1 // Copyright (C) The Arvados Authors. All rights reserved.
3 // SPDX-License-Identifier: AGPL-3.0
19 "git.curoverse.com/arvados.git/sdk/go/arvados"
22 // const remoteGroupParentName string = "Externally synchronized groups"
24 type resourceList interface {
26 GetItems() []interface{}
29 // GroupInfo tracks previous and current members of a particular Group
30 type GroupInfo struct {
32 PreviousMembers map[string]bool
33 CurrentMembers map[string]bool
36 // GetUserID returns the correct user id value depending on the selector
37 func GetUserID(u arvados.User, idSelector string) (string, error) {
42 return u.Username, nil
44 return "", fmt.Errorf("cannot identify user by %q selector", idSelector)
48 // UserList implements resourceList interface
49 type UserList struct {
53 // Len returns the amount of items this list holds
54 func (l UserList) Len() int {
58 // GetItems returns the list of items
59 func (l UserList) GetItems() (out []interface{}) {
60 for _, item := range l.Items {
61 out = append(out, item)
66 // GroupList implements resourceList interface
67 type GroupList struct {
71 // Len returns the amount of items this list holds
72 func (l GroupList) Len() int {
76 // GetItems returns the list of items
77 func (l GroupList) GetItems() (out []interface{}) {
78 for _, item := range l.Items {
79 out = append(out, item)
84 // Link is an arvados#link record
86 UUID string `json:"uuid,omiempty"`
87 OwnerUUID string `json:"owner_uuid,omitempty"`
88 Name string `json:"name,omitempty"`
89 LinkClass string `json:"link_class,omitempty"`
90 HeadUUID string `json:"head_uuid,omitempty"`
91 HeadKind string `json:"head_kind,omitempty"`
92 TailUUID string `json:"tail_uuid,omitempty"`
93 TailKind string `json:"tail_kind,omitempty"`
96 // LinkList implements resourceList interface
97 type LinkList struct {
98 Items []Link `json:"items"`
101 // Len returns the amount of items this list holds
102 func (l LinkList) Len() int {
106 // GetItems returns the list of items
107 func (l LinkList) GetItems() (out []interface{}) {
108 for _, item := range l.Items {
109 out = append(out, item)
115 if err := doMain(); err != nil {
116 log.Fatalf("%v", err)
120 // ConfigParams holds configuration data for this tool
121 type ConfigParams struct {
125 ParentGroupUUID string
126 ParentGroupName string
128 Client *arvados.Client
131 // ParseFlags parses and validates command line arguments
132 func ParseFlags(config *ConfigParams) error {
133 // Acceptable attributes to identify a user on the CSV file
134 userIDOpts := map[string]bool{
135 "email": true, // default
138 flags := flag.NewFlagSet("arv-sync-groups", flag.ExitOnError)
139 srcPath := flags.String(
142 "Local file path containing a CSV format: GroupName,UserID")
143 userID := flags.String(
146 "Attribute by which every user is identified. Valid values are: email and username.")
147 verbose := flags.Bool(
150 "Log informational messages. Off by default.")
151 parentGroupUUID := flags.String(
154 "Use given group UUID as a parent for the remote groups. Should be owned by the system user. If not specified, a group named '"+config.ParentGroupName+"' will be used (and created if nonexistant).")
156 // Parse args; omit the first arg which is the command name
157 flags.Parse(os.Args[1:])
161 return fmt.Errorf("please provide a path to an input file")
163 if !userIDOpts[*userID] {
165 for opt := range userIDOpts {
166 options = append(options, opt)
168 return fmt.Errorf("user ID must be one of: %s", strings.Join(options, ", "))
171 config.Path = *srcPath
172 config.ParentGroupUUID = *parentGroupUUID
173 config.UserID = *userID
174 config.Verbose = *verbose
179 // SetParentGroup finds/create parent group of all remote groups
180 func SetParentGroup(cfg *ConfigParams) error {
181 var parentGroup arvados.Group
182 if cfg.ParentGroupUUID == "" {
183 // UUID not provided, search for preexisting parent group
185 params := arvados.ResourceListParams{
186 Filters: []arvados.Filter{{
189 Operand: cfg.ParentGroupName,
193 Operand: cfg.SysUserUUID,
196 if err := cfg.Client.RequestAndDecode(&gl, "GET", "/arvados/v1/groups", nil, params); err != nil {
197 return fmt.Errorf("error searching for parent group: %s", err)
199 if len(gl.Items) == 0 {
200 // Default parent group not existant, create one.
202 log.Println("Default parent group not found, creating...")
