author | Ola Aunrønning <olaa@verizonmedia.com> | 2022-03-14 12:09:25 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-03-14 12:09:25 +0100 |
commit | 6de52d5329f1f9e6187b357e995ed82b59ce3022 (patch) | |
tree | d6c5f3803fc86a7d6702f513bd2183c97dacf178 /controller-api/src/main/java | |
parent | b9527d7d92a6b553430cd48b6a9e934d7f88d1c5 (diff) | |
parent | def6d57968bad732ba7f9445bb83f8f1883d9de7 (diff) |
Merge pull request #21672 from vespa-engine/olaa/get-managed-access-status
Infer managed access through assertion existence
Diffstat (limited to 'controller-api/src/main/java')
3 files changed, 29 insertions, 6 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
index 1dd6eb543ef..f7876f9cddd 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
@@ -21,5 +21,6 @@ public interface AccessControlService {
 boolean requestSshAccess(TenantName tenantName);
 AthenzRoleInformation getAccessRoleInformation(TenantName tenantName);
 void setPreapprovedAccess(TenantName tenantName, boolean preapproved);
+ boolean getPreapprovedAccess(TenantName tenantName);
 Collection<AthenzUser> listMembers();
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 11cace3b10e..317229f9e9a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.athenz;
 import com.yahoo.config.provision.TenantName;
+import com.yahoo.vespa.athenz.api.AthenzAssertion;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzGroup;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
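Review bot: `boolean getPreapprovedAccess(TenantName tenantName);` is added to the interface without Javadoc, so a caller cannot tell what "preapproved" means or that the call can be refused; the Athenz implementation in this same commit throws UnsupportedOperationException when no Vespa ZMS client is configured. A short Javadoc would close that gap, e.g. `/** Returns whether the approver role may already update members of the tenant's ssh access role, i.e. whether access requests need no separate approval. */` followed by `@throws UnsupportedOperationException if the current system cannot answer this`. The neighbouring declarations carry no Javadoc either, so this follows existing style; the interface continues outside the hunk.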
@@ -23,6 +24,7 @@ public class AthenzAccessControlService implements AccessControlService {
 private static final String ALLOWED_OPERATOR_GROUPNAME = "vespa-team";
 private static final String DATAPLANE_ACCESS_ROLENAME = "operator-data-plane";
 private final String TENANT_DOMAIN_PREFIX = "vespa.tenant";
+ private final String ACCESS_APPROVAL_POLICY = "vespa-access-requester";
 private final ZmsClient zmsClient;
 private final AthenzRole dataPlaneAccessRole;
 private final AthenzGroup vespaTeam;
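Review bot: `private final String ACCESS_APPROVAL_POLICY = "vespa-access-requester";` is an instance field carrying a constant's name; the two constants declared just above it are `private static final`, and the value does not depend on the instance. Declaring it `private static final String ACCESS_APPROVAL_POLICY = "vespa-access-requester";` matches them and makes the intent explicit. `TENANT_DOMAIN_PREFIX` has the same shape but predates this change.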
@@ -129,18 +131,26 @@ public class AthenzAccessControlService implements AccessControlService {
 vespaZmsClient.ifPresentOrElse(
 zms -> {
 var role = sshRole(tenantName);
-
- var policyName = "vespa-access-requester";
- var action = "update_members";
- var approverRole = new AthenzRole(role.domain(), "vespa-access-approver");
+ var assertion = getApprovalAssertion(role);
 if (preapprovedAccess) {
- zms.addPolicyRule(role.domain(), policyName, action, role.toResourceName(), approverRole);
+ zms.addPolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
 } else {
- zms.deletePolicyRule(role.domain(), policyName, action, role.toResourceName(), approverRole);
+ zms.deletePolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
 }
 },() -> {
 throw new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance");
 });
 }
+ public boolean getPreapprovedAccess(TenantName tenantName) {
+ return vespaZmsClient.map(
+ zms -> {
+ var role = sshRole(tenantName);
+ var approvalAssertion = getApprovalAssertion(role);
+ return zms.getPolicy(role.domain(), ACCESS_APPROVAL_POLICY)
+ .map(policy -> policy.assertions().stream().anyMatch(assertion -> assertion.satisfies(approvalAssertion)))
+ .orElse(false);
+ }).orElseThrow(() -> new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance") );
+ }
+
 private AthenzRole sshRole(TenantName tenantName) {
 return new AthenzRole(getTenantDomain(tenantName), "ssh_access");
 }
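Review bot: The preapproval answer in `getPreapprovedAccess` rests entirely on `assertion.satisfies(approvalAssertion)` matching the ALLOW assertion that `getApprovalAssertion` builds; `AthenzAssertion.satisfies` is not in this diff, and if it compares only role, resource and action, an explicit DENY assertion on the same triple would also be reported as "preapproved", which is the wrong answer for an access-control gate. Either confirm that `satisfies` takes the effect into account or compare the effect explicitly in the predicate, and record that expectation in a comment above the `anyMatch`. Separately, the new method lacks `@Override` while the MockAccessControlService counterpart in this commit has it, and the message `"Only allowed in systems running Vespa Athenz instance"` is now duplicated between the setter and the getter, so a shared constant or a small helper that produces the exception would keep them in step. The setter whose body the first half of the hunk rewrites begins above the hunk.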
@@ -152,4 +162,11 @@ public class AthenzAccessControlService implements AccessControlService {
 public boolean isVespaTeamMember(AthenzUser user) {
 return zmsClient.getGroupMembership(vespaTeam, user);
 }
+
+ private AthenzAssertion getApprovalAssertion(AthenzRole accessRole) {
+ var approverRole = new AthenzRole(accessRole.domain(), "vespa-access-approver");
+ return AthenzAssertion.newBuilder(approverRole, accessRole.toResourceName(), "update_members")
+ .effect(AthenzAssertion.Effect.ALLOW)
+ .build();
+ }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
index c14ca2bdc80..95ebe3380d4 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
@@ -54,6 +54,11 @@ public class MockAccessControlService implements AccessControlService {
 }
+ @Override
+ public boolean getPreapprovedAccess(TenantName tenant) {
+ return false;
+ }
+
 public void addPendingMember(AthenzUser user) {
 pendingMembers.add(user);
 } |
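Review bot: `getApprovalAssertion` keeps `"vespa-access-approver"` and `"update_members"` as inline literals even though the policy name was lifted to `ACCESS_APPROVAL_POLICY` in this same commit; the three names together define what "preapproved" means, so `private static final String ACCESS_APPROVER_ROLENAME = "vespa-access-approver";` and `private static final String ACCESS_APPROVAL_ACTION = "update_members";` beside the policy constant would keep that definition in one place. A Javadoc on the helper saying that it builds the single ALLOW assertion whose presence in the `ACCESS_APPROVAL_POLICY` policy marks a tenant's ssh access as preapproved, and that both the setter and the getter rely on it, would also make the coupling between the two public methods visible. The class continues outside the hunk.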
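Review bot: `MockAccessControlService.getPreapprovedAccess` unconditionally returns `false`, so the mock can never reflect a preceding `setPreapprovedAccess(tenant, true)` and a test exercising the preapproved path through it would see the wrong answer. If the mock's `setPreapprovedAccess` (only its closing brace is visible as the context line at the top of the hunk) already records the flag, return that; otherwise a `Set<TenantName> preapprovedTenants` maintained by the setter and queried here as `return preapprovedTenants.contains(tenant);` would do. The parameter is named `tenant` here but `tenantName` in the interface and in the Athenz implementation; aligning it is a small readability gain.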