fix: slightly different permission scheme

src/DIRAC/FrameworkSystem/Client/ComponentInstaller.py

@@ -69,7 +69,6 @@
 from DIRAC.ConfigurationSystem.Client import PathFinder
 from DIRAC.ConfigurationSystem.Client.CSAPI import CSAPI
 from DIRAC.ConfigurationSystem.Client.Helpers import (
-    CSGlobals,
     cfgInstallPath,
     cfgInstallSection,
     cfgPath,
@@ -85,6 +84,7 @@
     PRODUCTION_MANAGEMENT,
     PROXY_MANAGEMENT,
     SERVICE_ADMINISTRATOR,
+    SITE_MANAGER,
     TRUSTED_HOST,
 )
 from DIRAC.Core.Utilities.Extensions import (
@@ -432,6 +432,8 @@ def _getCentralCfg(self, installCfg):
         defaultHostProperties = [
             TRUSTED_HOST,
             CS_ADMINISTRATOR,
+            SERVICE_ADMINISTRATOR,
+            SITE_MANAGER,
             JOB_ADMINISTRATOR,
             FULL_DELEGATION,
             PROXY_MANAGEMENT,

src/DIRAC/FrameworkSystem/ConfigTemplate.cfg

@@ -167,6 +167,7 @@ Services
       componentExists = authenticated
       getComponents = authenticated
       hostExists = authenticated
+      installationExists = authenticated
       getHosts = authenticated
       installationExists = authenticated
       getInstallations = authenticated
@@ -184,6 +185,7 @@ Services
       componentExists = authenticated
       getComponents = authenticated
       hostExists = authenticated
+      installationExists = authenticated
       getHosts = authenticated
       installationExists = authenticated
       getInstallations = authenticated

tests/CI/install_client.sh

@@ -61,7 +61,7 @@ echo -e "*** $(date -u) **** Client INSTALLATION START ****\n"
 installDIRAC
 
 echo -e "*** $(date -u)  Getting a non privileged user\n" |& tee -a clientTestOutputs.txt
-dirac-proxy-init -C "${SERVERINSTALLDIR}/user/client.pem" -K "${SERVERINSTALLDIR}/user/client.key" "${DEBUG}" |& tee -a clientTestOutputs.txt
+dirac-proxy-init "${DEBUG}" |& tee -a clientTestOutputs.txt
 
 #-------------------------------------------------------------------------------#
 echo -e "*** $(date -u) **** Submit a job ****\n"

tests/Jenkins/dirac-cfg-update-server.py

@@ -548,7 +548,7 @@
 
 csAPI.setOption(
     "Registry/Hosts/server/Properties",
-    "TrustedHost,CSAdministrator,JobAdministrator,FullDelegation,ProxyManagement,Operator,ProductionManagement,GenericPilot",
+    "TrustedHost,SiteManager,CSAdministrator,ServiceAdministrator,JobAdministrator,FullDelegation,ProxyManagement,Operator,ProductionManagement,GenericPilot",
 )
 
 # Setting Systems/WorkloadManagement/Executors/Optimizers/JobScheduling/RescheduleDelays

tests/Jenkins/dirac_ci.sh

@@ -144,9 +144,9 @@ installSite() {
   # will be wrong on the client
   ln -s "${SERVERINSTALLDIR}/diracos/etc/grid-security/certificates/ca.cert.pem" "${SERVERINSTALLDIR}/diracos/etc/grid-security/certificates/$caHash.0"
 
-  # Copy the user cert and key to the correct directory
-  cp /ca/certs/client.pem "${SERVERINSTALLDIR}/user/"
-  cp /ca/certs/client.key "${SERVERINSTALLDIR}/user/"
+  # # Copy the user cert and key to the correct directory
+  # cp /ca/certs/client.pem "${SERVERINSTALLDIR}/user/"
+  # cp /ca/certs/client.key "${SERVERINSTALLDIR}/user/"
 
   rm -rf "${SERVERINSTALLDIR}/etc"
   ln -s "${SERVERINSTALLDIR}/diracos/etc" "${SERVERINSTALLDIR}/etc"
@@ -231,10 +231,10 @@ fullInstallDIRAC() {
     cat "${SERVERINSTALLDIR}/diracos/etc/Production.cfg"
   fi
 
