add support to populate the gridmapdir + bug fixes

lib/puppet/provider/gridmapdirentry/gridmapdirentry.rb

@@ -0,0 +1,47 @@
+Puppet::Type.type(:gridmapdirentry).provide(:gridmapdirentry) do
+  desc "ensures that file entries for pool accounts are present in gridmapdir"
+
+  def create
+    expand(resource[:start],resource[:number],resource[:prefix],resource[:digits]).each { |accountname|
+      path = resource[:gridmapdir] + '/' + accountname
+      if (! File.exist?(path) ) 
+        File.open(path,"w",0644){} #create empty file
+      end 
+    }
+  end
+
+  def destroy
+    expand(resource[:start],resource[:number],resource[:prefix],resource[:digits]).each { |accountname|
+      path = resource[:gridmapdir] + '/' + accountname
+      if (File.exist?(path) ) 
+        File.delete(path)
+      end 
+    }
+  end
+
+  def exists?
+    allexist = true
+    expand(resource[:start],resource[:number],resource[:prefix],resource[:digits]).each { |accountname|
+      path = resource[:gridmapdir] + '/' + accountname
+      if (! File.exists?(path))
+        allexist = false
+      end
+    }
+    return allexist
+  end
+
+  def expand(from,number,prefix,digits)
+    expanded = []
+    if ("0" == digits.to_s) 
+      expanded.push(prefix)
+    else
+      (from.to_s.to_i() .. (from.to_s.to_i()+number.to_s.to_i()-1)).each { |c|
+        format = '%.'+digits.to_s()+'d'
+        name=prefix + (format % c).to_s()
+        expanded.push(name)
+      }
+    end
+    return expanded
+  end
+
+end

lib/puppet/type/gridmapdirentry.rb

@@ -0,0 +1,61 @@
+Puppet::Type.newtype(:gridmapdirentry) do 
+  @doc = "ensures that file entries for pool accounts are present in gridmapdir"
+  ensurable
+
+  newparam(:prefix) do 
+    desc "account prefix"
+    validate do |value|
+      unless  value =~ /^[a-zA-Z]+/
+        raise ArgumentError , "%s invalid prefix name" % value
+      end
+    end
+    isnamevar
+  end
+
+  newparam(:number) do 
+    desc "number of pool accounts to be created"
+    defaultto 10
+    validate do |value|
+      unless  value.to_s =~ /^[\d]+/
+        raise ArgumentError , "number of pool accounts must be an integer: \"%s\"" % value
+      end
+    end
+  end
+
+
+  newparam(:start) do 
+    desc "first number to start with"
+    defaultto "1"
+    validate do |value|
+      unless  value.to_s =~ /^[\d]+$/
+        raise ArgumentError , "\"%s\" first number must be an integer" % value
+      end
+    end
+  end
+
+  newparam(:digits) do 
+    desc "number of digits"
+    defaultto "3"
+    validate do |value|
+      unless  value.to_s =~ /^[\d]$/
+        raise ArgumentError , "\"%s\" number of digits must be an integer" % value
+      end
+    end
+  end
+
+  newparam(:gridmapdir) do 
+    desc "path to the gridmapdir"
+    defaultto "/etc/grid-security/gridmapdir"
+    validate do |value|
+      unless  value =~ /^\//
+        raise ArgumentError , "\"%s\" must be a valid absolute path" % value
+      end
+    end
+  end
+
+  autorequire(:file) do
+  	[ self[:gridmapdir] ]
+  end
+
+end
+

manifests/enable_lcgdm_vo.pp

@@ -0,0 +1,19 @@
+define vosupport::enable_lcgdm_vo (
+   $voname=$name,
+   $unprivilegedmkgridmap=false,
+   $gridservice="LFC"
+)
+{
+   $vomappingdata = hiera_hash('vosupport::mappings',undef)
+   $poolaccounts  = hiera_hash('vosupport::poolaccounts',undef)
+   $vomsservers   = hiera_hash('vosupport::vomsservers',undef)
+   $configfile    = "/etc/lcgdm-mkgridmap.conf"
+
+   concat::fragment{"${voname}_lcgdmmkgridmapconf":
+     target  => $configfile,
+     order   => "08",
+     content => template('vosupport/lcgdm-mkgridmap.conf.erb'),
+   }
+
+}
+

