diff options
author | Ola Aunrønning <olaa@verizonmedia.com> | 2021-09-02 14:55:54 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-09-02 14:55:54 +0200 |
commit | 2487f854a2d7c3a7dc5a0c008c56c98d81ef5008 (patch) | |
tree | f0dcae4806cf44b8a02d6d26e8c817167f3ae42d | |
parent | 5c0039ac6a573cb0299c63cc4e39a2a7d5a834a0 (diff) | |
parent | e5cc08ddc51e399c91bf39ec7f2fd8380d86cd0a (diff) |
Merge pull request #18950 from vespa-engine/olaa/auth0-role-maintainer
Create UserManagementMaintainer
6 files changed, 125 insertions, 1 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java index dfdd273b6f5..5313139ff7d 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java @@ -6,6 +6,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.user.UserId; import com.yahoo.vespa.hosted.controller.api.integration.user.UserManagement; import com.yahoo.vespa.hosted.controller.api.role.Role; +import java.util.ArrayList; import java.util.Collection; import java.util.Collections; import java.util.HashMap; @@ -79,4 +80,9 @@ public class MockUserManagement implements UserManagement { public List<Role> listRoles(UserId userId) { return List.of(); } + + @Override + public List<Role> listRoles() { + return new ArrayList<>(memberships.keySet()); + } } diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/UserManagement.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/UserManagement.java index bfb617a75b6..722acc065d9 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/UserManagement.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/UserManagement.java @@ -36,4 +36,7 @@ public interface UserManagement { /** Returns all roles of which the given user is part, or throws if the user does not exist */ List<Role> listRoles(UserId user); + + /** Returns all roles */ + List<Role> listRoles(); } diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java index 924116e04c0..3b7cf313b37 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java @@ -8,6 +8,7 @@ import com.yahoo.config.provision.SystemName; import com.yahoo.config.provision.zone.ZoneApi; import com.yahoo.jdisc.Metric; import com.yahoo.vespa.hosted.controller.Controller; +import com.yahoo.vespa.hosted.controller.api.integration.user.UserManagement; import java.time.Duration; import java.time.temporal.TemporalUnit; @@ -35,7 +36,7 @@ public class ControllerMaintenance extends AbstractComponent { @Inject @SuppressWarnings("unused") // instantiated by Dependency Injection - public ControllerMaintenance(Controller controller, Metric metric) { + public ControllerMaintenance(Controller controller, Metric metric, UserManagement userManagement) { Intervals intervals = new Intervals(controller.system()); upgrader = new Upgrader(controller, intervals.defaultInterval); maintainers.add(upgrader); @@ -73,6 +74,7 @@ public class ControllerMaintenance extends AbstractComponent { maintainers.add(new VcmrMaintainer(controller, intervals.vcmrMaintainer)); maintainers.add(new CloudTrialExpirer(controller, intervals.defaultInterval)); maintainers.add(new RetriggerMaintainer(controller, intervals.retriggerMaintainer)); + maintainers.add(new UserManagementMaintainer(controller, intervals.userManagementMaintainer, userManagement)); } public Upgrader upgrader() { return upgrader; } @@ -129,6 +131,7 @@ public class ControllerMaintenance extends AbstractComponent { private final Duration changeRequestMaintainer; private final Duration vcmrMaintainer; private final Duration retriggerMaintainer; + private final Duration userManagementMaintainer; public Intervals(SystemName system) { this.system = Objects.requireNonNull(system); @@ -162,6 +165,7 @@ public class ControllerMaintenance extends AbstractComponent { this.changeRequestMaintainer = duration(1, HOURS); this.vcmrMaintainer = duration(1, HOURS); this.retriggerMaintainer = duration(1, MINUTES); + this.userManagementMaintainer = duration(12, HOURS); } private Duration duration(long amount, TemporalUnit unit) { diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/UserManagementMaintainer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/UserManagementMaintainer.java new file mode 100644 index 00000000000..6b509e82dba --- /dev/null +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/UserManagementMaintainer.java @@ -0,0 +1,64 @@ +// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root. +package com.yahoo.vespa.hosted.controller.maintenance; + +import com.yahoo.config.provision.SystemName; +import com.yahoo.vespa.hosted.controller.Application; +import com.yahoo.vespa.hosted.controller.Controller; +import