EH: CS-2059: Add role user_list check to verify_userset_deletion()

EH: CS-2060: Post-startup integrity scan: log warnings for dangling role references

Author: ernst-bablick

source/common/msg_common.h

@@ -1142,4 +1142,7 @@
 #define MSG_GDI_USAGE_srolel_OPT          "[-srolel]"
 #define MSG_GDI_UTEXT_srolel_OPT          _MESSAGE(60757, _("show all role names"))
 
+#define MSG_ROLE_INTEGRITY_USERSET_SS  _MESSAGE(60758, _("startup integrity: role " SFQ " references userset " SFQ " which does not exist"))
+#define MSG_ROLE_INTEGRITY_PARENT_SS   _MESSAGE(60759, _("startup integrity: role " SFQ " references parent role " SFQ " which does not exist"))
+
 // clang-format on

source/daemons/qmaster/setup_qmaster.cc

@@ -59,6 +59,8 @@
 
 #include "sgeobj/parse.h"
 #include "sgeobj/cull/sge_all_listsL.h"
+#include "sgeobj/ocs_DataStore.h"
+#include "sgeobj/ocs_Role.h"
 #include "sgeobj/ocs_Session.h"
 #include "sgeobj/sge_host.h"
 #include "sgeobj/sge_utility.h"
@@ -72,7 +74,6 @@
 #include "sgeobj/sge_manop.h"
 #include "sgeobj/sge_centry.h"
 #include "sgeobj/sge_conf.h"
-#include "sgeobj/ocs_DataStore.h"
 
 #include "gdi/ocs_gdi_ClientBase.h"
 
@@ -1203,6 +1204,16 @@ setup_qmaster() {
                                                                    master_project_list, master_userset_list, master_rqs_list,
                                                                    master_cqueue_list, master_pe_list, master_host_list);
 
+   // post-load integrity scan: warn about dangling role references (does not abort startup)
+   {
+      lList *integrity_answers = nullptr;
+      ocs::Role::check_integrity(*ocs::DataStore::get_master_list(SGE_TYPE_RL),
+                                 *ocs::DataStore::get_master_list(SGE_TYPE_USERSET),
+                                 &integrity_answers);
+      answer_list_output(&integrity_answers);
+      lFreeList(&integrity_answers);
+   }
+
    DRETURN(0);
 }
 

source/daemons/qmaster/sge_userset_qmaster.cc

@@ -37,6 +37,7 @@
 #include "uti/sge_rmon_macros.h"
 
 #include "sgeobj/sge_userset.h"
+#include "sgeobj/ocs_Role.h"
 #include "sgeobj/sge_conf.h"
 #include "sgeobj/sge_answer.h"
 #include "sgeobj/sge_qinstance.h"
@@ -364,6 +365,7 @@ verify_userset_deletion(lList **alpp, const char *userset_name) {
    const lList *master_pe_list = *ocs::DataStore::get_master_list(SGE_TYPE_PE);
    const lList *master_project_list = *ocs::DataStore::get_master_list(SGE_TYPE_PROJECT);
    const lList *master_ehost_list = *ocs::DataStore::get_master_list(SGE_TYPE_EXECHOST);
+   const lList *master_role_list = *ocs::DataStore::get_master_list(SGE_TYPE_RL);
 
 
    /*
@@ -427,6 +429,15 @@ verify_userset_deletion(lList **alpp, const char *userset_name) {
       }
    }
 
+   // refuse deletion if any role still references this userset in its user_list
+   for_each_ep_lv(role_ep, master_role_list) {
+      if (lGetElemStr(lGetList(role_ep, RL_user_list), US_name, userset_name)) {
+         ERROR(MSG_SGETEXT_USERSETSTILLREFERENCED_SSSS, userset_name, MSG_OBJ_USERLIST, MSG_OBJ_ROLE, lGetString(role_ep, RL_name));
+         answer_list_add(alpp, SGE_EVENT, STATUS_EUNKNOWN, ANSWER_QUALITY_ERROR);
+         ret = STATUS_EUNKNOWN;
+      }
+   }
+
    /* global configuration */
    user_lists = mconf_get_user_lists();
    if (lGetElemStr(user_lists, US_name, userset_name)) {

source/libs/sgeobj/ocs_Role.cc

@@ -24,7 +24,9 @@
 #include "cull/cull_list.h"
 
 #include "sgeobj/sge_answer.h"
+#include "sgeobj/sge_userset.h"
 #include "sgeobj/sge_utility.h"
+#include "sgeobj/cull/sge_str_ST_L.h"
 #include "sgeobj/ocs_Role.h"
 
 #include "msg_common.h"
@@ -36,7 +38,7 @@ ocs::Role::locate(const lList *role_list, const char *name) {
 }
 
 bool
-ocs::Role::validate(lListElem *role, lList **answer_list, bool startup) {
+ocs::Role::validate(const lListElem *role, lList **answer_list, bool startup) {
    DENTER(TOP_LAYER);
 
    if (const char *name = lGetString(role, RL_name);
@@ -47,6 +49,35 @@ ocs::Role::validate(lListElem *role, lList **answer_list, bool startup) {
    DRETURN(true);
 }
 
+void
+ocs::Role::check_integrity(const lList *role_list, const lList *userset_list, lList **answer_list) {
+   DENTER(TOP_LAYER);
+
+   for_each_ep_lv(role, role_list) {
+      const char *role_name = lGetString(role, RL_name);
+
+      // check each user_list entry against the master userset list
+      for_each_ep_lv(user_ep, lGetList(role, RL_user_list)) {
+         const char *userset_name = lGetString(user_ep, US_name);
+         if (!lGetElemStr(userset_list, US_name, userset_name)) {
+            WARNING(MSG_ROLE_INTEGRITY_USERSET_SS, role_name, userset_name);
+            answer_list_add(answer_list, SGE_EVENT, STATUS_EUNKNOWN, ANSWER_QUALITY_WARNING);
+         }
+      }
+
+      // check each parent_role_list entry against the master role list
+      for_each_ep_lv(parent_ep, lGetList(role, RL_parent_role_list)) {
+         const char *parent_name = lGetString(parent_ep, ST_name);
+         if (!lGetElemStr(role_list, RL_name, parent_name)) {
+            WARNING(MSG_ROLE_INTEGRITY_PARENT_SS, role_name, parent_name);
+            answer_list_add(answer_list, SGE_EVENT, STATUS_EUNKNOWN, ANSWER_QUALITY_WARNING);
+         }
+      }
+   }
+
+   DRETURN_VOID;
+}
+
 lListElem *
 ocs::Role::create_template() {
    DENTER(TOP_LAYER);

source/libs/sgeobj/ocs_Role.h

@@ -42,7 +42,15 @@ namespace ocs {
        * @param startup      True when called during qmaster startup (relaxes some checks).
        * @return             True if the role is valid.
        */
-      static bool validate(lListElem *role, lList **answer_list, bool startup);
+      static bool validate(const lListElem *role, lList **answer_list, bool startup);
+
+      /**
+       * Post-startup integrity scan for dangling role references.
+       * Logs a WARNING for each RL_user_list entry whose userset does not exist in
+       * userset_list and each RL_parent_role_list entry whose parent role does not
+       * exist in role_list. Does not abort startup.
+       */
+      static void check_integrity(const lList *role_list, const lList *userset_list, lList **answer_list);
 
       /**
        * Create a Role template element with default attribute values.