author | Morten Tokle <mortent@verizonmedia.com> | 2021-06-01 14:24:40 +0200 |
---|---|---|
committer | Morten Tokle <mortent@verizonmedia.com> | 2021-06-01 14:24:40 +0200 |
commit | 298ff55faac1e51af3ffbb53e139569b82ed8eb4 (patch) | |
tree | fdf361b96e9cb8e29c1509020c228281d9c91c7e | |
parent | ad0bd43f50719672848f3cb3859fad0d28a9820d (diff) |
Remove use of flags for tenant specific iam roles
4 files changed, 7 insertions, 23 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 4ce0a9c9dbb..08ccfe33cd5 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -219,7 +219,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
         if(deployState.isHosted()) {
             cluster.addPlatformBundle(PlatformBundles.absoluteBundlePath("jdisc-cloud-aws"));
         }
-        if (deployState.featureFlags().tenantIamRole()) {
+        if (deployState.zone().system().isPublic()) {
             BindingPattern bindingPattern = SystemBindingPattern.fromHttpPath("/validate-secret-store");
             Handler<AbstractConfigProducer<?>> handler = new Handler<>(
                     new ComponentModel("com.yahoo.jdisc.cloud.aws.AwsParameterStoreValidationHandler", null, "jdisc-cloud-aws", null));
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java b/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
index d2fb5fd6f4b..d110370e72b 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
@@ -171,7 +171,6 @@ public class ModelContextImpl implements ModelContext {
         private final boolean enableFeedBlockInDistributor;
         private final ToIntFunction<ClusterSpec.Type> metricsProxyMaxHeapSizeInMb;
         private final List<String> allowedAthenzProxyIdentities;
-        private final boolean tenantIamRole;
         private final int maxActivationInhibitedOutOfSyncGroups;
         private final ToIntFunction<ClusterSpec.Type> jvmOmitStackTraceInFastThrow;
         private final boolean enableCustomAclMapping;
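Review bot: The replacement condition `deployState.zone().system().isPublic()` now registers the `/validate-secret-store` handler for every deployment in a public system, but unlike the removed flag (whose definition carried a description) nothing in the code says why "public system" is the criterion; a one-line comment above the `if`, e.g. `// The secret-store validation handler is only wired up in public systems`, would keep that intent readable. The diffstat lists four files and none of them is the `ModelContext.FeatureFlags` interface this call site was reading, so `tenantIamRole()` presumably still exists there as a default method; it is worth removing or marking deprecated in a follow-up so it is not picked up by a new reader. The enclosing method starts and ends outside this hunk.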
@@ -194,7 +193,6 @@ public class ModelContextImpl implements ModelContext {
            this.enableFeedBlockInDistributor = flagValue(source, appId, Flags.ENABLE_FEED_BLOCK_IN_DISTRIBUTOR);
            this.metricsProxyMaxHeapSizeInMb = type -> Flags.METRICS_PROXY_MAX_HEAP_SIZE_IN_MB.bindTo(source).with(CLUSTER_TYPE, type.name()).value();
            this.allowedAthenzProxyIdentities = flagValue(source, appId, Flags.ALLOWED_ATHENZ_PROXY_IDENTITIES);
-           this.tenantIamRole = flagValue(source, appId.tenant(), Flags.TENANT_IAM_ROLE);
            this.maxActivationInhibitedOutOfSyncGroups = flagValue(source, appId, Flags.MAX_ACTIVATION_INHIBITED_OUT_OF_SYNC_GROUPS);
            this.jvmOmitStackTraceInFastThrow = type -> flagValueAsInt(source, appId, type, PermanentFlags.JVM_OMIT_STACK_TRACE_IN_FAST_THROW);
            this.enableCustomAclMapping = flagValue(source, appId, Flags.ENABLE_CUSTOM_ACL_MAPPING);
@@ -217,7 +215,6 @@ public class ModelContextImpl implements ModelContext {
        @Override public boolean enableFeedBlockInDistributor() { return enableFeedBlockInDistributor; }
        @Override public int metricsProxyMaxHeapSizeInMb(ClusterSpec.Type type) { return metricsProxyMaxHeapSizeInMb.applyAsInt(type); }
        @Override public List<String> allowedAthenzProxyIdentities() { return allowedAthenzProxyIdentities; }
-       @Override public boolean tenantIamRole() { return tenantIamRole; }
        @Override public int maxActivationInhibitedOutOfSyncGroups() { return maxActivationInhibitedOutOfSyncGroups; }
        @Override public String jvmOmitStackTraceInFastThrowOption(ClusterSpec.Type type) {
            return translateJvmOmitStackTraceInFastThrowIntToString(jvmOmitStackTraceInFastThrow, type);
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
index 4b102ef3077..1ff68ae641a 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
@@ -42,14 +42,11 @@ public class TenantController {
     private final Controller controller;
     private final CuratorDb curator;
     private final AccessControl accessControl;
-    private final BooleanFlag provisionTenantRoles;
-
     public TenantController(Controller controller, CuratorDb curator, AccessControl accessControl, FlagSource flagSource) {
         this.controller = Objects.requireNonNull(controller, "controller must be non-null");
         this.curator = Objects.requireNonNull(curator, "curator must be non-null");
         this.accessControl = accessControl;
-        this.provisionTenantRoles = Flags.PROVISION_TENANT_ROLES.bindTo(flagSource);
         // Update serialization format of all tenants
@@ -116,15 +113,11 @@ public class TenantController {
         TenantId.validate(tenantSpec.tenant().value());
         curator.writeTenant(accessControl.createTenant(tenantSpec, controller.clock().instant(), credentials, asList()));
-        // Provision tenant role if enabled
-        if (provisionTenantRoles.with(FetchVector.Dimension.TENANT_ID, tenantSpec.tenant().value()).value()) {
-            try {
-                controller.serviceRegistry().roleService().createTenantRole(tenantSpec.tenant());
-            } catch (Exception e) {
-                throw new RuntimeException("Unable to create tenant role for tenant: " + tenantSpec.tenant());
-            }
+        try {
+            controller.serviceRegistry().roleService().createTenantRole(tenantSpec.tenant());
+        } catch (Exception e) {
+            throw new RuntimeException("Unable to create tenant role for tenant: " + tenantSpec.tenant());
         }
-        }
     }
diff --git a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
index 45297d64781..c1750c73c2b 100644
--- a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
+++ b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
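Review bot: The constructor signature `public TenantController(Controller controller, CuratorDb curator, AccessControl accessControl, FlagSource flagSource)` keeps its `FlagSource flagSource` parameter even though its only use, the removed `Flags.PROVISION_TENANT_ROLES.bindTo(flagSource)` line, is gone, so the parameter is now dead and the `Flags`, `BooleanFlag` and `FetchVector` imports presumably are too. Unless the injection signature is being preserved on purpose, drop it: `public TenantController(Controller controller, CuratorDb curator, AccessControl accessControl) {`. The rest of the constructor continues outside this hunk.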
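Review bot: The `catch (Exception e)` kept in the new try block still discards `e`, so a failing `createTenantRole` surfaces as a bare RuntimeException with no cause, which makes an IAM permission error indistinguishable from a transport failure in logs; pass the cause through: `throw new RuntimeException("Unable to create tenant role for tenant: " + tenantSpec.tenant(), e);`. This matters more now that role creation runs for every new tenant instead of behind the flag. Note also that `curator.writeTenant(...)` has already persisted the tenant before the role is created, so a failure here leaves a tenant record without its role while the caller sees an exception; a short comment stating whether the caller is expected to retry tenant creation, or that the role is provisioned later, would help the next reader. The enclosing method starts outside this hunk.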
@@ -107,16 +107,10 @@ public class Flags {
             "Takes effect at redeployment",
             ZONE_ID, APPLICATION_ID);
-    public static final UnboundBooleanFlag PROVISION_TENANT_ROLES = defineFeatureFlag(
-            "provision-tenant-roles", false,
-            List.of("tokle"), "2020-12-02", "2021-06-01",
-            "Whether tenant roles should be provisioned",
-            "Takes effect on next deployment (controller)",
-            TENANT_ID);
-
+    // TODO: Remove when models referring to this are gone in all systems
     public static final UnboundBooleanFlag TENANT_IAM_ROLE = defineFeatureFlag(
             "application-iam-roles", false,
-            List.of("tokle"), "2020-12-02", "2021-06-01",
+            List.of("tokle"), "2020-12-02", "2021-08-01",
             "Allow separate iam roles when provisioning/assigning hosts",
             "Takes effect immediately on new hosts, on next redeploy for applications",
             TENANT_ID);