204 groupData := map[string]string{
205 "name": cfg.ParentGroupName,
206 "owner_uuid": cfg.SysUserUUID,
208 if err := CreateGroup(cfg, &parentGroup, groupData); err != nil {
209 return fmt.Errorf("error creating system user owned group named %q: %s", groupData["name"], err)
211 } else if len(gl.Items) == 1 {
212 // Default parent group found.
213 parentGroup = gl.Items[0]
215 // This should never happen, as there's an unique index for
216 // (owner_uuid, name) on groups.
217 return fmt.Errorf("bug: found %d groups owned by system user and named %q", len(gl.Items), cfg.ParentGroupName)
219 cfg.ParentGroupUUID = parentGroup.UUID
221 // UUID provided. Check if exists and if it's owned by system user
222 if err := GetGroup(cfg, &parentGroup, cfg.ParentGroupUUID); err != nil {
223 return fmt.Errorf("error searching for parent group with UUID %q: %s", cfg.ParentGroupUUID, err)
225 if parentGroup.OwnerUUID != cfg.SysUserUUID {
226 return fmt.Errorf("parent group %q (%s) must be owned by system user", parentGroup.Name, cfg.ParentGroupUUID)
232 // GetConfig sets up a ConfigParams struct
233 func GetConfig() (config ConfigParams, err error) {
234 config.ParentGroupName = "Externally synchronized groups"
237 err = ParseFlags(&config)
242 // Arvados Client setup
243 config.Client = arvados.NewClientFromEnv()
245 // Check current user permissions & get System user's UUID
246 u, err := config.Client.CurrentUser()
248 return config, fmt.Errorf("error getting the current user: %s", err)
250 if !u.IsActive || !u.IsAdmin {
251 return config, fmt.Errorf("current user (%s) is not an active admin user", u.UUID)
253 config.SysUserUUID = u.UUID[:12] + "000000000000000"
255 // Set up remote groups' parent
256 if err = SetParentGroup(&config); err != nil {
263 func doMain() error {
264 // Parse & validate arguments, set up arvados client.
265 cfg, err := GetConfig()
270 // Try opening the input file early, just in case there's a problem.
271 f, err := os.Open(cfg.Path)
273 return fmt.Errorf("%s", err)
277 log.Printf("Group sync starting. Using %q as users id and parent group UUID %q", cfg.UserID, cfg.ParentGroupUUID)
279 // Get the complete user list to minimize API Server requests
280 allUsers := make(map[string]arvados.User)
281 userIDToUUID := make(map[string]string) // Index by email or username
282 results, err := GetAll(cfg.Client, "users", arvados.ResourceListParams{}, &UserList{})
284 return fmt.Errorf("error getting user list: %s", err)
286 log.Printf("Found %d users", len(results))
287 for _, item := range results {
288 u := item.(arvados.User)
290 uID, err := GetUserID(u, cfg.UserID)
294 userIDToUUID[uID] = u.UUID
296 log.Printf("Seen user %q (%s)", u.Username, u.Email)
300 // Get remote groups and their members
301 remoteGroups, groupNameToUUID, err := GetRemoteGroups(&cfg, allUsers)
305 log.Printf("Found %d remote groups", len(remoteGroups))
307 membershipsRemoved := 0
310 groupsCreated, membershipsAdded, membershipsSkipped, err := ProcessFile(&cfg, f, userIDToUUID, groupNameToUUID, remoteGroups, allUsers)
315 // Remove previous members not listed on this run
316 for groupUUID := range remoteGroups {
317 gi := remoteGroups[groupUUID]
318 evictedMembers := subtract(gi.PreviousMembers, gi.CurrentMembers)
319 groupName := gi.Group.Name
320 if len(evictedMembers) > 0 {
321 log.Printf("Removing %d users from group %q", len(evictedMembers), groupName)
323 for evictedUser := range evictedMembers {
324 if err := RemoveMemberFromGroup(&cfg, allUsers[userIDToUUID[evictedUser]], gi.Group); err != nil {
330 log.Printf("Groups created: %d. Memberships added: %d, removed: %d, skipped: %d", groupsCreated, membershipsAdded, membershipsRemoved, membershipsSkipped)
335 // ProcessFile reads the CSV file and process every record
336 func ProcessFile(cfg *ConfigParams, f *os.File, userIDToUUID map[string]string, groupNameToUUID map[string]string, remoteGroups map[string]*GroupInfo, allUsers map[string]arvados.User) (groupsCreated, membersAdded, membersSkipped int, err error) {
337 csvReader := csv.NewReader(f)
339 record, e := csvReader.Read()
344 err = fmt.Errorf("error reading %q: %s", cfg.Path, err)
347 groupName := strings.TrimSpace(record[0])
348 groupMember := strings.TrimSpace(record[1]) // User ID (username or email)
349 if groupName == "" || groupMember == "" {
350 log.Printf("Warning: CSV record has at least one empty field (%s, %s). Skipping", groupName, groupMember)
354 if _, found := userIDToUUID[groupMember]; !found {
355 // User not present on the system, skip.
