Merge pull request dmwm#4619 from zdenekmaxa/reqmgr2-reqmgr_auxiliary…

…-database

ReqMgr2 auxiliary database

bin/reqmgr-sw-update

@@ -0,0 +1,31 @@
+#!/usr/bin/env python
+
+"""
+Helper script calling function to update software known to
+ReqMgr - CMSSW versions and scram architectures.
+
+The script takes 1 argument - name of the configuration file (tag
+collector address, target database is all read from there down the line).
+
+Experience tells that it's better (due to CMS tag collector instability)
+to retrieve data asynchronously into a private ReqMgr database. Rather
+than consult TC at every request injection.
+
+"""
+
+import sys
+import os
+
+from WMCore.reqmgr.service.auxiliary import update_software
+
+
+if len(sys.argv) < 2:
+    print ("ERROR: %s: Please specify configuration file as the only "
+           "argument." % sys.argv[0])
+    sys.exit(1)
+config_file = sys.argv[1]
+if not os.path.exists(config_file):
+    print ("ERROR: %s: Specified config file '%s' does not exist." %
+           (sys.argv[0], config_file))
+    sys.exit(1)
+update_software(config_file)

setup_dependencies.py

@@ -66,10 +66,11 @@
                                     'src/couchapps/WMStats+'],
                         },
                 'reqmgr2':{
-                        'packages': ['WMCore.ReqMgr+',
+                        'packages': ['WMCore.reqmgr+',
                                     ],
                         'systems': ['wmc-rest', 'wmc-runtime', 'wmc-database'],
                         'statics': ['src/couchapps/ReqMgr+',
+                                    'src/couchapps/ReqMgrAux+',
                                     'src/couchapps/ConfigCache+',
                                     'src/couchapps/WMStats+',
                                     'src/html/reqmgr+',

src/couchapps/ReqMgrAux/_id

@@ -0,0 +1 @@
+_design/ReqMgrAux

src/couchapps/ReqMgrAux/couchapp.json

@@ -0,0 +1,5 @@
+{
+    "appName": "ReqMgrAux",
+    "description": "CouchApp",
+    "visualisationTitle": "ReqMgr Auxiliary database CouchApp"
+}

src/couchapps/ReqMgrAux/language

@@ -0,0 +1 @@
+javascript

src/couchapps/ReqMgrAux/validate_doc_update.js

@@ -0,0 +1,49 @@
+function(newDoc, oldDoc, userCtx) {
+   // Determines the doc operation type
+   var DOCOPS = { modif:0, creat:1, delet:2 };
+   var docOp = oldDoc ? (newDoc._deleted === true ? DOCOPS.delet : DOCOPS.modif)
+                      : DOCOPS.creat;
+
+   // Function to get the user list of site/groups for the given role
+   var getRole = function(role) {
+      var roles = userCtx.roles;
+      for (i in roles) {
+         if(typeof(roles[i]) == "object" && roles[i][0] === role)
+            return roles[i][1]; // Request comes from backend auth handler
+         if(typeof(roles[i]) == "string" && roles[i] === role)
+            return []; // Request comes from other handlers (i.e. host auth)
+      }
+      return null;
+   }
+
+   // Function to check if user has the role for a given group or site
+   var matchesRole = function(role, grpsite) {
+      var r = getRole(role);
+      if (r != null)
+         if (grpsite === "" || r.indexOf(grpsite) != -1)
+            return true;
+      return false;
+   }
+
+   // Gets whether the user is a global admin
+   // name=null means requests coming from the local replicator, so we must allow
+   // (the cms couch auth does not allow name=null, so it affects only internal
+   // replication requests)
+   var isGlobalAdm = (userCtx.name === null)
+                     || matchesRole("_admin", "")
+                     || matchesRole("-admin", "group:couchdb");
+
+   //---------------------------------
+   // Authorization rules for Myapp DB
+
+   // The following rule aplies for all operation types
+   var allowed = isGlobalAdm || matchesRole("admin", "group:reqmgr")
+                             || matchesRole("web-service", "group:facops")
+                             || matchesRole("production-operator", "group:dataops");
+
+   // Throw if user not validated
+   if(!allowed) {
+      log(toJSON(userCtx));
+      throw {forbidden: "User not authorized for action."};
+   }
+}