Add support for posixgroup feature creation based on repo GID

coact-facility-overage-daemon.sh

@@ -5,6 +5,6 @@ export SDF_COACT_URI=coact.slac.stanford.edu:443/graphql-service
 
 while [ 1 ]; do
     date
-    ./venv/bin/python3  ./sdf_click.py coact overage --password-file ./etc/.secrets/password --windows 5 --windows 15 --windows 60 --windows 180 --windows 1440 --verbose --influxdb-url=https://influxdb.slac.stanford.edu:443
+    ./venv/bin/python3  ./sdf_click.py coact overage --password-file ./etc/.secrets/password --grouper-password-file ./etc/.secrets/grouper_password --windows 5 --windows 15 --windows 60 --windows 180 --windows 1440 --verbose --influxdb-url=https://influxdb.slac.stanford.edu:443
     sleep 300
 done

coact-reporegistration-daemon.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
 while [ 1 ]; do
-    SDF_COACT_URI=coact.slac.stanford.edu/graphql-service ./venv/bin/python3 ./sdf_click.py coactd reporegistration --username=sdf-bot --password-file=etc/.secrets/password -vv
+    SDF_COACT_URI=coact.slac.stanford.edu/graphql-service ./venv/bin/python3 ./sdf_click.py coactd reporegistration --username=sdf-bot --password-file=etc/.secrets/password --grouper-password-file ./etc/.secrets/grouper_password -vv
     sleep 1
 done

coact-userregistration-daemon.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 
 while [ 1 ]; do
-    SDF_COACT_URI=coact.slac.stanford.edu:443/graphql-service ./venv/bin/python3 ./sdf_click.py coactd userregistration --username sdf-bot --password-file ./etc/.secrets/password -vv
+    SDF_COACT_URI=coact.slac.stanford.edu:443/graphql-service ./venv/bin/python3 ./sdf_click.py coactd userregistration --username sdf-bot --password-file ./etc/.secrets/password --grouper-password-file ./etc/.secrets/grouper_password -vv
     sleep 5
 done

modules/coactd.py

@@ -154,12 +154,13 @@ class Registration(GraphQlSubscriber, AnsibleRunner):
         }
     """
 
-    def __init__(self, username: str, password_file: str, client_name: str, dry_run: bool = False):
+    def __init__(self, username: str, password_file: str, client_name: str, dry_run: bool = False, grouper_password_file: str = None):
         self.logger = logger
         self.username = username
         self.password_file = password_file
         self.client_name = client_name
         self.dry_run = dry_run
+        self.grouper_password_file = grouper_password_file
 
     def run(self):
         """Main entry point - connect and process subscription requests."""
@@ -531,8 +532,50 @@ def do_new_repo(
         if repo_allocation_end_delta is None:
             repo_allocation_end_delta = pdl.duration(years=5)
 
+        # For CryoEM repos (ct* / ce*), create a POSIX group via Grouper
+        repo_gid = None
+        grouper_name = ""
+        uses_grouper = (
+            facility.lower() == 'cryoem'
+            and (repo.lower().startswith('ct') or repo.lower().startswith('ce'))
+        )
+        if uses_grouper:
+            grouper_name = f"sdf-{facility.lower()}-{repo.lower()}"
+            try:
+                if not self.grouper_password_file:
+                    raise ValueError("Grouper password file must be provided for CryoEM ct/ce repos")
+                grouper_kwargs = dict(
+                    grouper_name=grouper_name,
+                    state="present",
+                    grouper_description=f"POSIX group for {facility} {repo} repository access",
+                    grouper_password_file=self.grouper_password_file
+                )
+                grouper_runner = self.run_playbook("coact/grouper.yml", **grouper_kwargs)
+                repo_gid, __dict__ = self.extract_grouper_values(
+                    grouper_runner,
+                    default_group_name=grouper_name
+                )
+                self.logger.info(
+                    f"Retrieved grouper values for {facility}:{repo}: gid={repo_gid}"
+                )
+                if repo_gid is not None:
+                    self.logger.info(f"Retrieved repo GID for {facility}:{repo}: {repo_gid}")
+                else:
+                    self.logger.warning(f"No GID found in grouper playbook results for {facility}:{repo}")
+                    raise RuntimeError("Unable to fetch gid from grouper.")
+            except Exception as e:
+                self.logger.warning(f"Failed to create grouper POSIX group for {facility}:{repo}: {e}")
+                raise
+
         # run the facility tasks for this repo
-        runner = self.run_playbook("coact/add_repo.yaml", facility=facility, repo=repo)
+        self.run_playbook(
+            "coact/add_repo.yaml",
+            facility=facility, 
+            repo=repo,
+            repo_principal=principal,
+            gidNumber=repo_gid,
+            groupName=grouper_name
+        )
 
         leaders = [principal]
         users = [principal]
@@ -558,18 +601,105 @@ def do_new_repo(
         repo_upserted = self.back_channel.execute(REPO_UPSERT_GQL, repo_create_req)
         repo_id = repo_upserted['repoUpsert']['Id']
 
