author | Ola Aunrønning <olaa@verizonmedia.com> | 2022-02-10 14:46:57 +0100 |
---|---|---|
committer | Ola Aunrønning <olaa@verizonmedia.com> | 2022-02-10 14:46:57 +0100 |
commit | c419f94e2a0a6b2198a629b29a11b8f667ebd8a3 (patch) | |
tree | 38fe4a4fcd6c8b48e7f169b221c18d05a33e7710 /controller-api | |
parent | 83058612bf2156407f35d56ddf3618ed3c70ce72 (diff) |
Creates tenant domain if not exists
Diffstat (limited to 'controller-api')
2 files changed, 17 insertions, 4 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 906eaa9f506..f157f88967a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -20,7 +20,7 @@ public class AthenzAccessControlService implements AccessControlService {
 private static final String ALLOWED_OPERATOR_GROUPNAME = "vespa-team";
 private static final String DATAPLANE_ACCESS_ROLENAME = "operator-data-plane";
- private final String TENANT_DOMAIN_PREFIX = "vespa.tenant.";
+ private final String TENANT_DOMAIN_PREFIX = "vespa.tenant";
 private final ZmsClient zmsClient;
 private final AthenzRole dataPlaneAccessRole;
 private final AthenzGroup vespaTeam;
@@ -60,6 +60,7 @@ public class AthenzAccessControlService implements AccessControlService {
 /**
 * @return Whether the ssh access role has any pending role membership requests
 */
+ @Override
 public boolean hasPendingAccessRequests(TenantName tenantName) {
 var role = sshRole(tenantName);
 var pendingApprovals = vespaZmsClient.listPendingRoleApprovals(role);
@@ -69,6 +70,7 @@ public class AthenzAccessControlService implements AccessControlService {
 /**
 * @return true if access has been granted - false if already member
 */
+ @Override
 public boolean approveSshAccess(TenantName tenantName, Instant expiry) {
 var role = sshRole(tenantName);
 if (vespaZmsClient.getMembership(role, vespaTeam))
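Review bot: `TENANT_DOMAIN_PREFIX` is still an instance field (`private final String`) although it is named and used as a constant and sits directly under two `private static final` constants; make it `private static final String TENANT_DOMAIN_PREFIX = "vespa.tenant";`. With the trailing dot removed, the same value now serves both as the parent domain handed to `createSubdomain` and as the prefix that `getOrCreateTenantDomain` joins with `"."`, so a one-line comment such as `// Parent Athenz domain; per-tenant domains are its direct subdomains` would keep the two uses from drifting apart. The enclosing class continues outside this hunk.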
@@ -85,6 +87,7 @@ public class AthenzAccessControlService implements AccessControlService {
 /**
 * @return true if access has been requested - false if already member
 */
+ @Override
 public boolean requestSshAccess(TenantName tenantName) {
 var role = sshRole(tenantName);
 if (vespaZmsClient.getMembership(role, vespaTeam))
@@ -94,11 +97,17 @@ public class AthenzAccessControlService implements AccessControlService {
 }
 private AthenzRole sshRole(TenantName tenantName) {
- return new AthenzRole(tenantDomain(tenantName), "ssh_access");
+ return new AthenzRole(getOrCreateTenantDomain(tenantName), "ssh_access");
 }
- private AthenzDomain tenantDomain(TenantName tenantName) {
- return new AthenzDomain(TENANT_DOMAIN_PREFIX + tenantName.value());
+ private AthenzDomain getOrCreateTenantDomain(TenantName tenantName) {
+ var domain = new AthenzDomain(TENANT_DOMAIN_PREFIX + "." + tenantName.value());
+
+ if (vespaZmsClient.getDomainList(domain.getName()).isEmpty()) {
+ vespaZmsClient.createSubdomain(new AthenzDomain(TENANT_DOMAIN_PREFIX), tenantName.value());
+ }
+
+ return domain;
 }
 public boolean isVespaTeamMember(AthenzUser user) {
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 5a3f0825704..63212c9c200 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -255,6 +255,10 @@ public class ZmsClientMock implements ZmsClient {
 public void deleteRole(AthenzRole athenzRole) {
 athenz.domains.get(athenzRole.domain()).roles.removeIf(role -> role.name().equals(athenzRole.roleName()));
 }
+
+ @Override
+ public void createSubdomain(AthenzDomain parent, String name) {}
+
 @Override
 public void close() {} |
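Review bot: Routing `sshRole()` through `getOrCreateTenantDomain` gives every caller of `sshRole` a provisioning side effect, including `hasPendingAccessRequests`, whose Javadoc describes a pure query; a lookup for a tenant with no Athenz domain will now silently create one, and nothing in the hunk logs or audits that creation. I would keep a side-effect-free `tenantDomain()` for the read path and have only the mutating paths (`approveSshAccess`, `requestSshAccess`, both outside this hunk) call `getOrCreateTenantDomain` before building the role, as sketched below. The `getDomainList(...).isEmpty()` check followed by `createSubdomain` is also not atomic, so two concurrent requests for the same tenant can both attempt creation; whether the second attempt throws, and whether that should be tolerated, depends on `ZmsClient` semantics that are not visible here and is worth confirming. Likewise, if `getDomainList` is a prefix listing rather than an exact match, `vespa.tenant.foo` could be masked by an existing `vespa.tenant.foobar`; a short comment stating which behaviour the code relies on would help. The enclosing class continues outside this hunk.
```java
    private AthenzRole sshRole(TenantName tenantName) {
        return new AthenzRole(tenantDomain(tenantName), "ssh_access");
    }

    /** Name of the tenant's Athenz domain; no side effects, safe for read-only queries. */
    private AthenzDomain tenantDomain(TenantName tenantName) {
        return new AthenzDomain(TENANT_DOMAIN_PREFIX + "." + tenantName.value());
    }

    /**
     * Ensures the tenant's Athenz domain exists, creating it as a subdomain of
     * TENANT_DOMAIN_PREFIX if absent. Only call from paths expected to provision.
     * NOTE(review): check-then-create is not atomic; confirm how ZmsClient reports
     * a domain that already exists before relying on this under concurrent calls.
     */
    private AthenzDomain getOrCreateTenantDomain(TenantName tenantName) {
        var domain = tenantDomain(tenantName);
        if (vespaZmsClient.getDomainList(domain.getName()).isEmpty()) {
            vespaZmsClient.createSubdomain(new AthenzDomain(TENANT_DOMAIN_PREFIX), tenantName.value());
        }
        return domain;
    }
    // … unchanged: isVespaTeamMember and the rest of the class …
```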
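Review bot: The new `createSubdomain` stub in `ZmsClientMock` discards both arguments, so a test driving `AthenzAccessControlService` through the mock cannot observe that the domain was created, and the controller's existence check will presumably keep reporting the domain as missing on every call. If the mock's domain registry (`athenz.domains`, visible in `deleteRole`) is what its `getDomainList` consults, recording the subdomain there in this override would let tests assert create-once behaviour; I cannot see that method from this hunk, so confirm before wiring it. At minimum a comment such as `// no-op: tests that need the domain to exist must register it explicitly` would make the limitation explicit. The enclosing class continues outside this hunk.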