manifests/enable_vo.pp

@@ -3,8 +3,10 @@
    $voname=$name,
    $enable_poolaccounts = true,
    $enable_mappings_for_service = undef,
+   $enable_mkgridmap_for_service = undef,
    $enable_environment = true,
-   $enable_voms = true
+   $enable_voms = true,
+   $enable_gridmapdir = false
 )
 {    
     if ($enable_voms) {
@@ -59,6 +61,21 @@
 	content => template('vosupport/groupmapfile.erb')
       }    
     }
+
+    if $enable_mkgridmap_for_service != undef {
+        include vosupport::vo_lcgdm_mappings
+
+        vosupport::enable_lcgdm_vo{$voname:
+            voname=>$voname,
+            unprivilegedmkgridmap=>false,
+            gridservice=>$enable_mkgridmap_for_service
+        }
+    }
+
+    if $enable_gridmapdir {
+      include vosupport::vo_gridmapdir
+      Setupgridmapdir <| voname == $voname |>
+    }
 }
 
 

manifests/init.pp

@@ -1,9 +1,11 @@
 class vosupport(
   $supported_vos = hiera("vosupport_supported_vos",[]), #list of supported VOs we want to enable
   $enable_poolaccounts = hiera("vosupport_enable_poolaccounts",True), #whether to create pool accounts
+  $enable_mkgridmap_for_service = hiera("vosupport_enable_mkgridmap_for_service",undef), #a service to enable mkgridmap for (LFC...)
   $enable_mappings_for_service = hiera("vosupport_enable_mappings_for_service",undef), #a service to enable mappings for (WMS, ARGUS...)
   $enable_environment = hiera("vosupport_enable_environment",True), #whether to set up the gridenv for these VOs
   $enable_voms = hiera("vosupport_enable_voms",True), #whether to enable VOMS client for these VOs
+  $enable_gridmapdir_for_group = hiera("vosupport_enable_gridmapdir_for_group",undef), #if specified, create and populate gridmapdir with pool accounts and sets the ownership of the gridmapdir to the specified group name
 )  
 {
 
@@ -18,11 +20,22 @@
   }
   file {"clean-grid-env-funcs.sh":
     path => '/usr/libexec/clean-grid-env-funcs.sh',
-    source => 'puppet:///modules/vosupport/grid-env-funcs.sh',
+    source => 'puppet:///modules/vosupport/clean-grid-env-funcs.sh',
     owner => "root",
     group => "root",
     mode => 0644,
   }
+
+  #create gridmapdir if necessary
+  if $enable_gridmapdir_for_group != undef {
+    file {'/etc/grid-security/gridmapdir':
+      ensure => directory,
+      mode => 0770,
+      owner => root,
+      group => $enable_gridmapdir_for_group,
+      require => File['/etc/grid-security']
+    }
+  }
 
   #
   # overall process: 
@@ -40,13 +53,15 @@
   #enable the list of supported VOs from the class parameters (most likely coming from hiera)
   #for create_resources to be happy we need to convert the  $supported_vos array into a hash
   #i.e. yaml that looks like "{ vo1: {}, vo2: {}, etc. }"
-  $supported_vos_hash=parseyaml(inline_template("{ <%= @supported_vos.collect{ |voname| voname + ': {}' }.join(', ') %>} "))  
+  $supported_vos_hash=parseyaml(inline_template("{ <%= @supported_vos.collect{ |voname| voname + ': {}' }.join(', ') %>} "))     
 
   $supported_vos_params={
     enable_poolaccounts => $enable_poolaccounts,
     enable_mappings_for_service => $enable_mappings_for_service,
+    enable_mkgridmap_for_service => $enable_mkgridmap_for_service,
     enable_environment => $enable_environment,
-    enable_voms => $enable_voms
+    enable_voms => $enable_voms,
+    enable_gridmapdir => $enable_gridmapdir_for_group? { undef => false, default => true}
   }
   create_resources("vosupport::enable_vo", $supported_vos_hash, $supported_vos_params)
 }

manifests/setupgridmapdir.pp

@@ -0,0 +1,19 @@
+define vosupport::setupgridmapdir (
+  $prefix=$name,
+  $number,
+  $start=1,
+  $digits=3,
+  $gridmapdir='/etc/grid-security/gridmapdir',
+  $voname='',
+)
+{
+      gridmapdirentry {$prefix:
+        ensure => present,
+        number => $number,
+        start  => $start,
+        digits => $digits,
+        gridmapdir => $gridmapdir,
+        require => File[$gridmapdir],
+      }
+}
+