356 log.Printf("Warning: there's no user with %s %q on the system, skipping.", cfg.UserID, groupMember)
360 if _, found := groupNameToUUID[groupName]; !found {
361 // Group doesn't exist, create it before continuing
363 log.Printf("Remote group %q not found, creating...", groupName)
365 var newGroup arvados.Group
366 groupData := map[string]string{
368 "owner_uuid": cfg.ParentGroupUUID,
369 "group_class": "role",
371 if e := CreateGroup(cfg, &newGroup, groupData); e != nil {
372 err = fmt.Errorf("error creating group named %q: %s", groupName, err)
375 // Update cached group data
376 groupNameToUUID[groupName] = newGroup.UUID
377 remoteGroups[newGroup.UUID] = &GroupInfo{
379 PreviousMembers: make(map[string]bool), // Empty set
380 CurrentMembers: make(map[string]bool), // Empty set
384 // Both group & user exist, check if user is a member
385 groupUUID := groupNameToUUID[groupName]
386 gi := remoteGroups[groupUUID]
387 if !gi.PreviousMembers[groupMember] && !gi.CurrentMembers[groupMember] {
389 log.Printf("Adding %q to group %q", groupMember, groupName)
391 // User wasn't a member, but should be.
392 if e := AddMemberToGroup(cfg, allUsers[userIDToUUID[groupMember]], gi.Group); e != nil {
398 gi.CurrentMembers[groupMember] = true
403 // GetAll : Adds all objects of type 'resource' to the 'allItems' list
404 func GetAll(c *arvados.Client, res string, params arvados.ResourceListParams, page resourceList) (allItems []interface{}, err error) {
405 // Use the maximum page size the server allows
407 params.Limit = &limit
409 params.Order = "uuid"
411 if err = GetResourceList(c, &page, res, params); err != nil {
414 // Have we finished paging?
418 for _, i := range page.GetItems() {
419 allItems = append(allItems, i)
421 params.Offset += page.Len()
426 func subtract(setA map[string]bool, setB map[string]bool) map[string]bool {
427 result := make(map[string]bool)
428 for element := range setA {
430 result[element] = true
436 func jsonReader(rscName string, ob interface{}) io.Reader {
437 j, err := json.Marshal(ob)
442 v[rscName] = []string{string(j)}
443 return bytes.NewBufferString(v.Encode())
446 // GetRemoteGroups fetches all remote groups with their members
447 func GetRemoteGroups(cfg *ConfigParams, allUsers map[string]arvados.User) (remoteGroups map[string]*GroupInfo, groupNameToUUID map[string]string, err error) {
448 remoteGroups = make(map[string]*GroupInfo)
449 groupNameToUUID = make(map[string]string) // Index by group name
451 params := arvados.ResourceListParams{
452 Filters: []arvados.Filter{{
455 Operand: cfg.ParentGroupUUID,
458 results, err := GetAll(cfg.Client, "groups", params, &GroupList{})
460 return remoteGroups, groupNameToUUID, fmt.Errorf("error getting remote groups: %s", err)
462 for _, item := range results {
463 group := item.(arvados.Group)
464 // Group -> User filter
465 g2uFilter := arvados.ResourceListParams{
466 Filters: []arvados.Filter{{
469 Operand: cfg.SysUserUUID,
473 Operand: "permission",
485 Operand: "arvados#user",
488 // User -> Group filter
489 u2gFilter := arvados.ResourceListParams{
490 Filters: []arvados.Filter{{
493 Operand: cfg.SysUserUUID,
497 Operand: "permission",
501 Operand: "can_write",
509 Operand: "arvados#user",
512 g2uLinks, err := GetAll(cfg.Client, "links", g2uFilter, &LinkList{})
514 return remoteGroups, groupNameToUUID, fmt.Errorf("error getting member (can_read) links for group %q: %s", group.Name, err)
516 u2gLinks, err := GetAll(cfg.Client, "links", u2gFilter, &LinkList{})
518 return remoteGroups, groupNameToUUID, fmt.Errorf("error getting member (can_write) links for group %q: %s", group.Name, err)
520 // Build a list of user ids (email or username) belonging to this group
521 membersSet := make(map[string]bool)
522 u2gLinkSet := make(map[string]bool)
523 for _, l := range u2gLinks {
524 linkedMemberUUID := l.(Link).TailUUID
525 u2gLinkSet[linkedMemberUUID] = true
527 for _, item := range g2uLinks {
529 // We may have received an old link pointing to a removed account.
