Update Admin role on Drupal

In order to apply propagate this change to existing websites (https://gitlab.cern.ch/paas-tools/okd4-install/-/merge_requests/1550) we need to run an operation over all websites.

Note: We can't just delete and recreate since users have already added their own e-groups to the current Administrator role

Procedure for changing 1 site:

• 1. first add drupal-supporters using https://gitlab.cern.ch/drupal/paas/drupal-operations/-/blob/master/scripts/removeGroupFromDrupalAdmins.sh?ref_type=heads
• 2. after remove drupal-admins, web-team-developers using https://gitlab.cern.ch/drupal/paas/drupal-operations/-/blob/master/scripts/addGroupToDrupalAdmins.sh?ref_type=heads

Steps:

• Validate scripts work for 1 website in staging
• Adapt scripts as needed to apply in batch to all websites (1 line oc command seems to suffice to run scripts for all projects)
• Run in all staging cluster and validate everything works as expected
• Document procedure so we can run in production

assigned to @cpetala

changed title from Recreate Admin role on Drupal to Fix Admin role on Drupal

changed title from Fix Admin role on Drupal to Update Admin role on Drupal

added To do label

removed To do label

added In progress label

1rst Step:

The scripts provided in the description of this issue were executed in drupal-stg cluster against my project 'test-cp' as follows:

[cpetala@lxplus809 scripts]$ ./removeGroupFromDrupalAdmins.sh -g drupal-admins -p test-cp
Successfully removed drupal-admins to applicationID 08dc74ec-0794-4ab4-80f4-8b00b7e3defd

[cpetala@lxplus809 scripts]$ ./removeGroupFromDrupalAdmins.sh -g web-team-developers -p test-cp
Successfully removed web-team-developers to applicationID 08dc74ec-0794-4ab4-80f4-8b00b7e3defd

