def sync_roles_to_group_accounts(): result = requests.get(CRIC_GROUP_API, verify=False) # Pods don't like the CRIC certificate all_cric_groups = json.loads(result.text) client = Client() for group, data in all_cric_groups.items(): if group in role_group_mapping: group_name = role_group_mapping[group]['name'] group_email = role_group_mapping[group]['email'] print('Setting identities for %s' % group_name) try: client.get_account(group_name) except AccountNotFound: print('Adding group account %s with %s' % (group_name, group_email)) client.add_account(group_name, 'GROUP', group_email) group_info = {user['dn']: user['email'] for user in data['users']} current_identities = set(identity['identity'] for identity in client.list_identities(group_name)) target_identities = set(group_info.keys()) add_identities = target_identities - current_identities del_identities = current_identities - target_identities # FIXME: This does not pick up email changes with the same DN for identity in add_identities: print('Adding %s to %s with %s' % (identity, group_name, group_info[identity])) client.add_identity(account=group_name, identity=identity, authtype='X509', email=group_info[identity]) for identity in del_identities: print('Deleting %s from %s' % (identity, group_name)) client.del_identity(account=group_name, identity=identity, authtype='X509')
def sync_egroups_to_group_accounts(): result = requests.get(CRIC_EGROUP_API, verify=False) # Pods don't like the CRIC certificate all_cric_groups = json.loads(result.text) client = Client() for group, data in all_cric_groups.items(): if 'egroups' in data and data['egroups'] and 'users' in data and data[ 'users']: group_name = data['egroups'][0].replace('-', '_').lower() group_email = data['egroups'][0] + '@cern.ch' try: print('Checking for account %s in Rucio' % group_name) client.get_account(group_name) except AccountNotFound: print('Adding group account %s with %s' % (group_name, group_email)) client.add_account(group_name, 'GROUP', group_email) # Note: This does not pick up email changes with the same DN group_info = {user['dn']: user['email'] for user in data['users']} current_identities = set( identity['identity'] for identity in client.list_identities(group_name)) target_identities = set(group_info.keys()) add_identities = target_identities - current_identities del_identities = current_identities - target_identities for identity in add_identities: print('Adding %s to %s with %s' % (identity, group_name, group_info[identity])) client.add_identity(account=group_name, identity=identity, authtype='X509', email=group_info[identity]) for identity in del_identities: print('Deleting %s from %s' % (identity, group_name)) client.del_identity(account=group_name, identity=identity, authtype='X509')
class SyncAccounts(object): """ Class for sync accounts for a list of 'real' RSEs """ def __init__(self, rses=None, rsefilter=None, identity=None): self.rcli = Client(account='root', auth_type=None) self._get_identity(identity) if rses is None: rses = [] for rse in self.rcli.list_rses(): attrs = self.rcli.list_rse_attributes(rse=rse['rse']) if 'cms_type' in attrs and attrs['cms_type'] == 'real': rses.append(rse['rse']) self.accounts = [] for rse in rses: if rsefilter is None or re.match(rsefilter, rse): self.accounts.append(SYNC_ACCOUNT_FMT % rse.lower()) def _get_identity(self, identity): if identity is None: identity = {'from': os.environ['RUCIO_ACCOUNT']} if 'from' in identity: identity = list(self.rcli.list_identities( account=identity['from']))[0] self.identity = identity def _create_account(self, account, dry=False): missing = False try: self.rcli.get_account(account) except AccountNotFound: missing = True if missing and dry: logging.info('creating account %s. Dry run', account) elif missing: try: self.rcli.add_account( account=account, type='USER', email=None ) logging.debug('created account %s', account) except DatabaseException: logging.warn('Could not create account %s', account) return missing def _add_account_attr(self, account, dry=False): attrs = list(self.rcli.list_account_attributes(account))[0] attr = {u'key': u'admin', u'value': u'true'} # depending on rucio version also this can be a return value attr_alt = {u'key': u'admin', u'value': True} missing = (attr not in attrs) and (attr_alt not in attrs) if missing and dry: logging.info('setting attribute for account %s. Dry run', account) elif missing: self.rcli.add_account_attribute( account=account, key=attr['key'], value=attr['value'] ) logging.debug('set attribute for account %s.', account) return missing def _add_identity(self, account, dry=False): identities = list(self.rcli.list_identities(account=account)) idmissing = self.identity not in identities if idmissing and dry: logging.info('adding %s for account %s. Dry run', self.identity, account) elif idmissing: try: self.rcli.add_identity(account=account, identity=self.identity['identity'], authtype=self.identity['type'], email=None) logging.debug('added %s for account %s', self.identity, account) except Duplicate: # Sometimes idmissing doesn't seem to work logging.warn('identity %s for account %s existed', self.identity, account) return False return idmissing def update(self, dry=False): """ Created or updates the sync accounts """ stat = { 'account': [], 'attribute': [], 'identity': [], 'tot': [] } for account in self.accounts: logging.debug("Considering %s", account) stat['tot'].append(account) created = self._create_account(account, dry) if created: stat['account'].append(account) if created and dry: stat['attribute'].append(account) stat['identity'].append(account) else: try: logging.debug("Adding attribute to %s", account) if self._add_account_attr(account, dry): stat['attribute'].append(account) logging.debug("Adding identity to %s", account) if self._add_identity(account, dry): stat['identity'].append(account) except AccountNotFound: logging.warn('Attributes and identiy not added') return stat
}, "prefix": "/tmp/rucio_rse/" }, ) for key, value in attr.items(): client.add_rse_attribute(rse, key, value) for rse in prod_rses: for rse2 in prod_rses: if rse2 == rse: continue client.add_distance(rse, rse2, {"distance": 1, "ranking": 1}) client.add_scope(account="root", scope="cms") client.add_account("transfer_ops", "SERVICE", "*****@*****.**") client.add_identity( account="transfer_ops", identity="ddmlab", authtype="USERPASS", email="*****@*****.**", ) # why is this still a workaround? from rucio.core.account import add_account_attribute from rucio.common.types import InternalAccount add_account_attribute(InternalAccount("transfer_ops"), "admin", True) client.add_account("wma_prod", "SERVICE", "*****@*****.**") client.add_identity( account="wma_prod", identity="ddmlab",