authorMorten Tokle <mortent@verizonmedia.com>2021-06-21 09:30:37 +0200
committerGitHub <noreply@github.com>2021-06-21 09:30:37 +0200
commitffe4d32487382b2b4e4650a3e0476fc11a0ff7bb (patch)
tree0709d8b8132f3886bb4c04af6fa4c2fb9c691b2f /controller-api
parent7c371a9d9bdd24c3bd321d5c290baa8ca12653a5 (diff)
parent2f5549df2cae55109dbb5a52beeb9c414cb8bd09 (diff)
Merge pull request #18326 from vespa-engine/mortent/approve-allowed-only
Only approve allowed operators
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java12
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java6
2 files changed, 18 insertions, 0 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 233759f47a7..0be32165916 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -3,6 +3,7 @@
package com.yahoo.vespa.hosted.controller.api.integration.athenz;
import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzGroup;
import com.yahoo.vespa.athenz.api.AthenzRole;
import com.yahoo.vespa.athenz.api.AthenzUser;
import com.yahoo.vespa.athenz.client.zms.ZmsClient;
@@ -14,18 +15,25 @@ import java.util.stream.Collectors;
public class AthenzAccessControlService implements AccessControlService {
+ private static final String ALLOWED_OPERATOR_GROUPNAME = "vespa-team";
private static final String DATAPLANE_ACCESS_ROLENAME = "operator-data-plane";
private final ZmsClient zmsClient;
private final AthenzRole dataPlaneAccessRole;
+ private final AthenzGroup vespaTeam;
public AthenzAccessControlService(ZmsClient zmsClient, AthenzDomain domain) {
this.zmsClient = zmsClient;
this.dataPlaneAccessRole = new AthenzRole(domain, DATAPLANE_ACCESS_ROLENAME);
+ this.vespaTeam = new AthenzGroup(domain, ALLOWED_OPERATOR_GROUPNAME);
}
@Override
public boolean approveDataPlaneAccess(AthenzUser user, Instant expiry) {
+ // Can only approve team members, other members must be manually approved
+ if(!isVespaTeamMember(user)) {
+ throw new IllegalArgumentException(String.format("User %s requires manual approval, please contact Vespa team", user.getName()));
+ }
List<AthenzUser> users = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);
if (users.contains(user)) {
zmsClient.approvePendingRoleMembership(dataPlaneAccessRole, user, expiry);
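Review bot: The new guard at the top of approveDataPlaneAccess is written `if(!isVespaTeamMember(user))`, while the existing check two lines below uses `if (users.contains(user))`; keep the file's spacing, `if (!isVespaTeamMember(user)) {`. The constant is named ALLOWED_OPERATOR_GROUPNAME, but the field and the predicate are named after the concrete group (`vespaTeam`, `isVespaTeamMember`), so changing the allowed group later would leave misleading names; `allowedOperators` and `isAllowedOperator` would match the constant and the PR title. Evaluating the group check before the pending-approval list is read is the right order: a user outside the group never touches the role, and an exception from getGroupMembership propagates and so also fails closed, provided the caller does not swallow it. approveDataPlaneAccess's body continues past the end of the hunk.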
@@ -42,4 +50,8 @@ public class AthenzAccessControlService implements AccessControlService {
.map(AthenzUser.class::cast)
.collect(Collectors.toList());
}
+
+ public boolean isVespaTeamMember(AthenzUser user) {
+ return zmsClient.getGroupMembership(vespaTeam, user);
+ }
}
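Review bot: isVespaTeamMember is a new public method without Javadoc, and since it exposes a ZMS group-membership lookup as part of the service's API it should say what it decides: `/** Returns whether {@code user} is a member of the {@code ALLOWED_OPERATOR_GROUPNAME} group in this service's Athenz domain, as reported by ZMS. */`. If only approveDataPlaneAccess needs it, a private method would keep the class's surface to the AccessControlService contract; that interface is outside this diff, so I cannot tell whether the method is meant to be part of it.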
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index deeecf217e7..ed84a9b0a76 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -2,6 +2,7 @@
package com.yahoo.vespa.hosted.controller.api.integration.athenz;
import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzGroup;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzResourceName;
import com.yahoo.vespa.athenz.api.AthenzRole;
@@ -98,6 +99,11 @@ public class ZmsClientMock implements ZmsClient {
}
@Override
+ public boolean getGroupMembership(AthenzGroup group, AthenzIdentity identity) {
+ return false;
+ }
+
+ @Override
public List<AthenzDomain> getDomainList(String prefix) {
log("getDomainList()");
return new ArrayList<>(athenz.domains.keySet());
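Review bot: The mock's getGroupMembership returns false for every group and identity, so any test driving approveDataPlaneAccess through this mock now throws before reaching the approval path and the allow-list behaviour added in this PR cannot be exercised in either direction. Backing it with a mutable membership map, in the way the mock already tracks domains via `athenz.domains`, would let tests cover both the accepted and the rejected case, e.g. `return groupMembers.getOrDefault(group, Set.of()).contains(identity);` together with a small helper to register members. The neighbouring method records its invocation with `log("getDomainList()");`; the new override does not, so add `log("getGroupMembership()");` to keep the mock's call trace consistent.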