4(vo.upper() + " " + gr, cls="p-2")
dom.a(href="%s?state=%s&chooseScope=g:%s" % (self.currentPath, state, group), cls="stretched-link")
html = getHTML(
"group selection..",
body=tag,
icon="users",
info="Dirac use groups to describe permissions. " "You will need to select one of the groups to continue.",
)
return None, self.server.handle_response(payload=html, newSession=extSession)
def syncCSWithVOMS(self):
"""Performs the synchronization of the DIRAC registry with the VOMS data. The resulting
CSAPI object containing modifications is returned as part of the output dictionary.
Those changes can be applied by the caller depending on the mode (dry or a real run)
:return: S_OK with a dictionary containing the results of the synchronization operation
"""
resultDict = defaultdict(list)
# Get DIRAC group vs VOMS Role Mappings
result = getVOMSRoleGroupMapping(self.vo)
if not result["OK"]:
return result
vomsDIRACMapping = result["Value"]["VOMSDIRAC"]
diracVOMSMapping = result["Value"]["DIRACVOMS"]
noVOMSGroups = result["Value"]["NoVOMS"]
noSyncVOMSGroups = result["Value"]["NoSyncVOMS"]
vomsSrv = VOMSService(self.vo)
# Get VOMS users
result = vomsSrv.getUsers()
if not result["OK"]:
self.log.error("Could not retrieve user information from VOMS", result["Message"])
return result
self.vomsUserDict = result["Value"]
message = "There are %s user entries in VOMS for VO %s" % (len(self.vomsUserDict), self.vomsVOName)
self.adminMsgs["Info"].append(message)
self.log.info("VOMS user entries", message)
self.log.debug(self.vomsUserDict)
# Get DIRAC users
result = self.getVOUserData(self.vo)
if not result["OK"]:
return result
diracUserDict = result["Value"]
self.adminMsgs["Info"].append(
"There are %s registered users in DIRAC for VO %s" % (len(diracUserDict), self.vo)
)
self.log.info(
"Users already registered", ": there are %s registered users in DIRAC VO %s" % (len(diracUserDict), self.vo)
)
# Find new and obsoleted user DNs
existingDNs = []
obsoletedDNs = []
newDNs = []
for user in diracUserDict:
dn = diracUserDict[user]["DN"]
# We can have users with more than one DN registered
dnList = fromChar(dn)
existingDNs.extend(dnList)
for dn in dnList:
if dn not in self.vomsUserDict:
obsoletedDNs.append(dn)
for dn in self.vomsUserDict:
if dn not in existingDNs:
newDNs.append(dn)
allDiracUsers = getAllUsers()
nonVOUserDict = {}
nonVOUsers = list(set(allDiracUsers) - set(diracUserDict))
if nonVOUsers:
result = self.csapi.describeUsers(nonVOUsers)
if not result["OK"]:
self.log.error("Could not retrieve CS User description")
return result
nonVOUserDict = result["Value"]
# Process users
defaultVOGroup = getVOOption(self.vo, "DefaultGroup", "%s_user" % self.vo)