-  if ! diracCredentials; then
-    echo "ERROR: diracCredentials failed" >&2
-    exit 1
-  fi
+  # if ! diracCredentials; then
+  #   echo "ERROR: diracCredentials failed" >&2
+  #   exit 1
+  # fi
 
   #just add a site
   if ! diracAddSite; then
@@ -243,7 +243,8 @@ fullInstallDIRAC() {
   fi
 
   echo "==> Restarting Configuration Server"
-  dirac-restart-component Configuration Server ${DEBUG}
+  dirac-restart-component Configuration Server -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
+  # dirac-restart-component Tornado Tornado -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
 
   #Install the Framework
   findDatabases 'FrameworkSystem'
@@ -253,7 +254,6 @@ fullInstallDIRAC() {
     exit 1
   fi
 
-  dirac-restart-component Tornado Tornado ${DEBUG}
 
   findServices 'FrameworkSystem'
   grep -v 'Tornado' services > disetServices
@@ -288,14 +288,14 @@ fullInstallDIRAC() {
   cat "${SERVERINSTALLDIR}/etc/Production.cfg"
 
   echo "==> Restarting Framework services"
-  dirac-restart-component Framework '*' ${DEBUG}
-  dirac-restart-component Tornado Tornado ${DEBUG}
+  dirac-restart-component Framework '*' -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
+  # dirac-restart-component Tornado Tornado -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
 
   #Now all the rest
 
   # slave CS
   if [[ "${TEST_HTTPS:-Yes}" = "No" ]]; then
-    if ! dirac-install-component Configuration TornadoConfiguration "${DEBUG}"; then
+    if ! dirac-install-component Configuration TornadoConfiguration -o /DIRAC/Security/UseServerCertificate=True "${DEBUG}"; then
       echo 'ERROR: dirac-install-component failed' >&2
       exit 1
     fi
@@ -309,16 +309,10 @@ fullInstallDIRAC() {
     exit 1
   fi
 
-  #upload proxies
-  if ! diracProxies; then
-    echo "ERROR: diracProxies failed" >&2
-    exit 1
-  fi
-
   #fix the DBs (for the FileCatalog and MultiVOFileCatalog)
   diracDFCDB
   diracMVDFCDB
-  python "${TESTCODE}/DIRAC/tests/Jenkins/dirac-cfg-update-dbs.py" "${DEBUG}"
+  python "${TESTCODE}/DIRAC/tests/Jenkins/dirac-cfg-update-dbs.py" -o /DIRAC/Security/UseServerCertificate=True "${DEBUG}"
 
   # services (not looking for FrameworkSystem already installed)
   findServices 'exclude' 'FrameworkSystem'
@@ -341,66 +335,66 @@ fullInstallDIRAC() {
 