-        feature_req = {'repo': {'Id': repo_id}}
+        # Create a parameterized feature upsert mutation
         FEATURE_UPSERT_GQL = gql("""
-            mutation repoUpsert($repo: RepoInput! ) {
-                repoUpsertFeature(repo: $repo, feature: { name: "slurm", state: true, options: [] }) {
+            mutation repoUpsert($repo: RepoInput!, $feature: RepoFeatureInput!) {
+                repoUpsertFeature(repo: $repo, feature: $feature) {
                     Id
                 }
             }
         """)
-        feature_upserted = self.back_channel.execute(FEATURE_UPSERT_GQL, feature_req)
+
+        # Create slurm feature
+        slurm_feature_req = {
+            'repo': {'Id': repo_id},
+            'feature': {'name': 'slurm', 'state': True, 'options': []}
+        }
+        self.back_channel.execute(FEATURE_UPSERT_GQL, slurm_feature_req)
+
+        # Create posixgroup feature if GID was obtained from grouper
+        if repo_gid is not None:
+            posixgroup_options = [json.dumps({
+                "name": grouper_name,
+                "gidNumber": int(repo_gid)
+            })]
+
+            posixgroup_feature_req = {
+                'repo': {'Id': repo_id},
+                'feature': {
+                    'name': 'posixgroup',
+                    'state': True,
+                    'options': posixgroup_options
+                }
+            }
+
+            try:
+                self.back_channel.execute(FEATURE_UPSERT_GQL, posixgroup_feature_req)
+                self.logger.info(f"Created posixgroup feature for {facility}:{repo} with GID {repo_gid}")
+            except Exception as e:
+                self.logger.warning(f"Failed to create posixgroup feature for {facility}:{repo}: {e}")
 
         return True
 
+    def extract_grouper_values(self, runner: ansible_runner.runner.Runner, default_group_name: str = ""):
+        """Extract gid and group name from grouper playbook events.
+
+        Ansible callbacks can emit task results in different shapes depending on
+        task type (`s3df_grouper`, `debug`, `set_fact`). This method scans all
+        events and picks the first non-empty gid and group name found.
+        """
+
+        def _clean(v):
+            if v is None:
+                return None
+            if isinstance(v, str):
+                v = v.strip()
+                return v if v else None
+            return str(v)
+
+        gid = None
+        group_name = _clean(default_group_name)
+
+        for event_data in self.playbook_events(runner):
+            res = event_data.get('res', None)
+            if not isinstance(res, dict):
+                continue
+
+            facts = res.get('ansible_facts', {})
+            facts = facts if isinstance(facts, dict) else {}
+            msg = res.get('msg', None)
+            msg = msg if isinstance(msg, dict) else {}
+
+            candidates_gid = [
+                res.get('gid', None),
+                facts.get('gid', None),
+                msg.get('gid', None),
+                (res.get('group', {}) if isinstance(res.get('group', {}), dict) else {}).get('idIndex', None),
+            ]
+            candidates_group_name = [
+                res.get('group_name', None),
+                facts.get('group_name', None),
+                msg.get('group_name', None),
+                (res.get('group', {}) if isinstance(res.get('group', {}), dict) else {}).get('name', None),
+            ]
+
+            for candidate in candidates_gid:
+                cleaned = _clean(candidate)
+                if cleaned is not None:
+                    gid = cleaned
+                    break
+
+            for candidate in candidates_group_name:
+                cleaned = _clean(candidate)
+                if cleaned is not None:
+                    group_name = cleaned
+                    break
+
+            if gid is not None and group_name is not None:
+                break
+
+        return gid, group_name or ""
+
     def upsert_repo_compute_allocation(
         self,
         repo_id: str,
@@ -906,8 +1036,14 @@ def do_feature(self, repo, facility, dry_run: bool = False) -> bool:
 @coactd.command(name='reporegistration')
 @common_options
 @registration_options
+@click.option(
+    '--grouper-password-file',
+    default=None,
+    type=click.Path(exists=True),
+    help='Path to file containing the Grouper service account password'
+)
 @click.pass_context
-def repo_registration(ctx, verbose, username, password_file, client_name, dry_run):
+def repo_registration(ctx, verbose, username, password_file, client_name, dry_run, grouper_password_file):
     """Workflow for repository maintenance.
 
     Handles NewRepo, RepoMembership, RepoRemoveUser, RepoChangeComputeRequirement,
@@ -920,7 +1056,8 @@ def repo_registration(ctx, verbose, username, password_file, client_name, dry_ru
         username=username,
         password_file=password_file,
         client_name=client_name or 'sdf-bot-RepoRegistration',
-        dry_run=dry_run
+        dry_run=dry_run,
+        grouper_password_file=grouper_password_file
     )
     handler.run()
 

pyproject.toml

@@ -10,7 +10,7 @@ requires-python = ">=3.12,<3.13"
 dependencies = [
     "cliff==3.10.1",
     "click>=8.0.0",
-    "gql[all]>=3.4.1",
+    "gql[all]>=3.4.1,<4",
     "ansible-runner==2.3.1",
     "Jinja2>=3.1.2",
     "pendulum>=3.2.0",