feat: add PilotScopes

Author: aldbr

src/DIRAC/WorkloadManagementSystem/Agent/SiteDirector.py

@@ -32,6 +32,8 @@
 from DIRAC.ResourceStatusSystem.Client.ResourceStatus import ResourceStatus
 from DIRAC.ResourceStatusSystem.Client.SiteStatus import SiteStatus
 from DIRAC.WorkloadManagementSystem.Client import PilotStatus
+from DIRAC.WorkloadManagementSystem.Client.PilotScopes import PILOT_SCOPES
+
 from DIRAC.WorkloadManagementSystem.Client.MatcherClient import MatcherClient
 from DIRAC.WorkloadManagementSystem.Client.ServerUtils import getPilotAgentsDB
 from DIRAC.WorkloadManagementSystem.private.ConfigHelper import findGenericPilotCredentials
@@ -476,7 +478,7 @@ def __getPilotToken(self, audience: str, scope: list[str] = None):
             return S_ERROR("Audience is not defined")
 
         if not scope:
-            scope = ["compute.cancel", "compute.create", "compute.read", "compute.cancel"]
+            scope = PILOT_SCOPES
 
         return gTokenManager.getToken(userGroup=self.pilotGroup, requiredTimeLeft=600, scope=scope, audience=audience)
 

src/DIRAC/WorkloadManagementSystem/Client/PilotScopes.py

@@ -0,0 +1,17 @@
+"""
+This module contains constants and lists for the possible scopes to interact with pilots on CEs.
+"""
+
+# Based on: https://github.com/WLCG-AuthZ-WG/common-jwt-profile/blob/master/profile.md#capability-based-authorization-scope
+
+#: To submit pilots:
+CREATE = "compute.create"
+#: To cancel pilots:
+CANCEL = "compute.cancel"
+#: To modify attributes of submitted pilots:
+MODIFY = "compute.modify"
+#: To read information about submitted pilots:
+READ = "compute.read"
+
+#: Possible pilot scopes:
+PILOT_SCOPES = [CANCEL, CREATE, MODIFY, READ]

src/DIRAC/WorkloadManagementSystem/Service/WMSUtilities.py

@@ -10,6 +10,7 @@
 from DIRAC.FrameworkSystem.Client.ProxyManagerClient import gProxyManager
 from DIRAC.FrameworkSystem.Client.TokenManagerClient import gTokenManager
 from DIRAC.Resources.Computing.ComputingElementFactory import ComputingElementFactory
+from DIRAC.WorkloadManagementSystem.Client.PilotScopes import PILOT_SCOPES
 
 
 # List of files to be inserted/retrieved into/from pilot Output Sandbox
@@ -77,7 +78,7 @@ def setPilotCredentials(ce, pilotDict):
     if "Token" in ce.ceParameters.get("Tag", []):
         result = gTokenManager.getToken(
             userGroup=pilotDict["OwnerGroup"],
-            scope=["compute.cancel", "compute.create", "compute.modify", "compute.read"],
+            scope=PILOT_SCOPES,
             audience=ce.audienceName,
             requiredTimeLeft=150,
         )