author | Morten Tokle <mortent@verizonmedia.com> | 2021-06-21 08:20:35 +0200 |
committer | Morten Tokle <mortent@verizonmedia.com> | 2021-06-21 08:54:01 +0200 |
commit | 2f5549df2cae55109dbb5a52beeb9c414cb8bd09 (patch) | |
tree | 6fddf76fdeba52ce82b21b7cabbab43e9d445391 /controller-api | |
parent | 04ae3583cb45466bd87e0b23032951740e0ed090 (diff) |
Only approve allowed operators
Diffstat (limited to 'controller-api')
2 files changed, 18 insertions, 0 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 233759f47a7..0be32165916 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.athenz;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzGroup;
 import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.AthenzUser;
 import com.yahoo.vespa.athenz.client.zms.ZmsClient;
@@ -14,18 +15,25 @@ import java.util.stream.Collectors;
 public class AthenzAccessControlService implements AccessControlService {
+ private static final String ALLOWED_OPERATOR_GROUPNAME = "vespa-team";
 private static final String DATAPLANE_ACCESS_ROLENAME = "operator-data-plane";
 private final ZmsClient zmsClient;
 private final AthenzRole dataPlaneAccessRole;
+ private final AthenzGroup vespaTeam;
 public AthenzAccessControlService(ZmsClient zmsClient, AthenzDomain domain) {
 this.zmsClient = zmsClient;
 this.dataPlaneAccessRole = new AthenzRole(domain, DATAPLANE_ACCESS_ROLENAME);
+ this.vespaTeam = new AthenzGroup(domain, ALLOWED_OPERATOR_GROUPNAME);
 }
 @Override
 public boolean approveDataPlaneAccess(AthenzUser user, Instant expiry) {
+ // Can only approve team members, other members must be manually approved
+ if(!isVespaTeamMember(user)) {
+ throw new IllegalArgumentException(String.format("User %s requires manual approval, please contact Vespa team", user.getName()));
+ }
 List<AthenzUser> users = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);
 if (users.contains(user)) {
 zmsClient.approvePendingRoleMembership(dataPlaneAccessRole, user, expiry);
@@ -42,4 +50,8 @@ public class AthenzAccessControlService implements AccessControlService {
 .map(AthenzUser.class::cast)
 .collect(Collectors.toList());
 }
+
+ public boolean isVespaTeamMember(AthenzUser user) {
+ return zmsClient.getGroupMembership(vespaTeam, user);
+ }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index deeecf217e7..ed84a9b0a76 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
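Review bot: The new guard `if(!isVespaTeamMember(user))` in approveDataPlaneAccess omits the space after `if`, unlike the existing `if (users.contains(user))` two lines below it; change it to `if (!isVespaTeamMember(user)) {`. The rejection is raised as IllegalArgumentException, so a caller that maps that type to a bad-request style response would report a non-member as a malformed request rather than a denied one; if the caller distinguishes those cases, a dedicated exception type or at least a Javadoc `@throws IllegalArgumentException if {@code user} is not a member of the allowed operator group` on approveDataPlaneAccess would make the contract explicit. The public `isVespaTeamMember` added in the @@ -42,4 hunk has no Javadoc either; a one-liner such as `/** Returns whether {@code user} is a member of the operator group whose data plane access may be auto-approved. */` would do. approveDataPlaneAccess continues past the end of this hunk.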
@@ -2,6 +2,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.athenz;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzGroup;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
@@ -98,6 +99,11 @@ public class ZmsClientMock implements ZmsClient {
 }
 @Override
+ public boolean getGroupMembership(AthenzGroup group, AthenzIdentity identity) {
+ return false;
+ }
+
+ @Override
 public List<AthenzDomain> getDomainList(String prefix) {
 log("getDomainList()");
 return new ArrayList<>(athenz.domains.keySet()); |
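Review bot: getGroupMembership in ZmsClientMock returns false for every group and identity, so with this mock the new approval gate in AthenzAccessControlService can never pass and the approve path cannot be exercised by tests that use it; the stub also skips the `log(...)` call its sibling getDomainList makes. At minimum, log the call and mark the stub as a placeholder: `log("getGroupMembership()");` followed by `return false; // TODO: make membership configurable so the approval path can be tested`. Whether an existing test depends on the always-denied outcome is not visible from this hunk.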