Adding pilot registrations and authentification (Router)

[Robin-Van-de-Merghel]

Changes

Endpoints

Adding a pilot service with some endpoints:

• POST / creates a pilot with (if not prevented) a secret
• DELETE / deletes pilots by stamp
• DELETE /interval deletes pilots that lived more than n days
• POST /token exchanges a pilot secret for a token
• POST /refresh-token refresh a pilot token
• POST /fields/secrets creates secrets
• PATCH /fields/secrets associates a pilot with a secret
• PATCH /fields/jobs associates a pilot with jobs
• PATCH /fields helps modifying pilot fields (benchmark, gridsite, ...)
• GET /search searchs for pilots with parameters

Note

The DELETE /interval is there because we need it directly and because it is faster, but we can simplify it with GET /search then DELETE /.

Security Model

As the security model dictates, pilot secrets are strings, and hashed in the db itself.

Important

For the JWT perspective, we need to chose whether a pilot will need refresh tokens or not, and how long a token will live to implement it.

These changes are mandatory for this PR.

After offline discussions: A pilot will have a different token (refresh and access), and with a different duration.

[Robin-Van-de-Merghel]

The failed CI i'm not sure if I have to regenerate the client manually.

[aldbr]

The failed CI i'm not sure if I have to regenerate the client manually.

Yes, you need to regenerate the client manually, here is the documentation: https://github.com/DIRACGrid/diracx/blob/main/docs/CLIENT.md#updating-the-client

If you have any trouble, please let me know

[fstagni]

These look a bit fragile (e.g. at the moment we are effectively only supporting MySQL, but what if we add support also for e.g. PG?).
Maybe there's nothing different that can be done, but worth checking.

[Robin-Van-de-Merghel]

Just went to the code of SQLAlchemy, there's indeed an IntegrityError, but nothing is generic. We have to get some db-specific error: psycopg2.errors.ForeignKeyViolation for postgres, if error_code == 2291: for oracle, ...

[aldbr]

Can't you rely on an error code instead of relying on a string at least?
Also, it seems you are not using and testing the case where PilotAlreadyExistsError is raised (or I possibly missed it)

[Robin-Van-de-Merghel]

If we check if an error is an instance of another module pymysql we could potentially catch some errors as code that are specific on a db. And even with that, I saw errors where people had to use both IntegrityError from sql-alchemy and pymy integrity error because of a bad handling..

It is not pretty, and you can read this response: https://stackoverflow.com/a/70714697

Also, it seems you are not using and testing the case where PilotAlreadyExistsError is raised (or I possibly missed it)

This part add_pilot_credentials is not used yet but soon will be when Dirac or another entity will register pilots on DiracX and add credentials. I currently didn't catch it, because HTTPExceptions are to be raised on a router, and in the logic it will be automatically raised.
I don't know if it is fine to raise an error from the logic and raise the same one to the router: in a way it helps understand from the logic the potential, in another, it adds code...

[Robin-Van-de-Merghel]

I'll open an issue for this, to later fix this

[Robin-Van-de-Merghel]

Modified from (PilotID, secret) login request to (PilotRef, secret), see this issue I opened about it.

[Robin-Van-de-Merghel]

Tested with this Pilot PR version and worked successfully. Could retrieve a DiracX token from a Pilot.

[Robin-Van-de-Merghel]

If someone has a solution for this CI, I'm all ears.

I moved a function as suggested above to diracx.logic, and it seems to have destroyed OSDB? (I don't use OpenSearch).

[aldbr]

Can't you rely on an error code instead of relying on a string at least?
Also, it seems you are not using and testing the case where PilotAlreadyExistsError is raised (or I possibly missed it)

[Robin-Van-de-Merghel]

[DB Specific bug:]

(pymysql.err.ProgrammingError) (1064, "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'RETURNING `PilotAgents`.`PilotID`' at line 1")
[SQL: INSERT INTO `PilotAgents` (`InitialJobID`, `CurrentJobID`, `PilotJobReference`, `PilotStamp`, `DestinationSite`, `Queue`, `GridSite`, `VO`, `GridType`, `BenchMark`, `SubmissionTime`, `LastUpdateTime`, `Status`, `StatusReason`, `AccountingSent`) VALUES (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s) RETURNING `PilotAgents`.`PilotID`]
[parameters: (0, 0, 'aa', '', 'NotAssigned', 'Unknown', 'Unknown', 'diracAdmin', 'DIRAC', 0.0, datetime.datetime(2025, 4, 8, 8, 27, 35, 874664, tzinfo=datetime.timezone.utc), datetime.datetime(2025, 4, 8, 8, 27, 35, 874664, tzinfo=datetime.timezone.utc), 'Submitted', 'Unknown', 'False')]

insert(PilotAgents).values(values).returning(PilotAgents.pilot_id) is not supported in mysql, but the CI passes.

