authorOla Aunrønning <olaa@verizonmedia.com>2022-03-17 14:08:59 +0100
committerOla Aunrønning <olaa@verizonmedia.com>2022-03-17 14:08:59 +0100
commitdcd70dc2889c0463f55bf0bebdf5e78488021e5f (patch)
tree7f06f51ea3ec19b2dff59f6cdea66ce52ce06527
parent90cdd84b93c368774fa8f30d726c4029ef0638ac (diff)
Membership decision includes 'approved' field. Only trigger athenz sync on approval
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/MembershipEntity.java15
3 files changed, 17 insertions, 2 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 9a6a661d7e0..2e4f3f16218 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -92,7 +92,7 @@ public class AthenzAccessControlService implements AccessControlService {
var reason = roleInformation.getPendingRequest().get().getReason();
zms.decidePendingRoleMembership(role, vespaTeam, expiry, Optional.of(reason), Optional.of(oAuthCredentials), approve);
- athenzInstanceSynchronizer.synchronizeInstances(tenantName);
+ if (approve) athenzInstanceSynchronizer.synchronizeInstances(tenantName);
return true;
}
).orElseThrow(() -> new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance"));
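Review bot: The new single-line `if (approve) athenzInstanceSynchronizer.synchronizeInstances(tenantName);` is unbraced and carries no explanation of why a rejection skips the sync, which a reader of this access-control path will want stated rather than inferred from the commit title. I would write it as `// A rejected pending request leaves role membership unchanged, so instances only need re-syncing on approval.` followed by `if (approve) { athenzInstanceSynchronizer.synchronizeInstances(tenantName); }`. Note that `decidePendingRoleMembership` is still called with `expiry` and `reason` on the reject path as well; if ZMS ignores those on rejection that is fine, but it is worth confirming rather than assuming. The enclosing method begins before this hunk, so I cannot see how `approve` and `tenantName` are validated on entry.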
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index a6d18f3167c..136ae1df8ae 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -306,7 +306,7 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
public void decidePendingRoleMembership(AthenzRole athenzRole, AthenzIdentity athenzIdentity, Instant expiry,
Optional<String> reason, Optional<OAuthCredentials> oAuthCredentials, boolean approve) {
URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s/member/%s/decision", athenzRole.domain().getName(), athenzRole.roleName(), athenzIdentity.getFullName()));
- MembershipEntity membership = new MembershipEntity.RoleMembershipEntity(athenzIdentity.getFullName(), approve, athenzRole.roleName(), Long.toString(expiry.getEpochSecond()));
+ var membership = new MembershipEntity.RoleMembershipDecisionEntity(athenzIdentity.getFullName(), approve, athenzRole.roleName(), Long.toString(expiry.getEpochSecond()), approve);
var requestBuilder = RequestBuilder.put()
.setUri(uri)
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/MembershipEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/MembershipEntity.java
index d679433a23d..dcffe006112 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/MembershipEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/MembershipEntity.java
@@ -61,6 +61,21 @@ public class MembershipEntity {
}
+ public static class RoleMembershipDecisionEntity extends RoleMembershipEntity {
+ public final boolean approved;
+
+ @JsonCreator
+ public RoleMembershipDecisionEntity(@JsonProperty("memberName") String memberName,
+ @JsonProperty("isMember") boolean isMember,
+ @JsonProperty("roleName") String roleName,
+ @JsonProperty("expiration") String expiration,
+ @JsonProperty("approved") boolean approved) {
+ super(memberName, isMember, roleName, expiration);
+ this.approved = approved;
+ }
+
+ }
+
public static class GroupMembershipEntity extends MembershipEntity {
public final String groupName;