   # install an additional FileCatalog service for multi VO metadata tests
   if [[ "${TEST_HTTPS:-Yes}" = "No" ]]; then
-    echo "==> calling dirac-install-component DataManagement MultiVOFileCatalog -m FileCatalog -p Port=9198 -p Database=MultiVOFileCatalogDB ${DEBUG}"
-    if ! dirac-install-component DataManagement MultiVOFileCatalog -m FileCatalog -p Port=9198 -p Database=MultiVOFileCatalogDB "${DEBUG}"; then
+    echo "==> calling dirac-install-component DataManagement MultiVOFileCatalog -m FileCatalog -p Port=9198 -p Database=MultiVOFileCatalogDB -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}"
+    if ! dirac-install-component DataManagement MultiVOFileCatalog -m FileCatalog -p Port=9198 -p Database=MultiVOFileCatalogDB -o /DIRAC/Security/UseServerCertificate=True "${DEBUG}"; then
         echo 'ERROR: dirac-install-component failed' >&2
         exit 1
     fi
   else
-    echo "==> calling dirac-install-component DataManagement TornadoMultiVOFileCatalog -m TornadoFileCatalog -p Port=9198 -p Protocol=https -p Database=MultiVOFileCatalogDB ${DEBUG}"
-    if ! dirac-install-component DataManagement TornadoMultiVOFileCatalog -m TornadoFileCatalog -p Port=9198 -p Protocol=https -p Database=MultiVOFileCatalogDB "${DEBUG}"; then
+    echo "==> calling dirac-install-component DataManagement TornadoMultiVOFileCatalog -m TornadoFileCatalog -p Port=9198 -p Protocol=https -p Database=MultiVOFileCatalogDB -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}"
+    if ! dirac-install-component DataManagement TornadoMultiVOFileCatalog -m TornadoFileCatalog -p Port=9198 -p Protocol=https -p Database=MultiVOFileCatalogDB -o /DIRAC/Security/UseServerCertificate=True "${DEBUG}"; then
         echo 'ERROR: dirac-install-component failed' >&2
         exit 1
     fi
     echo "==> Restarting Tornado Tornado"
     dirac-restart-component Tornado Tornado ${DEBUG}
   fi
   #fix the DFC services options
-  python "${TESTCODE}/DIRAC/tests/Jenkins/dirac-cfg-update-services.py" "${DEBUG}"
+  python "${TESTCODE}/DIRAC/tests/Jenkins/dirac-cfg-update-services.py" -o /DIRAC/Security/UseServerCertificate=True "${DEBUG}"
 
   #fix the SandboxStore and other stuff
-  python "${TESTCODE}/DIRAC/tests/Jenkins/dirac-cfg-update-server.py" "${DEBUG}"
+  python "${TESTCODE}/DIRAC/tests/Jenkins/dirac-cfg-update-server.py" -o /DIRAC/Security/UseServerCertificate=True "${DEBUG}"
 
   echo "==> Restarting Tornado Tornado"
-  dirac-restart-component Tornado Tornado ${DEBUG}
+  # dirac-restart-component Tornado Tornado -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
 
   if [[ "${TEST_HTTPS:-Yes}" = "No" ]]; then
     echo "==> Restarting WorkloadManagement SandboxStore"
-    dirac-restart-component WorkloadManagement SandboxStore ${DEBUG}
+    dirac-restart-component WorkloadManagement SandboxStore -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
     echo "==> Restarting DataManagement FileCatalog"
-    dirac-restart-component DataManagement FileCatalog ${DEBUG}
+    dirac-restart-component DataManagement FileCatalog -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
     echo "==> Restarting DataManagement MultiVOFileCatalog"
-    dirac-restart-component DataManagement MultiVOFileCatalog ${DEBUG}
+    dirac-restart-component DataManagement MultiVOFileCatalog -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
     echo "==> Restarting ResourceStatus *"
-    dirac-restart-component ResourceStatus ResourceStatus ${DEBUG}
-    dirac-restart-component ResourceStatus ResourceManagement ${DEBUG}
-    dirac-restart-component ResourceStatus Publisher ${DEBUG}
+    dirac-restart-component ResourceStatus ResourceStatus -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
+    dirac-restart-component ResourceStatus ResourceManagement -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
+    dirac-restart-component ResourceStatus Publisher -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
   fi
 
   echo "==> Restarting WorkloadManagement Matcher"
-  dirac-restart-component WorkloadManagement Matcher ${DEBUG}
+  dirac-restart-component WorkloadManagement Matcher -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
 
   echo "==> Restarting Configuration Server"
-  dirac-restart-component Configuration Server ${DEBUG}
+  dirac-restart-component Configuration Server -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
 
   echo "==> Restarting DataManagement StorageElement(s)"
-  dirac-restart-component DataManagement SE-1 ${DEBUG}
-  dirac-restart-component DataManagement SE-2 ${DEBUG}
+  dirac-restart-component DataManagement SE-1 -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
+  dirac-restart-component DataManagement SE-2 -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
 