com.yahoo.vespa.hosted.controller.api.integration.user.Roles; +import com.yahoo.vespa.hosted.controller.api.integration.user.UserManagement; +import com.yahoo.vespa.hosted.controller.api.role.Role; + +import java.time.Duration; +import java.util.List; +import java.util.logging.Logger; +import java.util.stream.Collectors; + +/** + * Maintains user management resources. + * For now, ensures there's no discrepnacy between expected tenant/application roles and Auth0 roles + * + * @author olaa + */ +public class UserManagementMaintainer extends ControllerMaintainer { + + private final UserManagement userManagement; + + private static final Logger logger = Logger.getLogger(UserManagementMaintainer.class.getName()); + + public UserManagementMaintainer(Controller controller, Duration interval, UserManagement userManagement) { + super(controller, interval, UserManagementMaintainer.class.getSimpleName(), SystemName.allOf(SystemName::isPublic)); + this.userManagement = userManagement; + + } + + @Override + protected double maintain() { + findLeftoverRoles().forEach(role -> { + /* + Log discrepancy now + TODO: userManagement.deleteRole(role); + */ + logger.warning(String.format("Found unexpected role %s - Please investigate", role.toString())); + }); + return 1.0; + } + + // protected for testing + protected List<Role> findLeftoverRoles() { + var tenantRoles = controller().tenants().asList() + .stream() + .flatMap(tenant -> Roles.tenantRoles(tenant.name()).stream()) + .collect(Collectors.toList()); + + var applicationRoles = controller().applications().asList() + .stream() + .map(Application::id) + .flatMap(applicationId -> Roles.applicationRoles(applicationId.tenant(), applicationId.application()).stream()) + .collect(Collectors.toList()); + + return userManagement.listRoles().stream() + .filter(role -> !tenantRoles.contains(role) && !applicationRoles.contains(role)) + .collect(Collectors.toList()); + } + +} diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/UserManagementMaintainerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/UserManagementMaintainerTest.java new file mode 100644 index 00000000000..08be2266b2e --- /dev/null +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/UserManagementMaintainerTest.java @@ -0,0 +1,44 @@ +package com.yahoo.vespa.hosted.controller.maintenance; + +import com.yahoo.config.provision.ApplicationName; +import com.yahoo.config.provision.TenantName; +import com.yahoo.vespa.hosted.controller.ControllerTester; +import com.yahoo.vespa.hosted.controller.api.integration.stubs.MockUserManagement; +import com.yahoo.vespa.hosted.controller.api.integration.user.Roles; +import com.yahoo.vespa.hosted.controller.api.integration.user.UserManagement; +import org.junit.Test; + +import java.time.Duration; + +import static org.junit.Assert.*; + +/** + * @author olaa + */ +public class UserManagementMaintainerTest { + + private final ControllerTester tester = new ControllerTester(); + private final UserManagement userManagement = new MockUserManagement(); + private final UserManagementMaintainer userManagementMaintainer = new UserManagementMaintainer(tester.controller(), Duration.ofMinutes(1), userManagement); + + private final TenantName tenant = TenantName.from("tenant1"); + private final ApplicationName app = ApplicationName.from("app1"); + private final TenantName deletedTenant = TenantName.from("deleted-tenant"); + + @Test + public void finds_superfluous_roles() { + tester.createTenant(tenant.value()); + tester.createApplication(tenant.value(), app.value()); + + Roles.tenantRoles(tenant).forEach(userManagement::createRole); + Roles.applicationRoles(tenant, app).forEach(userManagement::createRole); + Roles.tenantRoles(deletedTenant).forEach(userManagement::createRole); + + var expectedRoles = Roles.tenantRoles(deletedTenant); + var actualRoles = userManagementMaintainer.findLeftoverRoles(); + + assertEquals(expectedRoles.size(), actualRoles.size()); + assertTrue(expectedRoles.containsAll(actualRoles) && actualRoles.containsAll(expectedRoles)); + } + +}
\ No newline at end of file diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/controller/responses/maintenance.json b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/controller/responses/maintenance.json index be51312186b..2edf1867fd3 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/controller/responses/maintenance.json +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/controller/responses/maintenance.json @@ -100,6 +100,9 @@ "name": "Upgrader" }, { + "name": "UserManagementMaintainer" + }, + { "name": "VcmrMaintainer" }, { |