author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-02-13 17:21:31 +0100 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-02-13 17:21:31 +0100 |
commit | 7a3d23a264ab4f3c9325b8bd6cff14caf32f1cbb (patch) | |
tree | 99ce988f99c5dff97de2b965f876b861b2bd971d | |
parent | 7ee1cd259c8817d8f9f89fcb4d7741fe54fd24da (diff) |
Introduce ZmsClient.hasHostedOperatorAccess()
4 files changed, 29 insertions, 4 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClient.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClient.java
index a8e5db4f952..e8bc16ca271 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClient.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClient.java
@@ -26,6 +26,8 @@ public interface ZmsClient {
 boolean hasTenantAdminAccess(AthenzIdentity athenzIdentity, AthenzDomain tenantDomain);
+ boolean hasHostedOperatorAccess(AthenzIdentity identity);
+
 // Used before vespa tenancy is established for the domain.
 boolean isDomainAdmin(AthenzIdentity athenzIdentity, AthenzDomain domain);
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsClientImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsClientImpl.java
index 8b62a93f8d9..f77e16f67ce 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsClientImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsClientImpl.java
@@ -102,6 +102,11 @@ public class ZmsClientImpl implements ZmsClient {
 return hasAccess(TenantAction._modify_.name(), tenantResourceString(tenantDomain), identity);
 }
+ @Override
+ public boolean hasHostedOperatorAccess(AthenzIdentity identity) {
+ return getOrThrow(() -> hasAccess("modify", service.getDomain() + ":hosted-vespa", identity));
+ }
+
 /**
 * Used when creating tenancies. As there are no tenancy policies at this point,
 * we cannot use {@link #hasTenantAdminAccess(AthenzIdentity, AthenzDomain)}
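Review bot: The new `hasHostedOperatorAccess` declaration on the ZmsClient interface has no comment, while the neighbouring `isDomainAdmin` is prefixed with one explaining when it applies; an authorization predicate on a public interface should state what it decides so callers do not guess. From the implementation in this commit it answers whether the identity may perform the "modify" action on the service domain's hosted-vespa resource, so a line such as `// True if the identity may "modify" the <service domain>:hosted-vespa resource, i.e. act as a hosted Vespa operator.` above the declaration would do. The rest of the interface is outside this hunk.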
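Review bot: The new `hasHostedOperatorAccess` in ZmsClientImpl encodes its policy check as the bare literals `"modify"` and `":hosted-vespa"`, whereas the adjacent `hasTenantAdminAccess` goes through `TenantAction._modify_.name()` and `tenantResourceString(...)`; an access decision spelled out as inline strings is easy to drift from the policy it must match and hard to find when that policy changes. Hoist them to named constants, e.g. `private static final String HOSTED_OPERATOR_ACTION = "modify";` and `private static final String HOSTED_OPERATOR_RESOURCE = "hosted-vespa";`, and build the resource as `service.getDomain() + ":" + HOSTED_OPERATOR_RESOURCE`. The new method also wraps its call in `getOrThrow(...)` while the sibling directly above calls `hasAccess` unwrapped; since `hasAccess` and `getOrThrow` are defined outside this hunk I cannot tell which form is intended, but the two should agree on how a ZMS failure is surfaced.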
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzDbMock.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzDbMock.java
index 0524cf18568..0a360184da9 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzDbMock.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzDbMock.java
@@ -1,13 +1,15 @@
 // Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.athenz.mock;
-import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
+import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -17,12 +19,18 @@ import java.util.Set;
 public class AthenzDbMock {
 public final Map<AthenzDomain, Domain> domains = new HashMap<>();
+ public final List<AthenzIdentity> hostedOperators = new ArrayList<>();
 public AthenzDbMock addDomain(Domain domain) {
 domains.put(domain.name, domain);
 return this;
 }
+ public AthenzDbMock addHostedOperator(AthenzIdentity athenzIdentity) {
+ hostedOperators.add(athenzIdentity);
+ return this;
+ }
 public static class Domain {
 public final AthenzDomain name;
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java
index ba8bfc2405e..3ee2655108a 100644
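Review bot: `hostedOperators` is declared as a `List` although the only use this commit shows is a membership test (`athenz.hostedOperators.contains(identity)` in ZmsClientMock), so the same identity can be registered twice and every check is a linear scan; a `Set` expresses the intent (a set of identities with operator access) and `HashSet` is already imported here. Change the field to `public final Set<AthenzIdentity> hostedOperators = new HashSet<>();`, after which the `ArrayList` and `List` imports added by this hunk are no longer needed. Exposing the collection as a public mutable field matches the existing `domains` field, so that is only a note on the mock's style, not a request to change it.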
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java
@@ -68,17 +68,23 @@ public class ZmsClientMock implements ZmsClient {
 if (application == null) {
 throw zmsException(400, "Application '%s' not found", applicationName);
 }
- return domain.admins.contains(identity) || application.acl.get(action).contains(identity);
+ return isHostedOperator(identity) || domain.admins.contains(identity) || application.acl.get(action).contains(identity);
 }
 @Override
 public boolean hasTenantAdminAccess(AthenzIdentity identity, AthenzDomain tenantDomain) {
 log("hasTenantAdminAccess(principal='%s', tenantDomain='%s')", identity, tenantDomain);
- return isDomainAdmin(identity, tenantDomain) ||
+ return isHostedOperator(identity) || isDomainAdmin(identity, tenantDomain) ||
 getDomainOrThrow(tenantDomain, true).tenantAdmins.contains(identity);
 }
 @Override
+ public boolean hasHostedOperatorAccess(AthenzIdentity identity) {
+ log("hasHostedOperatorAccess(identity='%s')", identity);
+ return isHostedOperator(identity);
+ }
+
+ @Override
 public boolean isDomainAdmin(AthenzIdentity identity, AthenzDomain domain) {
 log("isDomainAdmin(principal='%s', domain='%s')", identity, domain);
 return getDomainOrThrow(domain, false).admins.contains(identity);
@@ -109,6 +115,10 @@ public class ZmsClientMock implements ZmsClient {
 return domain;
 }
+ private boolean isHostedOperator(AthenzIdentity identity) {
+ return athenz.hostedOperators.contains(identity);
+ }
+
 private static ZmsException zmsException(int code, String message, Object... args) {
 return new ZmsException(code, String.format(message, args));
 } |
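Review bot: The mock's application-access check and `hasTenantAdminAccess` now succeed for any identity registered via `addHostedOperator`, but the real `ZmsClientImpl` in this commit only gains `hasHostedOperatorAccess` and leaves its `hasTenantAdminAccess` unchanged; unless the ZMS policies themselves grant operators those rights (not visible here), tests run against the mock will accept operator principals that the real client would deny, which hides exactly the kind of authorization gap a mock should not paper over. In `hasTenantAdminAccess` the `isHostedOperator(identity)` test also short-circuits ahead of `getDomainOrThrow(tenantDomain, true)`, so the mock no longer raises its not-found error for an unknown tenant domain when the caller is an operator, whereas the first method in this hunk still validates the application before consulting the operator list; to keep the two consistent, resolve the domain first: `AthenzDbMock.Domain domain = getDomainOrThrow(tenantDomain, true);` then `return isHostedOperator(identity) || isDomainAdmin(identity, tenantDomain) || domain.tenantAdmins.contains(identity);` (use whatever type `getDomainOrThrow` actually returns; it is defined outside the hunk). The method enclosing the first change, where `if (application == null)` appears, begins above the hunk.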