manifests/test.pp

@@ -0,0 +1,11 @@
+class vosupport::test {
+
+  class {'vosupport':
+    supported_vos => [atlas, cms, lhcb, alice, dteam, ops, 'vo.aleph.cern.ch', 'vo.delphi.cern.ch', 'vo.l3.cern.ch', 
+                      'vo.opal.cern.ch', ilc, 'envirogrids.vo.eu-egee.org', geant4, na48, unosat, 'vo.gear.cern.ch',
+                      'vo.sixt.cern.ch'], #prod.vo.eu-eela.eu: missing voms
+  }
+  #$supported_vos_hash=parseyaml(inline_template("{ <%= @supported_vos.collect{ |voname| voname + ': {}' }.join(', ') %>} "))  
+  include vosupport::vo_poolaccounts      
+  Setuphome <| voname == "vo.delphi.cern.ch" |>
+}

manifests/virtual_setupgridmapdir.pp

@@ -0,0 +1,18 @@
+define vosupport::virtual_setupgridmapdir (
+  $prefix=$name,
+  $number,
+  $start=1,
+  $digits=3,
+  $gridmapdir='/etc/grid-security/gridmapdir',
+  $voname='',
+)
+{
+      @vosupport::setupgridmapdir {$name:
+      	prefix => $prefix,
+        number => $number,
+        start  => $start,
+        digits => $digits,
+        gridmapdir => $gridmapdir,
+        voname => $voname,
+      }
+}

manifests/vo_gridmapdir.pp

@@ -0,0 +1,7 @@
+#initialize VO gridmapdir virtual resources
+class vosupport::vo_gridmapdir()
+{
+
+  $poolaccounts = hiera_hash('vosupport::poolaccounts',undef)
+  create_resources('vosupport::virtual_setupgridmapdir',$poolaccounts, {gridmapdir => '/etc/grid-security/gridmapdir'})
+}

manifests/vo_lcgdm_mappings.pp

@@ -0,0 +1,48 @@
+#initialize VO LCGDM mapping resources
+class vosupport::vo_lcgdm_mappings(
+   $configfile   = "/etc/lcgdm-mkgridmap.conf",
+   $mapfile      = "/etc/lcgdm-mapfile",
+   $localmapfile = "/etc/lcgdm-mapfile-local",
+   $logfile      = "/var/log/lcgdm-mkgridmap.log"
+)
+{
+   concat{$configfile:
+     owner =>  'root',
+     group =>  'root',
+     mode  =>  '0644',
+     warn => "# File managed by Puppet module vosupport",
+   }
+   concat::fragment{'lcgdmmkgridmapconf footer':
+     target  => $configfile,
+     order   => '99',
+     content => template('vosupport/lcgdm-mkgridmap.conf_footer.erb')
+   }
+   file{
+     "$mapfile":
+      ensure => present,
+      owner  => root,
+      group  => root,
+      mode   => 644;
+     "$localmapfile":
+      ensure => present,
+      owner  => root,
+      group  => root,
+      mode   => 644
+   }
+
+   # for edg-mkgridmap   
+   package {"edg-mkgridmap": 
+    ensure => present,
+    require => Class["emirepos::emirepositories"]
+     }
+
+   cron {"${configfile}-cron":
+    command => "(date; /usr/libexec/edg-mkgridmap/edg-mkgridmap.pl --conf=$configfile --output=$mapfile --safe) >> $logfile 2>&1",
+    environment => "PATH=/sbin:/bin:/usr/sbin:/usr/bin",
+    user        => root,
+    hour        => [5,11,18,23],
+    minute      => 55,
+    require     => [Concat[$configfile], Package['edg-mkgridmap']]
+  }
+}
+

manifests/vo_poolaccounts.pp

@@ -32,5 +32,5 @@
   }
 
   $poolaccounts = hiera_hash('vosupport::poolaccounts',undef)
-  create_resources('vosupport::virtual_setuphome',$poolaccounts)
+  create_resources('vosupport::virtual_setuphome',$poolaccounts, {homeroot => '/pool/grid'})
 }

