Merge pull request #26806 from vespa-engine/olaa/splunk-role

Add splunk role config

4 files changed, 40 insertions, 10 deletions

diff --git a/config-model/src/main/java/com/yahoo/vespa/model/admin/LogForwarder.java b/config-model/src/main/java/com/yahoo/vespa/model/admin/LogForwarder.java
index 6284c0bc625..beb96ab8cc8 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/admin/LogForwarder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/admin/LogForwarder.java
@@ -14,24 +14,30 @@ public class LogForwarder extends AbstractService implements LogforwarderConfig.
         public final String clientName;
         public final String splunkHome;
         public final Integer phoneHomeInterval;
+        public final String role;
 
-        private Config(String ds, String cn, String sh, Integer phi) {
+        private Config(String ds, String cn, String sh, Integer phi, String role) {
             this.deploymentServer = ds;
             this.clientName = cn;
             this.splunkHome = sh;
             this.phoneHomeInterval = phi;
+            this.role = role;
         }
         public Config withDeploymentServer(String ds) {
-            return new Config(ds, clientName, splunkHome, phoneHomeInterval);
+            return new Config(ds, clientName, splunkHome, phoneHomeInterval, role);
         }
         public Config withClientName(String cn) {
-            return new Config(deploymentServer, cn, splunkHome, phoneHomeInterval);
+            return new Config(deploymentServer, cn, splunkHome, phoneHomeInterval, role);
         }
         public Config withSplunkHome(String sh) {
-            return new Config(deploymentServer, clientName, sh, phoneHomeInterval);
+            return new Config(deploymentServer, clientName, sh, phoneHomeInterval, role);
         }
         public Config withPhoneHomeInterval(Integer phi) {
-            return new Config(deploymentServer, clientName, splunkHome, phi);
+            return new Config(deploymentServer, clientName, splunkHome, phi, role);
+        }
+
+        public Config withRole(String role) {
+            return new Config(deploymentServer, clientName, splunkHome, phoneHomeInterval, role);
         }
     }
 
@@ -49,7 +55,7 @@ public class LogForwarder extends AbstractService implements LogforwarderConfig.
     }
 
     public static Config cfg() {
-        return new Config(null, null, null, null);
+        return new Config(null, null, null, null, null);
     }
 
     // LogForwarder does not need any ports.
@@ -79,6 +85,9 @@ public class LogForwarder extends AbstractService implements LogforwarderConfig.
         if (config.phoneHomeInterval != null) {
             builder.phoneHomeInterval(config.phoneHomeInterval);
         }
+        if (config.role != null) {
+            builder.role(config.role);
+        }
     }
 
     @Override
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminBuilderBase.java b/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminBuilderBase.java
index 9280f0ceb9a..df998e75268 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminBuilderBase.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminBuilderBase.java
@@ -21,9 +21,11 @@ import com.yahoo.vespa.model.admin.monitoring.builder.Metrics;
 import com.yahoo.vespa.model.admin.monitoring.builder.PredefinedMetricSets;
 import com.yahoo.vespa.model.admin.monitoring.builder.xml.MetricsBuilder;
 import org.w3c.dom.Element;
+
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Optional;
+import java.util.regex.Pattern;
 
 /**
  * A base class for admin model builders, to support common functionality across versions.
@@ -98,7 +100,7 @@ public abstract class DomAdminBuilderBase extends VespaDomBuilder.DomConfigProdu
         return Optional.empty();
     }
 
-    void addLogForwarders(ModelElement logForwardingElement, Admin admin) {
+    void addLogForwarders(ModelElement logForwardingElement, Admin admin, DeployState deployState) {
         if (logForwardingElement == null) return;
         boolean alsoForAdminCluster = logForwardingElement.booleanAttribute("include-admin");
         for (ModelElement e : logForwardingElement.children("splunk")) {
@@ -106,7 +108,8 @@ public abstract class DomAdminBuilderBase extends VespaDomBuilder.DomConfigProdu
 		    .withSplunkHome(e.stringAttribute("splunk-home"))
 		    .withDeploymentServer(e.stringAttribute("deployment-server"))
 		    .withClientName(e.stringAttribute("client-name"))
-            .withPhoneHomeInterval(e.integerAttribute("phone-home-interval"));
+            .withPhoneHomeInterval(e.integerAttribute("phone-home-interval"))
+            .withRole(parseLogforwarderRole(e.stringAttribute("role"), deployState));
             admin.setLogForwarderConfig(cfg, alsoForAdminCluster);
         }
     }
@@ -130,4 +133,22 @@ public abstract class DomAdminBuilderBase extends VespaDomBuilder.DomConfigProdu
         }
     }
 
+    private String parseLogforwarderRole(String role, DeployState deployState) {
+        if (role == null)
+            return null;
+        if (deployState.zone().system().isPublic())
+            throw new IllegalArgumentException("Logforwarder role not supported in public systems");
+
+        // Currently only support athenz roles on format athenz://<domain>/role/<role>
+        var rolePattern = Pattern.compile("(?<scheme>athenz)://" +
+                "(?<domain>[a-zA-Z0-9_][a-zA-Z0-9_.-]*[a-zA-Z0-9_])" +
+                "/role/" +
+                "(?<role>[a-zA-Z0-9_][a-zA-Z0-9_.-]*[a-zA-Z0-9_])");
+        var matcher = rolePattern.matcher(role);
+        if (!matcher.matches()) {
+            throw new IllegalArgumentException("Invalid role path " + role);
+        }
+        return matcher.group("domain") + ":role." + matcher.group("role");
+    }
+
 }
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV2Builder.java b/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV2Builder.java
index 7a7092b04dd..152f7e03a4c 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV2Builder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV2Builder.java
@@ -47,7 +47,7 @@ public class DomAdminV2Builder extends DomAdminBuilderBase {
         if ( ! admin.multitenant())
             admin.setClusterControllers(addConfiguredClusterControllers(deployState, admin, adminE), deployState);
 
-        addLogForwarders(new ModelElement(adminE).child("logforwarding"), admin);
+        addLogForwarders(new ModelElement(adminE).child("logforwarding"), admin, deployState);
         addLoggingSpecs(new ModelElement(adminE).child("logging"), admin);
     }
 
diff --git a/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV4Builder.java b/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV4Builder.java
index 80000e54b1b..4990ddc9a53 100644
--- a/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV4Builder.java
+++ b/config-model/src/main/java/com/yahoo/vespa/model/builder/xml/dom/DomAdminV4Builder.java
@@ -55,7 +55,7 @@ public class DomAdminV4Builder extends DomAdminBuilderBase {
         assignSlobroks(deployState, requestedSlobroks.orElse(NodesSpecification.nonDedicated(3, context)), admin);
         assignLogserver(deployState, requestedLogservers.orElse(createNodesSpecificationForLogserver()), admin);
 
-        addLogForwarders(adminElement.child("logforwarding"), admin);
+        addLogForwarders(adminElement.child("logforwarding"), admin, deployState);
         addLoggingSpecs(adminElement.child("logging"), admin);
     }