sweep: #8256 feat: multiVO by IAM group

Author: marianne013

src/DIRAC/ConfigurationSystem/Client/VOMS2CSSynchronizer.py

@@ -594,7 +594,7 @@ def syncCSWithVOMS(self):
 
         # Try to fill in the DiracX section
         if self.useIAM:
-            iam_subs = self.iamSrv.getUsersSub()
+            iam_subs = self.iamSrv.getUsersSub(self.vo)
             diracx_vo_config = {"DiracX": {"CsSync": {"VOs": {self.vo: {"UserSubjects": iam_subs}}}}}
             iam_sub_cfg = CFG()
             iam_sub_cfg.loadFromDict(diracx_vo_config)

src/DIRAC/Core/Security/IAMService.py

@@ -144,14 +144,15 @@ def getUsers(self):
         result = S_OK({"Users": users, "Errors": errors})
         return result
 
-    def getUsersSub(self) -> dict[str, str]:
+    def getUsersSub(self, vo=None) -> dict[str, str]:
         """
         Return the mapping based on IAM sub:
         {nickname : sub}
         """
         iam_users_raw = self._getIamUserDump()
         diracx_user_section = {}
         for user_info in iam_users_raw:
+            userGroups = [grp["display"] for grp in user_info.get("groups", [])]
             # The nickname is available in the list of attributes
             # (if configured so)
             # in the form {'name': 'nickname', 'value': 'chaen'}
@@ -165,8 +166,8 @@ def getUsersSub(self) -> dict[str, str]:
             except (KeyError, IndexError):
                 nickname = user_info["userName"]
             sub = user_info["id"]
-
-            diracx_user_section[nickname] = sub
+            if not vo or vo in userGroups:
+                diracx_user_section[nickname] = sub
         # reorder it
         diracx_user_section = dict(sorted(diracx_user_section.items()))