Merge pull request #32732 from ggovi/condcore-conddb-tag-authorizatio…

…n-0-113X Added support of Authorization for Tag access
cms-sw · Jan 28, 2021 · 020447a · 020447a
2 parents fb36cb5 + ce9f9a9
commit 020447a
Show file tree

Hide file tree

Showing 25 changed files with 650 additions and 201 deletions.
diff --git a/CondCore/CondDB/interface/Auth.h b/CondCore/CondDB/interface/Auth.h
@@ -30,6 +30,16 @@ namespace cond {
     static constexpr unsigned int COND_AUTHENTICATION_KEY_SIZE = 30;
     static constexpr unsigned int COND_DB_KEY_SIZE = 30;
 
+    static constexpr size_t COND_SESSION_HASH_SIZE = 16;
+
+    static constexpr int COND_SESSION_HASH_CODE = 4;
+    static constexpr int COND_DBKEY_CREDENTIAL_CODE = 1;
+
+    static constexpr int COND_DBTAG_LOCK_ACCESS_CODE = 8;
+    static constexpr int COND_DBTAG_WRITE_ACCESS_CODE = 2;
+    static constexpr int COND_DBTAG_READ_ACCESS_CODE = 1;
+    static constexpr int COND_DBTAG_NO_PROTECTION_CODE = 0;
+
     static constexpr const char* const COND_AUTH_PATH_PROPERTY = "AuthenticationFile";
   }  // namespace auth
 

diff --git a/CondCore/CondDB/interface/ConnectionPool.h b/CondCore/CondDB/interface/ConnectionPool.h
@@ -63,6 +63,7 @@ namespace cond {
     private:
       std::string m_authPath = std::string("");
       int m_authSys = 0;
+      std::string m_authenticationService = std::string("");
       coral::MsgLevel m_messageLevel = coral::Error;
       CoralMsgReporter* m_msgReporter = nullptr;
       bool m_loggingEnabled = false;

diff --git a/CondCore/CondDB/interface/DecodingKey.h b/CondCore/CondDB/interface/DecodingKey.h
@@ -30,6 +30,7 @@ namespace cond {
 
     class DecodingKey {
     public:
+      static constexpr const char* const KEY_FMT_VERSION = "2.0";
       static constexpr const char* const FILE_NAME = "db.key";
       static constexpr const char* const FILE_PATH = ".cms_cond/db.key";
       static constexpr size_t DEFAULT_KEY_SIZE = 100;
@@ -49,6 +50,8 @@ namespace cond {
 
       void flush();
 
+      const std::string& version() const;
+
       const std::string& principalName() const;
 
       const std::string& principalKey() const;
@@ -69,6 +72,8 @@ namespace cond {
     private:
       std::string m_fileName;
 
+      std::string m_version;
+
       bool m_mode;
 
       std::string m_pwd;
@@ -89,7 +94,16 @@ inline cond::auth::KeyGenerator::KeyGenerator() : m_iteration(0) {}
 inline cond::auth::ServiceCredentials::ServiceCredentials() : connectionString(""), userName(""), password("") {}
 
 inline cond::auth::DecodingKey::DecodingKey()
-    : m_fileName(""), m_mode(true), m_pwd(""), m_principalName(""), m_principalKey(""), m_owner(""), m_services() {}
+    : m_fileName(""),
+      m_version(""),
+      m_mode(true),
+      m_pwd(""),
+      m_principalName(""),
+      m_principalKey(""),
+      m_owner(""),
+      m_services() {}
+
+inline const std::string& cond::auth::DecodingKey::version() const { return m_version; }
 
 inline const std::string& cond::auth::DecodingKey::principalName() const { return m_principalName; }
 

diff --git a/CondCore/CondDB/interface/IOVEditor.h b/CondCore/CondDB/interface/IOVEditor.h
@@ -45,6 +45,9 @@ namespace cond {
       //
       IOVEditor& operator=(const IOVEditor& rhs);
 
+      //
+      ~IOVEditor();
+
       // loads to tag to edit
       void load(const std::string& tag);
 
@@ -66,9 +69,6 @@ namespace cond {
       cond::Time_t lastValidatedTime() const;
       void setLastValidatedTime(cond::Time_t time);
 
-      // flag (hack) for the validation
-      void setValidationMode();
-
       // register a new insertion.
       // if checkType==true, the payload corresponding to the specified id is verified to be the same type as the iov payloadObjectType
       void insert(cond::Time_t since, const cond::Hash& payloadHash, bool checkType = false);
@@ -86,6 +86,10 @@ namespace cond {
       bool flush(const std::string& logText);
       bool flush(const std::string& logText, bool forceInsertion);
 
