remove all the CMS authz logic from the CouchDB validate functions

[amaltaro]

Fixes #11190

Status

ready

Description

This PR removes the couchapp validate functions in all of the WMCore design documents. In practice, it means we no longer evaluate the user CRIC group/roles to decide what that person can or cannot do.

Some operations are still reserved only for CouchDB admins, like write/update to design documents; create/delete database admins and members; create and delete databases. Further information in: https://docs.couchdb.org/en/stable/api/database/security.html

Is it backward compatible (if not, which system it affects?)

YES

Related PRs

Might be related to: dmwm/deployment#1088

External dependencies / deployment changes

CouchApps need to be refreshed on the CouchDB backend nodes. Practically speaking, this directory must be removed before CouchDB gets started: /data/srv/state/couchdb/stagingarea/couchapps/

Doesn't necessarily need CouchDB 3.x, but it's meant for that.

[cmsdmwmbot]

Jenkins results:

• Python3 Unit tests: succeeded
  • 2 tests no longer failing
  • 1 changes in unstable tests
• Python3 Pylint check: succeeded
• Pylint py3k check: succeeded
• Pycodestyle check: succeeded

Details at https://cmssdt.cern.ch/dmwm-jenkins/view/All/job/DMWM-WMCore-PR-test/13368/artifact/artifacts/PullRequestReport.html

[todor-ivanov]

Thanks @amaltaro As widely discussed in a private chat, this is change is now well understood and to me it looks pretty good.

[amaltaro]

I will tighten up authz in ReqMgr2 with this ticket: #6072
It should be done before things go to production.