# If a user is (previously put by hand) in a "QuarantineGroup",
# then the default group will be ignored.
# So, this option is only considered for the case of existing users.
quarantineVOGroup = getVOOption(self.vo, "QuarantineGroup")
newAddedUserDict = {}
for dn in self.vomsUserDict:
newDNForExistingUser = ""
diracName = ""
if dn in existingDNs:
for user in diracUserDict:
if dn in fromChar(diracUserDict[user]["DN"]):
diracName = user
break
if dn in newDNs:
# Find if the DN is already registered in the DIRAC CS
for user in nonVOUserDict:
if dn in fromChar(nonVOUserDict[user]["DN"]):
diracName = user
diracUserDict[diracName] = nonVOUserDict[user]
break
# Check the nickName in the same VO to see if the user is already registered
# with another DN
nickName = self.vomsUserDict[dn].get("nickname")
if nickName in diracUserDict or nickName in newAddedUserDict:
diracName = nickName
# This is a flag for adding the new DN to an already existing user
newDNForExistingUser = dn
# We have a real new user
if not diracName:
if nickName:
newDiracName = nickName
else:
newDiracName = self.getUserName(dn)
# Do not consider users with Suspended status in VOMS
if self.vomsUserDict[dn]["suspended"] or self.vomsUserDict[dn]["certSuspended"]:
resultDict["SuspendedUsers"].append(newDiracName)
continue
# If the chosen user name exists already, append a distinguishing suffix
ind = 1
trialName = newDiracName
while newDiracName in allDiracUsers:
# We have a user with the same name but with a different DN
newDiracName = "%s_%d" % (trialName, ind)
ind += 1
# We now have everything to add the new user
userDict = {"DN": dn, "CA": self.vomsUserDict[dn]["CA"], "Email": self.vomsUserDict[dn]["mail"]}
groupsWithRole = []
for role in self.vomsUserDict[dn]["Roles"]:
groupList = vomsDIRACMapping.get(role, [])
for group in groupList:
if group not in noSyncVOMSGroups:
groupsWithRole.append(group)
userDict["Groups"] = list(set(groupsWithRole + [defaultVOGroup]))
# Run the sync plugins for extra info and/or validations
if self.syncPlugin:
try:
self.syncPlugin.verifyAndUpdateUserInfo(newDiracName, userDict)
except ValueError as e:
self.log.error("Error validating new user", "nickname %s\n error %s" % (newDiracName, e))
self.adminMsgs["Errors"].append(
"Error validating new user %s: %s\n %s" % (newDiracName, userDict, e)
)
continue
message = "\n Added new user %s:\n" % newDiracName
for key in userDict:
message += " %s: %s\n" % (key, str(userDict[key]))
self.adminMsgs["Info"].append(message)
self.voChanged = True
if self.autoAddUsers:
self.log.info("Adding new user %s: %s" % (newDiracName, str(userDict)))
result = self.csapi.modifyUser(newDiracName, userDict, createIfNonExistant=True)
if not result["OK"]:
self.log.warn("Failed adding new user %s" % newDiracName)
resultDict["NewUsers"].append(newDiracName)
newAddedUserDict[newDiracName] = userDict
continue
# We have an already existing user
modified = False
suspendedInVOMS = self.vomsUserDict[dn]["suspended"] or self.vomsUserDict[dn]["certSuspended"]
suspendedVOList = getUserOption(diracName, "Suspended", [])
knownEmail = getUserOption(diracName, "Email", None)
userDict = {
"DN": diracUserDict[diracName]["DN"],
"CA": diracUserDict[diracName]["CA"],
"Email": self.vomsUserDict[dn].get("mail", self.vomsUserDict[dn].get("emailAddress")) or knownEmail,
}
# Set Suspended status for the user for this particular VO
if suspendedInVOMS and self.vo not in suspendedVOList:
suspendedVOList.append(self.vo)
userDict["Suspended"] = ",".join(suspendedVOList)
modified = True
# Remove the lifted Suspended status
if not suspendedInVOMS and self.vo in suspendedVOList and self.autoLiftSuspendedStatus:
newList = []
for vo in suspendedVOList:
if vo != self.vo:
newList.append(vo)
if not newList:
newList = ["None"]
userDict["Suspended"] = ",".join(newList)
modified = True
if newDNForExistingUser:
userDict["DN"] = ",".join([dn, diracUserDict.get(diracName, newAddedUserDict.get(diracName))["DN"]])
userDict["CA"] = ",".join(
[self.vomsUserDict[dn]["CA"], diracUserDict.get(diracName, newAddedUserDict.get(diracName))["CA"]]
)
modified = True
existingGroups = diracUserDict.get(diracName, {}).get("Groups", [])