530 if _, found := allUsers[link.HeadUUID]; !found {
533 // The matching User -> Group link may not exist if the link
534 // creation failed on a previous run. If that's the case, don't
535 // include this account on the "previous members" list.
536 if _, found := u2gLinkSet[link.HeadUUID]; !found {
539 memberID, err := GetUserID(allUsers[link.HeadUUID], cfg.UserID)
541 return remoteGroups, groupNameToUUID, err
543 membersSet[memberID] = true
545 remoteGroups[group.UUID] = &GroupInfo{
547 PreviousMembers: membersSet,
548 CurrentMembers: make(map[string]bool), // Empty set
550 groupNameToUUID[group.Name] = group.UUID
552 return remoteGroups, groupNameToUUID, nil
555 // RemoveMemberFromGroup remove all links related to the membership
556 func RemoveMemberFromGroup(cfg *ConfigParams, user arvados.User, group arvados.Group) error {
558 log.Printf("Getting group membership links for user %q (%s) on group %q (%s)", user.Email, user.UUID, group.Name, group.UUID)
560 var links []interface{}
561 // Search for all group<->user links (both ways)
562 for _, filterset := range [][]arvados.Filter{
567 Operand: "permission",
581 Operand: "permission",
592 l, err := GetAll(cfg.Client, "links", arvados.ResourceListParams{Filters: filterset}, &LinkList{})
594 userID, _ := GetUserID(user, cfg.UserID)
595 return fmt.Errorf("error getting links needed to remove user %q from group %q: %s", userID, group.Name, err)
597 for _, link := range l {
598 links = append(links, link)
601 for _, item := range links {
604 log.Printf("Removing %q permission link for %q on group %q", link.Name, user.Email, group.Name)
606 if err := DeleteLink(cfg, link.UUID); err != nil {
607 userID, _ := GetUserID(user, cfg.UserID)
608 return fmt.Errorf("error removing user %q from group %q: %s", userID, group.Name, err)
614 // AddMemberToGroup create membership links
615 func AddMemberToGroup(cfg *ConfigParams, user arvados.User, group arvados.Group) error {
617 linkData := map[string]string{
618 "owner_uuid": cfg.SysUserUUID,
619 "link_class": "permission",
621 "tail_uuid": group.UUID,
622 "head_uuid": user.UUID,
624 if err := CreateLink(cfg, &newLink, linkData); err != nil {
625 userID, _ := GetUserID(user, cfg.UserID)
626 return fmt.Errorf("error adding group %q -> user %q read permission: %s", userID, user.Email, err)
628 linkData = map[string]string{
629 "owner_uuid": cfg.SysUserUUID,
630 "link_class": "permission",
632 "tail_uuid": user.UUID,
633 "head_uuid": group.UUID,
635 if err := CreateLink(cfg, &newLink, linkData); err != nil {
636 userID, _ := GetUserID(user, cfg.UserID)
637 return fmt.Errorf("error adding user %q -> group %q write permission: %s", userID, group.Name, err)
642 // CreateGroup creates a group with groupData parameters, assigns it to dst
643 func CreateGroup(cfg *ConfigParams, dst *arvados.Group, groupData map[string]string) error {
644 return cfg.Client.RequestAndDecode(dst, "POST", "/arvados/v1/groups", jsonReader("group", groupData), nil)
647 // GetGroup fetches a group by its UUID
648 func GetGroup(cfg *ConfigParams, dst *arvados.Group, groupUUID string) error {
649 return cfg.Client.RequestAndDecode(&dst, "GET", "/arvados/v1/groups/"+groupUUID, nil, nil)
652 // CreateLink creates a link with linkData parameters, assigns it to dst
653 func CreateLink(cfg *ConfigParams, dst *Link, linkData map[string]string) error {
654 return cfg.Client.RequestAndDecode(dst, "POST", "/arvados/v1/links", jsonReader("link", linkData), nil)
657 // DeleteLink deletes a link by its UUID
658 func DeleteLink(cfg *ConfigParams, linkUUID string) error {
660 return fmt.Errorf("cannot delete link with invalid UUID: %q", linkUUID)
662 return cfg.Client.RequestAndDecode(&Link{}, "DELETE", "/arvados/v1/links/"+linkUUID, nil, nil)
665 // GetResourceList fetches res list using params
666 func GetResourceList(c *arvados.Client, dst *resourceList, res string, params interface{}) error {
667 return c.RequestAndDecode(dst, "GET", "/arvados/v1/"+res, nil, params)