templates/grid-vo-env.csh.erb

@@ -11,6 +11,6 @@
 #
 
 set mycshtmpfile=`mktemp /tmp/gridvoenv.XXXXXX`
-bash -c "export ISCSHELL=yes ; source /usr/libexec/grid-vo-env.sh" >> $mycshtmpfile
+bash -c "export ISCSHELL=yes ; source /etc/profile.d/grid-vo-env.sh" >> $mycshtmpfile
 source $mycshtmpfile
 rm -f $mycshtmpfile

templates/gridenv-vo.sh.erb

@@ -1,4 +1,4 @@
 
     # specific settings for <%=voname%>
-    gridenv_set         "VO_<%=voname.upcase.gsub('.','_')%>_DIR" "<%=vo_sw_dir%>"
+    gridenv_set         "VO_<%=voname.upcase.gsub('.','_')%>_SW_DIR" "<%=vo_sw_dir%>"
     gridenv_set         "VO_<%=voname.upcase.gsub('.','_')%>_DEFAULT_SE" "<%=vo_default_se%>"

templates/gridmapfile.erb

@@ -1,6 +1,5 @@
 <% #vomappingdata contains a hash 'role' => { group, prefix, services (an array), static (true/false), voname } -%>
-<% @vomappingdata.keys.sort.each do |role| -%>
-<% if @vomappingdata[role]['voname']==@voname && @vomappingdata[role]['services'].rindex(@enable_mappings_for_service)!=nil -%>
+<% #Since first match is taken into account, we need to sort mapping entries by most specific first, i.e. we sort by group DESC then role DESC, and put wildcard entries last -%>
+<% @vomappingdata.keys.select{|role| @vomappingdata[role]['voname']==@voname && @vomappingdata[role]['services'].rindex(@enable_mappings_for_service)!=nil }.sort{ |x,y| (x.rindex('*').to_i <=> y.rindex('*').to_i).nonzero? || y.partition(/role=/i) <=> x.partition(/role=/i)  }.each do |role| -%>
 "<%= role -%>" <% if !@vomappingdata[role]['static'] -%>.<% end -%><%= @vomappingdata[role]['prefix'] %>
-<% end -%>
 <% end -%>

templates/groupmapfile.erb

@@ -1,6 +1,5 @@
 <% #vomappingdata contains a hash 'role' => { group, prefix, services (an array), static (true/false), voname } -%>
-<% @vomappingdata.keys.sort.each do |role| -%>
-<% if @vomappingdata[role]['voname']==@voname && @vomappingdata[role]['services'].rindex(@enable_mappings_for_service)!=nil -%>
+<% #Since first match is taken into account, we need to sort mapping entries by most specific first, i.e. we sort by group DESC then role DESC, and put wildcard entries last -%>
+<% @vomappingdata.keys.select{|role| @vomappingdata[role]['voname']==@voname && @vomappingdata[role]['services'].rindex(@enable_mappings_for_service)!=nil }.sort{ |x,y| (x.rindex('*').to_i <=> y.rindex('*').to_i).nonzero? || y.partition(/role=/i) <=> x.partition(/role=/i)  }.each do |role| -%>
 "<%= role -%>" <%= @vomappingdata[role]['group'] %>
-<% end -%>
 <% end -%>

templates/lcgdm-mkgridmap.conf.erb

@@ -0,0 +1,16 @@
+<% #vomappingdata contains a hash 'role' => { group, prefix, services (an array), static (true/false), voname } -%>
+<% #poolaccounts contains a hash 'voname' => { digits, homeroot, number, start, voname } -%>
+<% #vomsservers contains a hash 'voname' => an array of vomsservers -%>
+<% if @unprivilegedmkgridmap ==false -%>
+<% @vomappingdata.keys.sort.each do |role| -%>
+<% if @vomappingdata[role]['voname']==@voname && @vomappingdata[role]['services'].rindex(@gridservice)!=nil -%>
+<% @vomsservers[@voname].sort.each do |vomsserver| -%>
+group <%= vomsserver -%><%= role -%> <%= @voname %>
+<% end -%>
+<% end -%>
+<% end -%>
+<% else -%>
+<% @vomsservers[@voname].sort.each do |vomsserver| -%>
+group <%= vomsserver -%>/<%= @voname %> <%= @voname %>
+<% end -%>
+<% end -%>

templates/lcgdm-mkgridmap.conf_footer.erb

@@ -0,0 +1 @@
+gmf_local <%= @localmapfile %>