   # populate RSS
   echo "==> Populating RSS DB"
-  dirac-rss-sync --element Site --defaultStatus Banned -o LogLevel=VERBOSE
-  dirac-rss-sync --element Resource --defaultStatus Banned -o LogLevel=VERBOSE
+  dirac-rss-sync --element Site --defaultStatus Banned -o LogLevel=VERBOSE -o /DIRAC/Security/UseServerCertificate=True 
+  dirac-rss-sync --element Resource --defaultStatus Banned -o LogLevel=VERBOSE -o /DIRAC/Security/UseServerCertificate=True 
   # init RSS
   echo "==> Initializing status of sites and resources in RSS"
-  dirac-rss-sync --init --defaultStatus Banned -o LogLevel=VERBOSE
+  dirac-rss-sync --init --defaultStatus Banned -o LogLevel=VERBOSE -o /DIRAC/Security/UseServerCertificate=True 
   # Setting by hand
-  dirac-rss-set-status --element Resource --name ProductionSandboxSE --status Active --reason "Why not?"
-  dirac-rss-set-status --element Resource --name jenkins.cern.ch --status Active --reason "Why not?"
-  dirac-rss-set-status --element Resource --name JENKINS-FTS3 --status Active --reason "Why not?"
-  dirac-rss-set-status --element Resource --name FileCatalog --status Active --reason "Why not?"
-  dirac-rss-set-status --element Site --name DIRAC.Jenkins.ch --status Active --reason "Why not?"
-  dirac-admin-allow-se SE-1 SE-2 S3-DIRECT S3-INDIRECT --All
+  dirac-rss-set-status --element Resource --name ProductionSandboxSE --status Active --reason "Why not?" -o /DIRAC/Security/UseServerCertificate=True 
+  dirac-rss-set-status --element Resource --name jenkins.cern.ch --status Active --reason "Why not?" -o /DIRAC/Security/UseServerCertificate=True 
+  dirac-rss-set-status --element Resource --name JENKINS-FTS3 --status Active --reason "Why not?" -o /DIRAC/Security/UseServerCertificate=True 
+  dirac-rss-set-status --element Resource --name FileCatalog --status Active --reason "Why not?" -o /DIRAC/Security/UseServerCertificate=True 
+  dirac-rss-set-status --element Site --name DIRAC.Jenkins.ch --status Active --reason "Why not?" -o /DIRAC/Security/UseServerCertificate=True 
+  dirac-admin-allow-se SE-1 SE-2 S3-DIRECT S3-INDIRECT --All -o /DIRAC/Security/UseServerCertificate=True 
 
   #agents
   findAgents
@@ -418,20 +412,20 @@ fullInstallDIRAC() {
 
   if [[ "${TEST_HTTPS:-Yes}" = "No" ]]; then
     echo "==> Restarting WorkloadManagement JobManager"
-    dirac-restart-component WorkloadManagement JobManager ${DEBUG}
+    dirac-restart-component WorkloadManagement JobManager -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
   else
     echo "==> Restarting Tornado Tornado"
-    dirac-restart-component Tornado Tornado ${DEBUG}
+    dirac-restart-component Tornado Tornado -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
     fi
 
   echo 'Content of etc/Production.cfg:'
   cat "${SERVERINSTALLDIR}/etc/Production.cfg"
 
   echo "==> Restarting Configuration Server"
-  dirac-restart-component Configuration Server ${DEBUG}
+  dirac-restart-component Configuration Server -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
 
   echo "==> Restarting Tornado Tornado"
-  dirac-restart-component Tornado Tornado ${DEBUG}
+  # dirac-restart-component Tornado Tornado -o /DIRAC/Security/UseServerCertificate=True ${DEBUG}
 
 }
 

tests/Jenkins/install.cfg

@@ -44,9 +44,9 @@ LocalInstallation
   Databases += ResourceStatusDB
   # List of Services to be installed - minimal list for a running base server
   Services = Configuration/Server
-  Services += Framework/TornadoComponentMonitoring
+  Services += Framework/ComponentMonitoring
   Services += Framework/SystemAdministrator
-  Services += ResourceStatus/TornadoResourceStatus
+  Services += ResourceStatus/ResourceStatus
   Database
   {
     User = VAR_DB_User