def sync_roles_to_group_accounts():
result = requests.get(CRIC_GROUP_API, verify=False) # Pods don't like the CRIC certificate
all_cric_groups = json.loads(result.text)
client = Client()
for group, data in all_cric_groups.items():
if group in role_group_mapping:
group_name = role_group_mapping[group]['name']
group_email = role_group_mapping[group]['email']
print('Setting identities for %s' % group_name)
try:
client.get_account(group_name)
except AccountNotFound:
print('Adding group account %s with %s' % (group_name, group_email))
client.add_account(group_name, 'GROUP', group_email)
group_info = {user['dn']: user['email'] for user in data['users']}
current_identities = set(identity['identity'] for identity in client.list_identities(group_name))
target_identities = set(group_info.keys())
add_identities = target_identities - current_identities
del_identities = current_identities - target_identities
# FIXME: This does not pick up email changes with the same DN
for identity in add_identities:
print('Adding %s to %s with %s' % (identity, group_name, group_info[identity]))
client.add_identity(account=group_name, identity=identity, authtype='X509', email=group_info[identity])
for identity in del_identities:
print('Deleting %s from %s' % (identity, group_name))
client.del_identity(account=group_name, identity=identity, authtype='X509')
def sync_egroups_to_group_accounts():
result = requests.get(CRIC_EGROUP_API,
verify=False) # Pods don't like the CRIC certificate
all_cric_groups = json.loads(result.text)
client = Client()
for group, data in all_cric_groups.items():
if 'egroups' in data and data['egroups'] and 'users' in data and data[
'users']:
group_name = data['egroups'][0].replace('-', '_').lower()
group_email = data['egroups'][0] + '@cern.ch'
try:
print('Checking for account %s in Rucio' % group_name)
client.get_account(group_name)
except AccountNotFound:
print('Adding group account %s with %s' %
(group_name, group_email))
client.add_account(group_name, 'GROUP', group_email)
# Note: This does not pick up email changes with the same DN
group_info = {user['dn']: user['email'] for user in data['users']}
current_identities = set(
identity['identity']
for identity in client.list_identities(group_name))
target_identities = set(group_info.keys())
add_identities = target_identities - current_identities
del_identities = current_identities - target_identities
for identity in add_identities:
print('Adding %s to %s with %s' %
(identity, group_name, group_info[identity]))
client.add_identity(account=group_name,
identity=identity,
authtype='X509',
email=group_info[identity])
for identity in del_identities:
print('Deleting %s from %s' % (identity, group_name))
client.del_identity(account=group_name,
identity=identity,
authtype='X509')
class SyncAccounts(object):
"""
Class for sync accounts for a list of 'real' RSEs
"""
def __init__(self, rses=None, rsefilter=None, identity=None):
self.rcli = Client(account='root', auth_type=None)
self._get_identity(identity)
if rses is None:
rses = []
for rse in self.rcli.list_rses():
attrs = self.rcli.list_rse_attributes(rse=rse['rse'])
if 'cms_type' in attrs and attrs['cms_type'] == 'real':
rses.append(rse['rse'])
self.accounts = []
for rse in rses:
if rsefilter is None or re.match(rsefilter, rse):
self.accounts.append(SYNC_ACCOUNT_FMT % rse.lower())
def _get_identity(self, identity):
if identity is None:
identity = {'from': os.environ['RUCIO_ACCOUNT']}
if 'from' in identity:
identity = list(self.rcli.list_identities(
account=identity['from']))[0]
self.identity = identity
def _create_account(self, account, dry=False):
missing = False
try:
self.rcli.get_account(account)
except AccountNotFound:
missing = True
if missing and dry:
logging.info('creating account %s. Dry run',
account)
elif missing:
try:
self.rcli.add_account(
account=account,
type='USER',
email=None
)
logging.debug('created account %s',
account)
except DatabaseException:
logging.warn('Could not create account %s',
account)
return missing
def _add_account_attr(self, account, dry=False):
attrs = list(self.rcli.list_account_attributes(account))[0]
attr = {u'key': u'admin', u'value': u'true'}
# depending on rucio version also this can be a return value
attr_alt = {u'key': u'admin', u'value': True}
missing = (attr not in attrs) and (attr_alt not in attrs)
if missing and dry:
logging.info('setting attribute for account %s. Dry run',
account)
elif missing:
self.rcli.add_account_attribute(
account=account,
key=attr['key'],
value=attr['value']
)
logging.debug('set attribute for account %s.',
account)
return missing
def _add_identity(self, account, dry=False):
identities = list(self.rcli.list_identities(account=account))
idmissing = self.identity not in identities
if idmissing and dry:
logging.info('adding %s for account %s. Dry run', self.identity, account)
elif idmissing:
try:
self.rcli.add_identity(account=account, identity=self.identity['identity'],
authtype=self.identity['type'], email=None)
logging.debug('added %s for account %s', self.identity, account)
except Duplicate: # Sometimes idmissing doesn't seem to work
logging.warn('identity %s for account %s existed', self.identity, account)
return False
return idmissing
def update(self, dry=False):
"""
Created or updates the sync accounts
"""
stat = {
'account': [],
'attribute': [],
'identity': [],
'tot': []
}
for account in self.accounts:
logging.debug("Considering %s", account)
stat['tot'].append(account)
created = self._create_account(account, dry)
if created:
stat['account'].append(account)
if created and dry:
stat['attribute'].append(account)
stat['identity'].append(account)
else:
try:
logging.debug("Adding attribute to %s", account)
if self._add_account_attr(account, dry):
stat['attribute'].append(account)
logging.debug("Adding identity to %s", account)
if self._add_identity(account, dry):
stat['identity'].append(account)
except AccountNotFound:
logging.warn('Attributes and identiy not added')
return stat
},
"prefix": "/tmp/rucio_rse/"
},
)
for key, value in attr.items():
client.add_rse_attribute(rse, key, value)
for rse in prod_rses:
for rse2 in prod_rses:
if rse2 == rse:
continue
client.add_distance(rse, rse2, {"distance": 1, "ranking": 1})
client.add_scope(account="root", scope="cms")
client.add_account("transfer_ops", "SERVICE", "*****@*****.**")
client.add_identity(
account="transfer_ops",
identity="ddmlab",
authtype="USERPASS",
email="*****@*****.**",
)
# why is this still a workaround?
from rucio.core.account import add_account_attribute
from rucio.common.types import InternalAccount
add_account_attribute(InternalAccount("transfer_ops"), "admin", True)
client.add_account("wma_prod", "SERVICE", "*****@*****.**")
client.add_identity(
account="wma_prod",
identity="ddmlab",