+      bool isLocked() const;
+      void lock();
+      void unlock();
+
     private:
       bool flush(const std::string& logText, const boost::posix_time::ptime& operationTime, bool forceInsertion);
       void checkTransaction(const std::string& ctx);

diff --git a/CondCore/CondDB/plugins/RelationalAuthenticationService.cc b/CondCore/CondDB/plugins/RelationalAuthenticationService.cc
@@ -86,5 +86,9 @@ cond::RelationalAuthenticationService::RelationalAuthenticationService::credenti
   return *creds;
 }
 
+std::string cond::RelationalAuthenticationService::RelationalAuthenticationService::principalName() {
+  return m_db.keyPrincipalName();
+}
+
 DEFINE_CORALSERVICE(cond::RelationalAuthenticationService::RelationalAuthenticationService,
                     "COND/Services/RelationalAuthenticationService");
diff --git a/CondCore/CondDB/plugins/RelationalAuthenticationService.h b/CondCore/CondDB/plugins/RelationalAuthenticationService.h
@@ -2,6 +2,7 @@
 #define COND_XMLAUTHENTITACTIONSERVICE_H
 
 #include "CondCore/CondDB/interface/CredentialStore.h"
+#include "CondCore/CondDB/src/IDbAuthentication.h"
 //
 #include "RelationalAccess/IAuthenticationService.h"
 #include "CoralKernel/Service.h"
@@ -23,7 +24,9 @@ namespace cond {
 
     /**
      */
-    class RelationalAuthenticationService : public coral::Service, virtual public coral::IAuthenticationService {
+    class RelationalAuthenticationService : public coral::Service,
+                                            virtual public coral::IAuthenticationService,
+                                            virtual public persistency::IDbAuthentication {
     public:
       /// Standard Constructor
       explicit RelationalAuthenticationService(const std::string& name);
@@ -49,6 +52,8 @@ namespace cond {
       const coral::IAuthenticationCredentials& credentials(const std::string& connectionString,
                                                            const std::string& role) const override;
 
+      std::string principalName() override;
+
     private:
       /// The input file with the data
       std::string m_authenticationPath;

diff --git a/CondCore/CondDB/src/ConnectionPool.cc b/CondCore/CondDB/src/ConnectionPool.cc
@@ -1,5 +1,6 @@
 #include "CondCore/CondDB/interface/ConnectionPool.h"
 #include "DbConnectionString.h"
+#include "IDbAuthentication.h"
 #include "SessionImpl.h"
 #include "IOVSchema.h"
 #include "CoralMsgReporter.h"
@@ -10,6 +11,7 @@
 #include "FWCore/ParameterSet/interface/ParameterSet.h"
 // coral includes
 #include "RelationalAccess/ConnectionService.h"
+#include "RelationalAccess/IAuthenticationService.h"
 #include "RelationalAccess/IWebCacheControl.h"
 #include "RelationalAccess/ISessionProxy.h"
 #include "RelationalAccess/IConnectionServiceConfiguration.h"
@@ -78,7 +80,7 @@ namespace cond {
       m_msgReporter->setOutputLevel(m_messageLevel);
 
       // authentication
-      std::string authServiceName("CORAL/Services/EnvironmentAuthenticationService");
+      m_authenticationService = std::string("CORAL/Services/EnvironmentAuthenticationService");
       std::string authPath = m_authPath;
       // authentication
       if (authPath.empty()) {
@@ -114,12 +116,12 @@ namespace cond {
         servName = "COND/Services/XMLAuthenticationService";
       }
       if (!authPath.empty()) {
-        authServiceName = servName;
+        m_authenticationService = servName;
         coral::Context::instance().PropertyManager().property(cond::auth::COND_AUTH_PATH_PROPERTY)->set(authPath);
-        coral::Context::instance().loadComponent(authServiceName, m_pluginManager);
+        coral::Context::instance().loadComponent(m_authenticationService, m_pluginManager);
       }
 
-      coralConfig.setAuthenticationService(authServiceName);
+      coralConfig.setAuthenticationService(m_authenticationService);
     }
 
     void ConnectionPool::configure() {
@@ -152,7 +154,19 @@ namespace cond {
                                           bool writeCapable) {
       std::shared_ptr<coral::ISessionProxy> coralSession =
           createCoralSession(connectionString, transactionId, writeCapable);
-      return Session(std::make_shared<SessionImpl>(coralSession, connectionString));
+
+      std::string principalName("");
+      if (!m_authenticationService.empty()) {
+        // need to hard-code somewhere the target name...
+        if (m_authenticationService == "COND/Services/RelationalAuthenticationService") {
+          coral::IHandle<coral::IAuthenticationService> authSvc =
+              coral::Context::instance().query<coral::IAuthenticationService>(m_authenticationService);
+          IDbAuthentication* dbAuth = dynamic_cast<IDbAuthentication*>(authSvc.get());
+          principalName = dbAuth->principalName();
+        }
+      }
+
+      return Session(std::make_shared<SessionImpl>(coralSession, connectionString, principalName));
     }
 
     Session ConnectionPool::createSession(const std::string& connectionString, bool writeCapable) {