[cpetala@lxplus809 scripts]$ ./addGroupToDrupalAdmins.sh -g drupal-supporters -p test-cp
Error binding group to admin role, error code: 400

~~~~Retry for add scrip~~~~
[cpetala@lxplus809 scripts]$ ./removeGroupFromDrupalAdmins.sh -g drupal-supporters -p test-cp
Successfully removed drupal-supporters to applicationID 08dc74ec-0794-4ab4-80f4-8b00b7e3defd
[cpetala@lxplus809 scripts]$ ./addGroupToDrupalAdmins.sh -g drupal-supporters -p test-cp
Successfully binded drupal-supporters to applicationID 08dc74ec-0794-4ab4-80f4-8b00b7e3defd

Observations:

1. The following line had to be added in the script for the succesfull execution:

KUBECONFIG=~/.kube/config

2. When the script 'addGroupToDrupalAdmins.sh' was executed for the group ' drupal-supporters' (that was already binded in my project), the error was "Error binding group to admin role, error code: 400". After removing and re-adding the group 'drupal-supporters' to my test project test-cp, the output was as expected.

2nd step

Modification of the scripts in order to be executed for all projects of a cluster that return a value .items[0].status.id when executing the following:

[cpetala@lxplus809 scripts]$ oc get applicationregistration -n test-cp -o json | jq -r '.items[0].status.id'
08dc74ec-0794-4ab4-80f4-8b00b7e3defd

removeGroupFromDrupalAdmins_cluster

addGroupToDrupalAdmins_cluster

Would it be possible for someone to evaluate my approach so far on this issue, as well as the updated scrips provided here as attachments before the execution of Step2 in drupal-stg?

Thank you!

@crdeoliv @fborgesa @vasvi

Hi Christina, good to have validated the scripts work. No need to remove before due to already existing. Just ignore the error, check if it's code 400 and message starts with Duplicate entry

https://authorization-service-api.web.cern.ch/swagger/index.html allows you validate API calls as well.

Regarding step 2, what I would propose instead is you fetch all projects and pipe that to xargs

oc get projects -l okd.cern.ch/user-project="true" -A -o json --no-headers | jq -r '.items[] | .metadata.name' | xargs -I{} sh my-wrapper-script.sh {}

And the wrapper-script should just receive project name and call the commands you've prepared above.

./addGroupToDrupalAdmins.sh -g drupal-supporters -p ${PROJECT}
./removeGroupFromDrupalAdmins.sh -g web-team-developers -p ${PROJECT}
./removeGroupFromDrupalAdmins.sh -g drupal-admins -p ${PROJECT}

Thanks @crdeoliv ! So my-wrapper-script.sh will be the following:

[cpetala@lxplus808 scripts]$ cat my-wrapper-script.sh

#!/bin/bash

# Check if project name argument is provided
if [ -z "$1" ]; then
    echo "Usage: $0 <project_name>"
    exit 1
fi

PROJECT="$1"

# Call the necessary commands with the project name
./addGroupToDrupalAdmins.sh -g drupal-supporters -p "$PROJECT"
./removeGroupFromDrupalAdmins.sh -g web-team-developers -p "$PROJECT"
./removeGroupFromDrupalAdmins.sh -g drupal-admins -p "$PROJECT"

The combined command you provided and the script, iterate over each project and executes the specified actions as we can see from a dry run execution I performed in staging-cluster (_to perform the dry-run I have commented out the actual sections of the scripts that perform the addition/deletion and I am just printing the message " About to.....":

$ oc get projects -l okd.cern.ch/user-project="true" -A -o json --no-headers | jq -r '.items[] | .metadata.name' | xargs -I{} sh my-wrapper-script.sh {}

I have also verified that the error that occurs when adding an already existing group to a project is the one you said:

[cpetala@lxplus808 scripts]$ ./addGroupToDrupalAdmins.sh -g drupal-supporters -p test-cp

About to Add group drupal-supporters to 08dc74ec-5758-4678-825b-3a989a91b077 (administrator) in 08dc74ec-0794-4ab4-80f4-8b00b7e3defd
 {"message":"Duplicate entry '08dc74ec-5758-4678-825b-3a989a91b077-08d99561-5de2-427d-873b-59e' for key 'assignments.PRIMARY'","stackTrace":null,"innerExceptions":[]}400
Error binding group to admin role, error code: HTTP/1.1 400 Bad Request
content-type: application/json
date: Wed, 05 Jun 2024 09:43:00 GMT
server: Kestrel
access-control-allow-headers: *
access-control-allow-methods: *
access-control-allow-origin: *
transfer-encoding: chunked
api-supported-versions: 1.0, 2.0
set-cookie: 33902edb208b3a1412807cddc9ed314f=da855852a08c691cf36bf13a5bafa8bb; path=/; HttpOnly; Secure; SameSite=None

Looks good! So it's just missing ignoring the error if its a duplicate entry (and perhaps when removing as well if either group is not there)

@fborgesa @vasvi what do you think if from this we create a cron that runs everyday to re-add the drupal-supporters group?

We still need this op to cleanup first.

as a way to enforce it?

Honestly I agree, would be a simple way to keep us being able to have the necessary access for support.

Hi @crdeoliv,

I have modified the addGroupToDrupalAdmins.sh script as follows:

1. CURL Request:

• We make a POST request to the specified URL to add the group to the role in the application. The -i option includes the HTTP response headers in the output, which is redirected to /tmp/report.txt. The -w "%{http_code}" option captures the HTTP status code of the response and stores it in the SUCCESS variable.

2. Check for "Duplicate" in Response: We search for the word "Duplicate" in the /tmp/report.txt file. If "Duplicate" is found, the specific part of the line containing it is extracted and stored in the DUPLICATE variable.
3. Conditional Check: if [[ $SUCCESS != 200 ]]

• If the SUCCESS code is not 200, a nested conditional checks if the DUPLICATE variable is empty ( the word "Duplicate" was not found in the response). If DUPLICATE is empty, it prints a success message and exits with a status of 1. If it is a duplicate value (already existing group) it prints nothing and finally if we get another error code it prints a message to check the error code in /tmp/report.txt file.

You can find the final scripts attached here:

removeGroupFromDrupalAdmins

addGroupToDrupalAdmins

my-wrapper-script

@vasvi @fborgesa

Could you open a MR? It's easier to review the changes. Merci!

created branch 15-update-admin-role-on-drupal to address this issue

mentioned in merge request !26 (merged)

mentioned in commit 4cbbd065

mentioned in commit d3df509a

Merge request !26 (merged) has been approved and the scripts have been executed in both staging and prod clusters succesfully. In short, a wrapper script modifyGroups-wrapper.sh was created that calls and executes the addGroupToDrupalAdmins.sh and removeGroupFromDrupalAdmins.shscripts. Example usage of the wrapper script:

oc get projects -l okd.cern.ch/user-project="true" -A -o json --no-headers | jq -r '.items[] | .metadata.name' | xargs -I{} sh modifyGroups-wrapper.sh {}

Note: Failed projects in prod had deleted administrator role and are the following:

• https://application-portal.web.cern.ch/manage/08dc0231-9275-49df-82be-2271ad4cb3bf/roles
• https://application-portal.web.cern.ch/manage/08dc0233-647d-4445-8c7a-bc74fc9071ba/roles

@crdeoliv should we mark this issue as completed and close it out, or are there still pending tasks (eg cron that runs everyday to re-add the drupal-supporters group)?

mentioned in issue #16

closed