authorMorten Tokle <mortent@verizonmedia.com>2021-06-01 14:24:40 +0200
committerMorten Tokle <mortent@verizonmedia.com>2021-06-01 14:24:40 +0200
commit298ff55faac1e51af3ffbb53e139569b82ed8eb4 (patch)
treefdf361b96e9cb8e29c1509020c228281d9c91c7e
parentad0bd43f50719672848f3cb3859fad0d28a9820d (diff)
Remove use of flags for tenant specific iam roles
-rw-r--r--config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java2
-rw-r--r--configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java3
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java15
-rw-r--r--flags/src/main/java/com/yahoo/vespa/flags/Flags.java10
4 files changed, 7 insertions, 23 deletions
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
index 4ce0a9c9dbb..08ccfe33cd5 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/container/xml/ContainerModelBuilder.java
@@ -219,7 +219,7 @@ public class ContainerModelBuilder extends ConfigModelBuilder<ContainerModel> {
if(deployState.isHosted()) {
cluster.addPlatformBundle(PlatformBundles.absoluteBundlePath("jdisc-cloud-aws"));
}
- if (deployState.featureFlags().tenantIamRole()) {
+ if (deployState.zone().system().isPublic()) {
BindingPattern bindingPattern = SystemBindingPattern.fromHttpPath("/validate-secret-store");
Handler<AbstractConfigProducer<?>> handler = new Handler<>(
new ComponentModel("com.yahoo.jdisc.cloud.aws.AwsParameterStoreValidationHandler", null, "jdisc-cloud-aws", null));
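Review bot: The new condition `deployState.zone().system().isPublic()` sits outside the `isHosted()` block just above it, yet the handler it registers is loaded from the `jdisc-cloud-aws` bundle, which is only added as a platform bundle when `deployState.isHosted()` is true. If a deploy state can report a public system without being hosted (this hunk does not show whether that is possible, for example in tests), the handler would reference a bundle that was never installed; `if (deployState.isHosted() && deployState.zone().system().isPublic()) {` makes the dependency explicit. The `/validate-secret-store` binding is now present on every container cluster in public systems rather than only for flagged tenants, so a short comment stating which caller is expected to reach it and where that is enforced would help; the access control is not visible here. The statement that builds the handler continues past the end of the hunk.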
diff --git a/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java b/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
index d2fb5fd6f4b..d110370e72b 100644
--- a/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
+++ b/configserver/src/main/java/com/yahoo/vespa/config/server/deploy/ModelContextImpl.java
@@ -171,7 +171,6 @@ public class ModelContextImpl implements ModelContext {
private final boolean enableFeedBlockInDistributor;
private final ToIntFunction<ClusterSpec.Type> metricsProxyMaxHeapSizeInMb;
private final List<String> allowedAthenzProxyIdentities;
- private final boolean tenantIamRole;
private final int maxActivationInhibitedOutOfSyncGroups;
private final ToIntFunction<ClusterSpec.Type> jvmOmitStackTraceInFastThrow;
private final boolean enableCustomAclMapping;
@@ -194,7 +193,6 @@ public class ModelContextImpl implements ModelContext {
this.enableFeedBlockInDistributor = flagValue(source, appId, Flags.ENABLE_FEED_BLOCK_IN_DISTRIBUTOR);
this.metricsProxyMaxHeapSizeInMb = type -> Flags.METRICS_PROXY_MAX_HEAP_SIZE_IN_MB.bindTo(source).with(CLUSTER_TYPE, type.name()).value();
this.allowedAthenzProxyIdentities = flagValue(source, appId, Flags.ALLOWED_ATHENZ_PROXY_IDENTITIES);
- this.tenantIamRole = flagValue(source, appId.tenant(), Flags.TENANT_IAM_ROLE);
this.maxActivationInhibitedOutOfSyncGroups = flagValue(source, appId, Flags.MAX_ACTIVATION_INHIBITED_OUT_OF_SYNC_GROUPS);
this.jvmOmitStackTraceInFastThrow = type -> flagValueAsInt(source, appId, type, PermanentFlags.JVM_OMIT_STACK_TRACE_IN_FAST_THROW);
this.enableCustomAclMapping = flagValue(source, appId, Flags.ENABLE_CUSTOM_ACL_MAPPING);
@@ -217,7 +215,6 @@ public class ModelContextImpl implements ModelContext {
@Override public boolean enableFeedBlockInDistributor() { return enableFeedBlockInDistributor; }
@Override public int metricsProxyMaxHeapSizeInMb(ClusterSpec.Type type) { return metricsProxyMaxHeapSizeInMb.applyAsInt(type); }
@Override public List<String> allowedAthenzProxyIdentities() { return allowedAthenzProxyIdentities; }
- @Override public boolean tenantIamRole() { return tenantIamRole; }
@Override public int maxActivationInhibitedOutOfSyncGroups() { return maxActivationInhibitedOutOfSyncGroups; }
@Override public String jvmOmitStackTraceInFastThrowOption(ClusterSpec.Type type) {
return translateJvmOmitStackTraceInFastThrowIntToString(jvmOmitStackTraceInFastThrow, type);
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
index 4b102ef3077..1ff68ae641a 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
@@ -42,14 +42,11 @@ public class TenantController {
private final Controller controller;
private final CuratorDb curator;
private final AccessControl accessControl;
- private final BooleanFlag provisionTenantRoles;
-
public TenantController(Controller controller, CuratorDb curator, AccessControl accessControl, FlagSource flagSource) {
this.controller = Objects.requireNonNull(controller, "controller must be non-null");
this.curator = Objects.requireNonNull(curator, "curator must be non-null");
this.accessControl = accessControl;
- this.provisionTenantRoles = Flags.PROVISION_TENANT_ROLES.bindTo(flagSource);
// Update serialization format of all tenants
@@ -116,15 +113,11 @@ public class TenantController {
TenantId.validate(tenantSpec.tenant().value());
curator.writeTenant(accessControl.createTenant(tenantSpec, controller.clock().instant(), credentials, asList()));
- // Provision tenant role if enabled
- if (provisionTenantRoles.with(FetchVector.Dimension.TENANT_ID, tenantSpec.tenant().value()).value()) {
- try {
- controller.serviceRegistry().roleService().createTenantRole(tenantSpec.tenant());
- } catch (Exception e) {
- throw new RuntimeException("Unable to create tenant role for tenant: " + tenantSpec.tenant());
- }
+ try {
+ controller.serviceRegistry().roleService().createTenantRole(tenantSpec.tenant());
+ } catch (Exception e) {
+ throw new RuntimeException("Unable to create tenant role for tenant: " + tenantSpec.tenant());
}
-
}
}
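Review bot: The `catch (Exception e)` in the added block throws a new `RuntimeException` without passing `e`, so the reason role creation failed is lost from logs and stack traces; with the flag gone this path runs for every tenant creation, and it should read `throw new RuntimeException("Unable to create tenant role for tenant: " + tenantSpec.tenant(), e);`. `curator.writeTenant(...)` has already persisted the tenant by the time `createTenantRole` is called, so a failure here appears to leave a stored tenant without its role; whether retrying the create call recovers from that is not visible in this hunk and is worth confirming or stating in a comment. The constructor in the previous hunk still accepts `FlagSource flagSource`, which no visible line uses any more. The enclosing method starts above the hunk.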
diff --git a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
index 45297d64781..c1750c73c2b 100644
--- a/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
+++ b/flags/src/main/java/com/yahoo/vespa/flags/Flags.java
@@ -107,16 +107,10 @@ public class Flags {
"Takes effect at redeployment",
ZONE_ID, APPLICATION_ID);
- public static final UnboundBooleanFlag PROVISION_TENANT_ROLES = defineFeatureFlag(
- "provision-tenant-roles", false,
- List.of("tokle"), "2020-12-02", "2021-06-01",
- "Whether tenant roles should be provisioned",
- "Takes effect on next deployment (controller)",
- TENANT_ID);
-
+ // TODO: Remove when models referring to this are gone in all systems
public static final UnboundBooleanFlag TENANT_IAM_ROLE = defineFeatureFlag(
"application-iam-roles", false,
- List.of("tokle"), "2020-12-02", "2021-06-01",
+ List.of("tokle"), "2020-12-02", "2021-08-01",
"Allow separate iam roles when provisioning/assigning hosts",
"Takes effect immediately on new hosts, on next redeploy for applications",
TENANT_ID);