author | Ola Aunrønning <olaa@verizonmedia.com> | 2022-03-04 14:27:06 +0100 |
committer | Ola Aunrønning <olaa@verizonmedia.com> | 2022-03-04 14:27:06 +0100 |
commit | 810de0a30b9dc658769deb21c5579f88afdbd528 (patch) | |
tree | ffc2bbc9667718b9f2cf89a5f833e704be9daa6b /controller-api/src/main/java/com | |
parent | ff570e8ff3f6e08f7851289efe292b4aa1acedfc (diff) |
Fetch audit log and pending membership requests for athenz role
Athenz synchronizer accepts tenant name
ZMSClient membership requests can be rejected
Diffstat (limited to 'controller-api/src/main/java/com')
6 files changed, 34 insertions, 36 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
index b270c27092f..1dd6eb543ef 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.athenz;
 import com.yahoo.config.provision.TenantName;
+import com.yahoo.vespa.athenz.api.AthenzRoleInformation;
 import com.yahoo.vespa.athenz.api.AthenzUser;
 import com.yahoo.vespa.athenz.api.OAuthCredentials;
@@ -16,10 +17,9 @@ import java.util.Collection;
 */
 public interface AccessControlService {
 boolean approveDataPlaneAccess(AthenzUser user, Instant expiry);
- boolean approveSshAccess(TenantName tenantName, Instant expiry, OAuthCredentials oAuthCredentials);
+ boolean decideSshAccess(TenantName tenantName, Instant expiry, OAuthCredentials oAuthCredentials, boolean approve);
 boolean requestSshAccess(TenantName tenantName);
- boolean hasPendingAccessRequests(TenantName tenantName);
- boolean hasPreapprovedAccess(TenantName tenantName);
+ AthenzRoleInformation getAccessRoleInformation(TenantName tenantName);
 void setPreapprovedAccess(TenantName tenantName, boolean preapproved);
 Collection<AthenzUser> listMembers();
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 6b91f49af8e..415a087d990 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -7,6 +7,7 @@ import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzGroup;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzRole;
+import com.yahoo.vespa.athenz.api.AthenzRoleInformation;
 import com.yahoo.vespa.athenz.api.AthenzUser;
 import com.yahoo.vespa.athenz.api.OAuthCredentials;
 import com.yahoo.vespa.athenz.client.zms.ZmsClient;
@@ -45,7 +46,7 @@ public class AthenzAccessControlService implements AccessControlService {
 }
 Map<AthenzIdentity, String> users = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);
 if (users.containsKey(user)) {
- zmsClient.approvePendingRoleMembership(dataPlaneAccessRole, user, expiry, Optional.empty(), Optional.empty());
+ zmsClient.decidePendingRoleMembership(dataPlaneAccessRole, user, expiry, Optional.empty(), Optional.empty(), true);
 return true;
 }
 return false;
@@ -64,19 +65,19 @@ public class AthenzAccessControlService implements AccessControlService {
 * @return Whether the ssh access role has any pending role membership requests
 */
 @Override
- public boolean hasPendingAccessRequests(TenantName tenantName) {
+ public AthenzRoleInformation getAccessRoleInformation(TenantName tenantName) {
 var role = sshRole(tenantName);
 if (!vespaZmsClient.listRoles(role.domain()).contains(role))
- return false;
- var pendingApprovals = vespaZmsClient.listPendingRoleApprovals(role);
- return pendingApprovals.containsKey(vespaTeam);
+ vespaZmsClient.createRole(role, Map.of());
+
+ return vespaZmsClient.getFullRoleInformation(role);
 }
 /**
 * @return true if access has been granted - false if already member
 */
 @Override
- public boolean approveSshAccess(TenantName tenantName, Instant expiry, OAuthCredentials oAuthCredentials) {
+ public boolean decideSshAccess(TenantName tenantName, Instant expiry, OAuthCredentials oAuthCredentials, boolean approve) {
 var role = sshRole(tenantName);
 if (!vespaZmsClient.listRoles(role.domain()).contains(role))
@@ -85,11 +86,13 @@ public class AthenzAccessControlService implements AccessControlService {
 if (vespaZmsClient.getMembership(role, vespaTeam))
 return false;
- if (!hasPendingAccessRequests(tenantName)) {
- vespaZmsClient.addRoleMember(role, vespaTeam, Optional.empty());
- }
- vespaZmsClient.approvePendingRoleMembership(role, vespaTeam, expiry, Optional.empty(), Optional.of(oAuthCredentials));
- athenzInstanceSynchronizer.synchronizeInstances();
+ var roleInformation = vespaZmsClient.getFullRoleInformation(role);
+ if (roleInformation.getPendingRequest().isEmpty())
+ return false;
+ var reason = roleInformation.getPendingRequest().get().getReason();
+
+ vespaZmsClient.decidePendingRoleMembership(role, vespaTeam, expiry, Optional.of(reason), Optional.of(oAuthCredentials), approve);
+ athenzInstanceSynchronizer.synchronizeInstances(tenantName);
 return true;
 }
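Review bot: The Javadoc kept above `getAccessRoleInformation` in the first hunk still reads `@return Whether the ssh access role has any pending role membership requests`, but the new body returns the full `AthenzRoleInformation` and, when the role is absent, now provisions it via `vespaZmsClient.createRole(role, Map.of())` — a getter that creates an Athenz role as a side effect should say so, e.g. `/** Returns the full information for the tenant's ssh access role, creating the role (with no members) if it does not yet exist. */`. The same staleness applies to `decideSshAccess` in the second hunk: `@return true if access has been granted - false if already member` covers neither the `approve == false` path, which rejects the pending request, still calls `synchronizeInstances(tenantName)` and returns true, nor the new `return false` when `getPendingRequest()` is empty; `@return true if the pending request was approved or rejected, false if vespaTeam is already a member or no request is pending` would match the code. Whether an instance synchronization is still wanted after a rejection is not clear from the hunk, and the body of `decideSshAccess` between the two hunks (the missing-role branch) is outside this view. Minor style: `roleInformation.getPendingRequest()` is evaluated twice; binding it once, `var pendingRequest = roleInformation.getPendingRequest();`, avoids the `isEmpty()`-then-`get()` pair.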
@@ -110,15 +113,6 @@ public class AthenzAccessControlService implements AccessControlService {
 return true;
 }
- public boolean hasPreapprovedAccess(TenantName tenantName) {
- var role = sshRole(tenantName);
-
- if (!vespaZmsClient.listRoles(role.domain()).contains(role))
- return true; // true by default
-
- return !vespaZmsClient.isSelfServeRole(role);
- }
-
 public void setPreapprovedAccess(TenantName tenantName, boolean preapprovedAccess) {
 var role = sshRole(tenantName);
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzInstanceSynchronizer.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzInstanceSynchronizer.java
index fb2375d3ea2..3b9166d4363 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzInstanceSynchronizer.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzInstanceSynchronizer.java
@@ -1,6 +1,8 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+import com.yahoo.config.provision.TenantName;
+
 /**
 * @author olaa
 *
@@ -8,6 +10,6 @@ package com.yahoo.vespa.hosted.controller.api.integration.athenz;
 */
 public interface AthenzInstanceSynchronizer {
- void synchronizeInstances();
+ void synchronizeInstances(TenantName tenant);
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzInstanceSynchronizerMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzInstanceSynchronizerMock.java
index 484fb3d6dd2..1f0403a0b44 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzInstanceSynchronizerMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzInstanceSynchronizerMock.java
@@ -1,10 +1,12 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+import com.yahoo.config.provision.TenantName;
+
 /**
 * @author olaa
 */
 public class AthenzInstanceSynchronizerMock implements AthenzInstanceSynchronizer {
 @Override
- public void synchronizeInstances() {}
+ public void synchronizeInstances(TenantName tenant) {}
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
index 505ee97bdf5..c14ca2bdc80 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
@@ -3,12 +3,16 @@ package com.yahoo.vespa.hosted.controller.api.integration.athenz;
 import com.yahoo.config.provision.TenantName;
+import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzRoleInformation;
 import com.yahoo.vespa.athenz.api.AthenzUser;
 import com.yahoo.vespa.athenz.api.OAuthCredentials;
 import java.time.Instant;
 import java.util.Collection;
 import java.util.HashSet;
+import java.util.List;
+import java.util.Optional;
 import java.util.Set;
 public class MockAccessControlService implements AccessControlService {
@@ -31,7 +35,7 @@ public class MockAccessControlService implements AccessControlService {
 }
 @Override
- public boolean approveSshAccess(TenantName tenantName, Instant expiry, OAuthCredentials oAuthCredentials) {
+ public boolean decideSshAccess(TenantName tenantName, Instant expiry, OAuthCredentials oAuthCredentials, boolean approve) {
 return false;
 }
@@ -41,13 +45,8 @@ public class MockAccessControlService implements AccessControlService {
 }
 @Override
- public boolean hasPendingAccessRequests(TenantName tenantName) {
- return false;
- }
-
- @Override
- public boolean hasPreapprovedAccess(TenantName tenantName) {
- return false;
+ public AthenzRoleInformation getAccessRoleInformation(TenantName tenantName) {
+ return new AthenzRoleInformation(new AthenzDomain("test-domain"), "tenant-role", false, false, Optional.empty(), List.of());
 }
 @Override
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 62a999bb7a6..5f567e8b84a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -8,6 +8,7 @@ import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzPolicy;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
+import com.yahoo.vespa.athenz.api.AthenzRoleInformation;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.api.OAuthCredentials;
 import com.yahoo.vespa.athenz.client.zms.RoleAction;
@@ -201,7 +202,7 @@ public class ZmsClientMock implements ZmsClient {
 }
 @Override
- public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzIdentity athenzIdentity, Instant expiry, Optional<String> reason, Optional<OAuthCredentials> oAuthCredentials) {
+ public void decidePendingRoleMembership(AthenzRole athenzRole, AthenzIdentity athenzIdentity, Instant expiry, Optional<String> reason, Optional<OAuthCredentials> oAuthCredentials, boolean approve) {
 }
 @Override
@@ -256,8 +257,8 @@ public class ZmsClientMock implements ZmsClient {
 public void createSubdomain(AthenzDomain parent, String name) {}
 @Override
- public boolean isSelfServeRole(AthenzRole role) {
- return false;
+ public AthenzRoleInformation getFullRoleInformation(AthenzRole role) {
+ return new AthenzRoleInformation(role.domain(), role.roleName(), true, true, Optional.empty(), List.of());
 }
 @Override |