nonVOGroups = list(set(existingGroups) - set(diracVOMSMapping))
groupsWithRole = []
for role in self.vomsUserDict[dn]["Roles"]:
groupList = vomsDIRACMapping.get(role, [])
for group in groupList:
if group not in noSyncVOMSGroups:
groupsWithRole.append(group)
keepGroups = nonVOGroups + groupsWithRole
if not quarantineVOGroup or quarantineVOGroup not in existingGroups:
keepGroups += [defaultVOGroup]
if quarantineVOGroup and quarantineVOGroup in existingGroups:
keepGroups = [quarantineVOGroup]
for group in existingGroups:
if group in nonVOGroups:
continue
role = diracVOMSMapping.get(group, "")
# Among already existing groups for the user keep those without a special VOMS Role
# because this membership is done by hand in the CS
if "Role" not in role:
keepGroups.append(group)
# Keep existing groups with no VOMS attribute if any
if group in noVOMSGroups:
keepGroups.append(group)
# Keep groups for which syncronization with VOMS is forbidden
if group in noSyncVOMSGroups:
keepGroups.append(group)
userDict["Groups"] = list(set(keepGroups))
# Merge together groups for the same user but different DNs
if diracName in newAddedUserDict:
otherGroups = newAddedUserDict[diracName].get("Groups", [])
userDict["Groups"] = list(set(keepGroups + otherGroups))
modified = True
if not existingGroups and diracName in allDiracUsers:
groups = getGroupsForUser(diracName)
if groups["OK"]:
self.log.info("Found groups for user %s %s" % (diracName, groups["Value"]))
userDict["Groups"] = list(set(groups["Value"] + keepGroups))
addedGroups = list(set(userDict["Groups"]) - set(groups["Value"]))
modified = True
message = "\n Modified user %s:\n" % diracName
message += " Added to group(s) %s\n" % ",".join(addedGroups)
self.adminMsgs["Info"].append(message)
# Check if something changed before asking CSAPI to modify
if diracName in diracUserDict:
message = "\n Modified user %s:\n" % diracName
modMsg = ""
for key in userDict:
if key == "Groups":
addedGroups = set(userDict[key]) - set(diracUserDict.get(diracName, {}).get(key, []))
removedGroups = set(diracUserDict.get(diracName, {}).get(key, [])) - set(userDict[key])
if addedGroups:
modMsg += " Added to group(s) %s\n" % ",".join(addedGroups)
if removedGroups:
modMsg += " Removed from group(s) %s\n" % ",".join(removedGroups)
elif key == "Suspended":
if userDict["Suspended"] == "None":
modMsg += " Suspended status removed\n"
else:
modMsg += " User Suspended in VOs: %s\n" % userDict["Suspended"]
else:
oldValue = str(diracUserDict.get(diracName, {}).get(key, ""))
if str(userDict[key]) != oldValue:
modMsg += " %s: %s -> %s\n" % (key, oldValue, str(userDict[key]))
if modMsg:
self.adminMsgs["Info"].append(message + modMsg)
modified = True
if self.autoModifyUsers and modified:
result = self.csapi.modifyUser(diracName, userDict)
if result["OK"] and result["Value"]:
self.log.info("Modified user %s: %s" % (diracName, str(userDict)))
self.voChanged = True
resultDict["ModifiedUsers"].append(diracName)
# Check if there are potentially obsoleted users
oldUsers = set()
for user in diracUserDict:
dnSet = set(fromChar(diracUserDict[user]["DN"]))
if not dnSet.intersection(set(self.vomsUserDict)) and user not in nonVOUserDict:
existingGroups = diracUserDict.get(user, {}).get("Groups", [])
nonVOGroups = list(set(existingGroups) - set(diracVOMSMapping))
removedGroups = list(set(existingGroups) - set(nonVOGroups))
if removedGroups:
self.log.info("Checking user for deletion", "%s: %s" % (user, existingGroups))
self.log.info("User has groups in other VOs", "%s: %s" % (user, nonVOGroups))
userDict = diracUserDict[user]
userDict["Groups"] = nonVOGroups
if self.autoModifyUsers:
result = self.csapi.modifyUser(user, userDict)
if result["OK"] and result["Value"]:
self.log.info("Modified user %s: %s" % (user, str(userDict)))
self.voChanged = True
message = "\n Modified user %s:\n" % user
modMsg = " Removed from group(s) %s\n" % ",".join(removedGroups)
self.adminMsgs["Info"].append(message + modMsg)
resultDict["ModifiedUsers"].append(user)
continue
if not any(group in noVOMSGroups for group in existingGroups):
oldUsers.add(user)
# Check for obsoleted DNs
for user in diracUserDict:
dnSet = set(fromChar(diracUserDict[user]["DN"]))
