author | Ola Aunrønning <olaa@verizonmedia.com> | 2022-02-17 11:16:20 +0100 |
committer | Ola Aunrønning <olaa@verizonmedia.com> | 2022-02-17 11:16:20 +0100 |
commit | 34e6b29949cdcecbd2f421dec70239ec62dee5a0 (patch) | |
tree | 83a9ca9c8ccf91c0b55ca36d19de45ac23d70c64 /controller-api | |
parent | 8ed6b4614210da06a249bd510f14a9905590ec2f (diff) |
Consider role existence
Diffstat (limited to 'controller-api')
-rw-r--r-- | controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index f157f88967a..b01f6bb5208 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -63,6 +63,8 @@ public class AthenzAccessControlService implements AccessControlService {
     @Override
     public boolean hasPendingAccessRequests(TenantName tenantName) {
         var role = sshRole(tenantName);
+        if (!vespaZmsClient.listRoles(role.domain()).contains(role))
+            return false;
         var pendingApprovals = vespaZmsClient.listPendingRoleApprovals(role);
         return pendingApprovals.containsKey(vespaTeam);
     }
@@ -73,6 +75,10 @@ public class AthenzAccessControlService implements AccessControlService {
     @Override
     public boolean approveSshAccess(TenantName tenantName, Instant expiry) {
         var role = sshRole(tenantName);
+
+        if (!vespaZmsClient.listRoles(role.domain()).contains(role))
+            vespaZmsClient.createRole(role, Map.of());
+
         if (vespaZmsClient.getMembership(role, vespaTeam))
             return false;
 
@@ -90,8 +96,13 @@ public class AthenzAccessControlService implements AccessControlService {
     @Override
     public boolean requestSshAccess(TenantName tenantName) {
         var role = sshRole(tenantName);
+
+        if (!vespaZmsClient.listRoles(role.domain()).contains(role))
+            vespaZmsClient.createRole(role, Map.of());
+
         if (vespaZmsClient.getMembership(role, vespaTeam))
             return false;
+
         vespaZmsClient.addRoleMember(role, vespaTeam, Optional.empty());
         return true;
     }
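Review bot: The new guard in hasPendingAccessRequests decides role existence with `vespaZmsClient.listRoles(role.domain()).contains(role)`, so it silently depends on the element type returned by listRoles having value equality with the object returned by `sshRole(tenantName)`; that type is not visible in the hunk, and if it differs or lacks a proper `equals`, the check is always false and every tenant reports no pending requests. The same expression is repeated in approveSshAccess and requestSshAccess in the next two hunks, so it belongs in one private helper such as `roleExists(role)` wrapping that call, with a one-line Javadoc stating that it lists the whole domain to answer a single lookup. Listing every role in the domain for one existence test is also the costlier option if the ZMS client exposes a direct role lookup, which I cannot confirm from here.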
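Review bot: approveSshAccess creates the role when it is absent and then continues toward approval, whereas hasPendingAccessRequests in the previous hunk treats an absent role as having nothing pending; a role that did not exist a moment earlier cannot hold a pending membership for vespaTeam, so on this path the code is provisioning roles rather than approving requests. Replacing the `vespaZmsClient.createRole(role, Map.of());` line here with `return false;` keeps the two methods consistent and confines role creation to requestSshAccess, where a request is actually initiated. Both this hunk and requestSshAccess create the role with `Map.of()`, i.e. with no attributes; if the ssh role is expected to carry settings such as review or expiry requirements, an auto-created role will lack them, so either pass them at creation or add a comment explaining why an empty attribute map is intended. The listRoles-then-createRole sequence is check-then-act, so two concurrent calls for the same tenant can both reach createRole; whether ZMS treats a second create as idempotent or as an error is not visible here and deserves a comment or explicit handling. The body of approveSshAccess continues past the end of this hunk.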