[Robin-Van-de-Merghel]

Added support for pilots in this diracx-charts PR

[Robin-Van-de-Merghel]

Could merge cli commands to have only dirac internal add-pilot*

[aldbr]

• I have the feeling that this function should go in diracx.logic, it looks like it does not directly interact with sqlalchemy
• Aren't you supposed to use the search method instead of get_pilot_credentials_by_stamp, get_secrets_by_hashed_secrets_bulk
• I haven't checked what you do with DBInBadStateError, but if you don't catch it anywhere then the transaction should be automatically rolled back. See

  diracx/docs/dev/explanations/components/routes.md

  Lines 94 to 128 in b787d8d

  	### SQL Databases
  	To depend on a SQL-backed database, use the classes in `diracx.routers.dependencies`. The connection is managed through a central pool, with transactions opened for the duration of a request. Successful requests commit the transaction, while requests with HTTP status code `>=400` roll back the transaction. Connections are returned to the pool for reuse.
  	Example:
  	```python
  	from diracx.routers.dependencies import JobDB, JobLoggingDB
  	@router.delete("/{job_id}")
  	async def delete_single_job(job_db: JobDB, job_logging_db: JobLoggingDB): ...
  	```
  	There are advanced and uncommon scenarios where committing a transaction is necessary even when returning an error response (e.g., revoking tokens in the database and returning an error to a potentially malicious user). In such cases, explicitly committing the transaction before raising an exception is crucial. Without this explicit commit, the intended changes would be rolled back along with the transaction, leading to unintended consequences:
  	```python
  	from diracx.routers.dependencies import AuthDB
  	@router.post("/token")
  	async def token(auth_db: AuthDB, ...)
  	...
  	if refresh_token_attributes["status"] == RefreshTokenStatus.REVOKED:
  	# Revoke all the user tokens associated with the subject
  	await auth_db.revoke_user_refresh_tokens(sub)
  	# Explicitly commit the transaction to ensure the revocation is saved,
  	# even though an error will be returned to the user.
  	await auth_db.conn.commit()
  	# Raise an HTTP exception to signal the error
  	raise HTTPException(status_code=401)
  	```
  	Refer to the [SQLAlchemy documentation](https://docs.sqlalchemy.org/en/20/core/pooling.html) for more details.

[Robin-Van-de-Merghel]

For this part:

• Maybe I need yes to add it to the logic 🤔
• For the search, I'm waiting it to be generic, because for now the mechanic of search does not completely do what I want (the error for example)
• For the DBInBadStateError, I don't catch it to raise a 500 error: if I catch it and raise a 4XX error, it is bad, because the problem does not come from the client but from the server.

For the last point, I prefer when there's an error inside the DB to rollback everything, because if I insert corrupted data, it will be a mess to find which one is corrupted

[aldbr]

Same question as earlier here: don't you need these checks in create_credentials?

[aldbr]

@fstagni

It is true that:
a pilot is associated to at most 1 secret
a secret could be associated to more than a pilot, but 1 by default.
This table looks to me it is still needed.

Why do you think the PilotToSecretMapping is still needed if we have a 1-N relationship?
In PilotAgents we can have a secret_id foreign key that would point to PilotSecrets.secret_id.

Having a PilotToSecretMapping implies a N-N relationship I think.

[Robin-Van-de-Merghel]

Facing #417 , so set require_auth to False.

[Robin-Van-de-Merghel]

As discussed offline:

• We won't use pilot user anymore
• We will separate pilot route into pilots/ and pilot_management/
• Users and Pilots will have a different token, and we will have to separate one from the other
• Pilot refresh tokens will last more than user's, and we will refresh tokens as we fetch data from the Pilot