for dn in dnSet:
if dn in obsoletedDNs and user not in oldUsers:
existingGroups = diracUserDict.get(user, {}).get("Groups", [])
nonVOGroups = list(set(existingGroups) - set(diracVOMSMapping))
if nonVOGroups:
self.log.verbose("User has groups in other VOs", "%s: %s" % (user, nonVOGroups))
continue
self.log.verbose("Modified user %s: dropped DN %s" % (user, dn))
if self.autoModifyUsers:
userDict = diracUserDict[user]
modDNSet = dnSet - set([dn])
if modDNSet:
userDict["DN"] = ",".join(modDNSet)
result = self.csapi.modifyUser(user, userDict)
if result["OK"] and result["Value"]:
self.log.info("Modified user %s: dropped DN %s" % (user, dn))
self.adminMsgs["Info"].append("Modified user %s: dropped DN %s" % (user, dn))
self.voChanged = True
resultDict["ModifiedUsers"].append(diracName)
else:
oldUsers.add(user)
if oldUsers:
self.voChanged = True
if self.autoDeleteUsers:
self.log.info("The following users will be deleted: %s" % str(oldUsers))
result = self.csapi.deleteUsers(oldUsers)
if result["OK"]:
self.adminMsgs["Info"].append("The following users are deleted from CS:\n %s\n" % str(oldUsers))
resultDict["DeletedUsers"] = oldUsers
else:
self.adminMsgs["Errors"].append("Error in deleting users from CS:\n %s" % str(oldUsers))
self.log.error("Error while user deletion from CS", result)
else:
self.adminMsgs["Info"].append(
"The following users to be checked for deletion:\n\t%s" % "\n\t".join(sorted(oldUsers))
)
self.log.info("The following users to be checked for deletion:", "\n\t".join(sorted(oldUsers)))
resultDict["CSAPI"] = self.csapi
resultDict["AdminMessages"] = self.adminMsgs
resultDict["VOChanged"] = self.voChanged
return S_OK(resultDict)
sourceSE = sys.argv[2]
targetSE1 = sys.argv[3]
targetSE2 = sys.argv[4]
gLogger.always( "will use '%s' group" % userGroup )
admin = DiracAdmin()
userName = admin._getCurrentUser()
if not userName["OK"]:
gLogger.error( userName["Message"] )
sys.exit( -1 )
userName = userName["Value"]
gLogger.always( "current user is '%s'" % userName )
userGroups = getGroupsForUser( userName )
if not userGroups["OK"]:
gLogger.error( userGroups["Message"] )
sys.exit( -1 )
userGroups = userGroups["Value"]
if userGroup not in userGroups:
gLogger.error( "'%s' is not a member of the '%s' group" % ( userName, userGroup ) )
sys.exit( -1 )
userDN = getDNForUsername( userName )
if not userDN["OK"]:
gLogger.error( userDN["Message"] )
sys.exit( -1 )
userDN = userDN["Value"][0]
gLogger.always( "userDN is %s" % userDN )
sourceSE = sys.argv[2]
targetSE1 = sys.argv[3]
targetSE2 = sys.argv[4]
gLogger.always("will use '%s' group" % userGroup)
admin = DiracAdmin()
userName = admin._getCurrentUser()
if not userName["OK"]:
gLogger.error(userName["Message"])
sys.exit(-1)
userName = userName["Value"]
gLogger.always("current user is '%s'" % userName)
userGroups = getGroupsForUser(userName)
if not userGroups["OK"]:
gLogger.error(userGroups["Message"])
sys.exit(-1)
userGroups = userGroups["Value"]
if userGroup not in userGroups:
gLogger.error("'%s' is not a member of the '%s' group" %
(userName, userGroup))
sys.exit(-1)
userDN = getDNForUsername(userName)
if not userDN["OK"]:
gLogger.error(userDN["Message"])
sys.exit(-1)
userDN = userDN["Value"][0]
import DIRAC
from DIRAC import gLogger, gConfig
from DIRAC.ConfigurationSystem.Client.Helpers.Resources import getSites
from DIRAC.DataManagementSystem.Client.FTSClient import FTSClient
from DIRAC.DataManagementSystem.Client.FTSSite import FTSSite
from DIRAC.Interfaces.API.DiracAdmin import DiracAdmin
from DIRAC.ConfigurationSystem.Client.Helpers.Registry import getGroupsForUser
admin = DiracAdmin()
currentUser = admin._getCurrentUser()
if not currentUser["OK"]:
gLogger.error( currentUser["Message"] )
DIRAC.exit(-1)
currentUser = currentUser["Value"]
userGroups = getGroupsForUser( currentUser )
if not userGroups["OK"]:
gLogger.error( userGroups["Message"] )
DIRAC.exit( -1 )
userGroups = userGroups["Value"]
if "diracAdmin" not in userGroups:
gLogger.error( "you are not allowed to change FTSSites configuration" )
DIRAC.exit( -1 )
args = Script.getPositionalArgs()
maxActiveJobs = 50
ftsSite = ftsServer = ""
if not len( args ) == 3:
Script.showHelp()
