authorEirik Nygaard <eirik.nygaard@yahooinc.com>2022-05-24 15:45:46 +0200
committerEirik Nygaard <eirik.nygaard@yahooinc.com>2022-05-25 09:44:24 +0200
commit340bdc4f860e934f1a3eb11084661c13900bdb28 (patch)
tree9ef962234315ec43f78e5d896eb5d25a04bbc8df /controller-api
parent3f3507a56dfafe8e3eea8500ce36584642c71434 (diff)
Use ArchiveAccess instead of directly accessing AWS IAM role
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/archive/ArchiveService.java5
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/archive/MockArchiveService.java18
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/tenant/CloudTenant.java9
3 files changed, 13 insertions, 19 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/archive/ArchiveService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/archive/ArchiveService.java
index 389d815249d..46e7fb48553 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/archive/ArchiveService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/archive/ArchiveService.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.archive;
import com.yahoo.config.provision.TenantName;
import com.yahoo.config.provision.zone.ZoneId;
+import com.yahoo.vespa.hosted.controller.tenant.ArchiveAccess;
import java.net.URI;
import java.util.Map;
@@ -18,9 +19,7 @@ public interface ArchiveService {
ArchiveBucket createArchiveBucketFor(ZoneId zoneId);
- void updateBucketPolicy(ZoneId zoneId, ArchiveBucket bucket, Map<TenantName, String> authorizeIamRoleByTenantName);
-
- void updateKeyPolicy(ZoneId zoneId, String keyArn, Set<String> tenantAuthorizedIamRoles);
+ void updatePolicies(ZoneId zoneId, Set<ArchiveBucket> buckets, Map<TenantName,ArchiveAccess> authorizeAccessByTenantName);
boolean canAddTenantToBucket(ZoneId zoneId, ArchiveBucket bucket);
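Review bot: The new `updatePolicies` declaration has no Javadoc, and because it is an authorization-affecting call whose semantics are not obvious from the signature, callers need to know whether it merges or replaces the existing bucket and key policies. The mock in MockArchiveService overwrites its whole state on each call, which suggests replacement, but that is an inference from the mock rather than from this hunk, so confirm it against the real implementation. I would add, above the method: `/** Replaces the access policies of the given archive buckets in this zone so that exactly the tenants in authorizeAccessByTenantName are granted access; a tenant absent from the map loses access. Must be called with every bucket of the zone. */`, adjusted if the implementation merges instead. A note that `buckets` is expected to be the complete set for the zone would also make clear why the old per-bucket and per-key methods were collapsed into one.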
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/archive/MockArchiveService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/archive/MockArchiveService.java
index 1db003f8067..a2847439ce7 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/archive/MockArchiveService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/archive/MockArchiveService.java
@@ -3,9 +3,11 @@ package com.yahoo.vespa.hosted.controller.api.integration.archive;
import com.yahoo.config.provision.TenantName;
import com.yahoo.config.provision.zone.ZoneId;
+import com.yahoo.vespa.hosted.controller.tenant.ArchiveAccess;
import java.net.URI;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
@@ -16,8 +18,10 @@ import java.util.TreeMap;
*/
public class MockArchiveService implements ArchiveService {
- public Map<ArchiveBucket, Map<TenantName, String>> authorizedIamRolesForBucket = new HashMap<>();
- public Map<String, Set<String>> authorizedIamRolesForKey = new TreeMap<>();
+
+ public Set<ArchiveBucket> archiveBuckets = new HashSet<>();
+ public Map<TenantName, ArchiveAccess> authorizeAccessByTenantName = new HashMap<>();
+
@Override
public ArchiveBucket createArchiveBucketFor(ZoneId zoneId) {
@@ -25,13 +29,9 @@ public class MockArchiveService implements ArchiveService {
}
@Override
- public void updateBucketPolicy(ZoneId zoneId, ArchiveBucket bucket, Map<TenantName, String> authorizeIamRoleByTenantName) {
- authorizedIamRolesForBucket.put(bucket, authorizeIamRoleByTenantName);
- }
-
- @Override
- public void updateKeyPolicy(ZoneId zoneId, String keyArn, Set<String> tenantAuthorizedIamRoles) {
- authorizedIamRolesForKey.put(keyArn, tenantAuthorizedIamRoles);
+ public void updatePolicies(ZoneId zoneId, Set<ArchiveBucket> buckets, Map<TenantName, ArchiveAccess> authorizeAccessByTenantName) {
+ this.archiveBuckets = new HashSet<>(buckets);
+ this.authorizeAccessByTenantName = new HashMap<>(authorizeAccessByTenantName);
}
@Override
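Review bot: `updatePolicies` in the mock discards `zoneId`, so a second call for a different zone silently overwrites the buckets and tenant access recorded for the first one; a test that exercises policy updates across two zones would then only observe the last call. The previous mock methods ignored the zone as well, but the new method now also replaces the whole state rather than adding to it, which makes the loss of information more visible. If any test asserts per-zone policies, consider keying the two fields introduced in the fields hunk of this file by zone (e.g. `Map<ZoneId, Set<ArchiveBucket>>` and `Map<ZoneId, Map<TenantName, ArchiveAccess>>`) and writing `archiveBucketsByZone.put(zoneId, Set.copyOf(buckets));` and `accessByZone.put(zoneId, Map.copyOf(authorizeAccessByTenantName));` here; if no test needs that, a one-line comment such as `// zoneId is ignored: the mock tracks a single zone` on the method would document the limitation.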
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/tenant/CloudTenant.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/tenant/CloudTenant.java
index 953468a28a7..54924b9c456 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/tenant/CloudTenant.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/tenant/CloudTenant.java
@@ -57,11 +57,6 @@ public class CloudTenant extends Tenant {
return info;
}
- /** An iam role which is allowed to access the S3 (log, dump) archive) */
- public Optional<String> archiveAccessRole() {
- return archiveAccess.awsRole();
- }
-
/** Returns the set of developer keys and their corresponding developers for this tenant. */
public BiMap<PublicKey, Principal> developerKeys() { return developerKeys; }
@@ -71,10 +66,10 @@ public class CloudTenant extends Tenant {
}
/**
- * Returns archive access archive bucket access string
+ * Role or member that is allowed to access archive bucket (log, dump)
*
* For AWS is this the IAM role
- * For GCP it is a Google Workspace group
+ * For GCP it is a GCP member
*/
public ArchiveAccess archiveAccess() {
return archiveAccess;