authorMorten Tokle <mortent@verizonmedia.com>2021-03-04 13:12:11 +0100
committerGitHub <noreply@github.com>2021-03-04 13:12:11 +0100
commit65b1933e6b2c1b5a2b2c678490590c2ad1af3cc2 (patch)
tree5feeb17071cdc6588bf7f13bed4e3106568b3359
parentc599cb94339acd099b878976a46db8a48c71a5ea (diff)
parent0964cd8a731d2628f03199fc2478140f1f84760f (diff)
Merge pull request #16781 from vespa-engine/mortent/maintain-roles
Add new methods to RoleService, create maintainer for maintaining roles
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java11
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java9
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java3
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java35
4 files changed, 58 insertions, 0 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java
index dceb56d14c1..d967ad3dca4 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java
@@ -4,6 +4,8 @@ package com.yahoo.vespa.hosted.controller.api.integration.aws;
import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.TenantName;
+import java.util.Collections;
+import java.util.List;
import java.util.Optional;
/**
@@ -17,7 +19,16 @@ public class NoopRoleService implements RoleService {
}
@Override
+ public void deleteTenantRole(TenantName tenant) { }
+
+ @Override
public String createTenantPolicy(TenantName tenant, String policyName, String awsId, String role) {
return "";
}
+
+ @Override
+ public void deleteTenantPolicy(TenantName tenant, String policyName) { }
+
+ @Override
+ public void maintainRoles(List<TenantName> tenants) { }
}
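Review bot: The added `import java.util.Collections;` in the NoopRoleService import block is unused — of the new lines only `maintainRoles(List<TenantName> tenants)` needs a new import, and that is `List` — so it should be dropped before it starts to look intentional. The three new empty overrides are fine for a no-op implementation, but nothing tells a reader of test output that role deletion and maintenance are silently skipped here; a one-line class or method comment such as `/** No-op: roles and policies are never created, deleted or maintained. */` would make that explicit.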
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java
index 3c04546f479..4219ad35612 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.aws;
import com.yahoo.config.provision.ApplicationId;
import com.yahoo.config.provision.TenantName;
+import java.util.List;
import java.util.Optional;
/**
@@ -13,6 +14,14 @@ public interface RoleService {
Optional<TenantRoles> createTenantRole(TenantName tenant);
+ void deleteTenantRole(TenantName tenant);
+
String createTenantPolicy(TenantName tenant, String policyName, String awsId, String role);
+ void deleteTenantPolicy(TenantName tenant, String policyName);
+
+ /*
+ * Maintain roles for the tenants in the system. Create missing roles, update trust.
+ */
+ void maintainRoles(List<TenantName> tenants);
}
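Review bot: The comment above `maintainRoles` in the RoleService interface opens with `/*` rather than `/**`, so it is not picked up as Javadoc, and the new `deleteTenantRole` and `deleteTenantPolicy` methods carry no documentation at all. Because the only caller in this PR (TenantRoleMaintainer) passes a flag-filtered subset of the tenants, the contract should state what happens to roles of tenants not in the list — left untouched, or removed — since that decides whether disabling the flag for a tenant can silently delete or orphan its role. I would change the opener to `/**` and add `@param tenants the tenants whose roles must exist after this call; roles of other tenants are not modified` if that matches the implementation, and otherwise say what does happen. A short line on each delete method, e.g. `/** Deletes the role created for this tenant, if any. */`, would complete the interface's documentation.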
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java
index 9f9a0f6d56f..d9a233eb475 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java
@@ -66,6 +66,7 @@ public class ControllerMaintenance extends AbstractComponent {
maintainers.add(new EndpointCertificateMaintainer(controller, intervals.endpointCertificateMaintainer));
maintainers.add(new TrafficShareUpdater(controller, intervals.trafficFractionUpdater));
maintainers.add(new ArchiveUriUpdater(controller, intervals.archiveUriUpdater));
+ maintainers.add(new TenantRoleMaintainer(controller, intervals.tenantRoleMaintainer));
}
public Upgrader upgrader() { return upgrader; }
@@ -117,6 +118,7 @@ public class ControllerMaintenance extends AbstractComponent {
private final Duration endpointCertificateMaintainer;
private final Duration trafficFractionUpdater;
private final Duration archiveUriUpdater;
+ private final Duration tenantRoleMaintainer;
public Intervals(SystemName system) {
this.system = Objects.requireNonNull(system);
@@ -145,6 +147,7 @@ public class ControllerMaintenance extends AbstractComponent {
this.endpointCertificateMaintainer = duration(12, HOURS);
this.trafficFractionUpdater = duration(5, MINUTES);
this.archiveUriUpdater = duration(5, MINUTES);
+ this.tenantRoleMaintainer = duration(5, MINUTES);
}
private Duration duration(long amount, TemporalUnit unit) {
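Review bot: `this.tenantRoleMaintainer = duration(5, MINUTES);` schedules a call into the cloud role integration for every flag-enabled tenant every five minutes, the cadence of the lightweight updaters above it rather than the 12 hours given to `endpointCertificateMaintainer`. Whether that is appropriate depends on how expensive and idempotent `RoleService.maintainRoles` is, which is not visible in this diff; if it lists and updates roles per tenant, a cadence this tight could run into provider API throttling as the tenant count grows. A brief comment on that line giving the reason for the interval, or a longer default, would make the choice deliberate. The three hunks in this file sit inside constructors that begin and end outside the hunks.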
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java
new file mode 100644
index 00000000000..e8b50a6b604
--- /dev/null
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java
@@ -0,0 +1,35 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.vespa.hosted.controller.maintenance;
+
+import com.yahoo.vespa.flags.BooleanFlag;
+import com.yahoo.vespa.flags.FetchVector;
+import com.yahoo.vespa.flags.Flags;
+import com.yahoo.vespa.hosted.controller.Controller;
+import com.yahoo.vespa.hosted.controller.tenant.Tenant;
+
+import java.time.Duration;
+import java.util.stream.Collectors;
+
+public class TenantRoleMaintainer extends ControllerMaintainer {
+
+ private final BooleanFlag provisionTenantRoles;
+
+ public TenantRoleMaintainer(Controller controller, Duration tenantRoleMaintainer) {
+ super(controller, tenantRoleMaintainer);
+ provisionTenantRoles = Flags.PROVISION_TENANT_ROLES.bindTo(controller.flagSource());
+ }
+
+ @Override
+ protected boolean maintain() {
+ var roleService = controller().serviceRegistry().roleService();
+ var tenants = controller().tenants().asList();
+ var tenantsWithRoles = tenants.stream()
+ .map(Tenant::name)
+ // Only maintain a subset of the tenants
+ .filter(name -> provisionTenantRoles.with(FetchVector.Dimension.TENANT_ID, name.value()).value())
+ .collect(Collectors.toList());
+ roleService.maintainRoles(tenantsWithRoles);
+ return true;
+ }
+}
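Review bot: `maintain()` returns `true` unconditionally, so the maintainer reports success regardless of what `roleService.maintainRoles(tenantsWithRoles)` achieved; if the service handles per-tenant failures internally and returns normally, every run is recorded as healthy, and if it throws, how the run is counted depends on `ControllerMaintainer`, which is outside this diff. If `maintainRoles` has no way to signal partial failure, a comment above the return saying so would at least make the `return true` deliberate. The class also has no Javadoc; following the sibling maintainers, something like `/** Maintains roles for tenants that have the PROVISION_TENANT_ROLES flag enabled: creates missing roles and updates trust. */` above the class declaration would do. Finally, the constructor parameter `Duration tenantRoleMaintainer` is named after the maintainer rather than after what it holds; `Duration interval` reads better and matches the `super(controller, interval)` call it feeds.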