author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-07-05 17:21:20 +0200 |
---|---|---|
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-07-05 17:21:20 +0200 |
commit | be4d31b70c0cb186b87aae95fa2ccb392d39b9cc (patch) | |
tree | 06f14a4a5dd9162899ab8e27832e0ee21afb78f6 /controller-server | |
parent | 20d413cee8e3c7553101187f6778d214fe8c7708 (diff) |
Remove ZtsClient in controller-api/controller-server
- Replace old ZtsClient with new one from vespa-athenz module
- Add getControllerIdentity() to AthenzClientFactory
- Remove dependency on athenz-zts-java-client
Diffstat (limited to 'controller-server')
6 files changed, 85 insertions, 98 deletions
diff --git a/controller-server/pom.xml b/controller-server/pom.xml
index 93204845fbe..66fefd6f2fe 100644
--- a/controller-server/pom.xml
+++ b/controller-server/pom.xml
@@ -174,31 +174,6 @@
 </exclusions>
 </dependency>
- <dependency>
- <groupId>com.yahoo.athenz</groupId>
- <artifactId>athenz-zts-java-client</artifactId>
- <scope>compile</scope>
- <exclusions>
- <exclusion>
- <groupId>org.slf4j</groupId>
- <artifactId>slf4j-api</artifactId>
- </exclusion>
- <!--Exclude all Jackson bundles provided by JDisc -->
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-core</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-databind</artifactId>
- </exclusion>
- <exclusion>
- <groupId>com.fasterxml.jackson.core</groupId>
- <artifactId>jackson-annotations</artifactId>
- </exclusion>
- </exclusions>
- </dependency>
-
 <!-- test -->
 <dependency>
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
index bd746a2fa8d..228ca01e764 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
@@ -5,6 +5,7 @@ import com.yahoo.config.provision.TenantName;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzUser;
 import com.yahoo.vespa.athenz.api.NToken;
+import com.yahoo.vespa.athenz.client.zts.ZtsClient;
 import com.yahoo.vespa.curator.Lock;
 import com.yahoo.vespa.hosted.controller.api.identifiers.UserId;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
@@ -69,12 +70,13 @@ public class TenantController {
 /** Returns a list of all tenants accessible by the given user */
 public List<Tenant> asList(UserId user) {
 AthenzUser athenzUser = AthenzUser.fromUserId(user.id());
- Set<AthenzDomain> userDomains = new HashSet<>(athenzClientFactory.createZtsClientWithServicePrincipal()
- .getTenantDomainsForUser(athenzUser));
- return asList().stream()
- .filter(tenant -> isUser(tenant, user) ||
- userDomains.stream().anyMatch(domain -> inDomain(tenant, domain)))
- .collect(Collectors.toList());
+ try (ZtsClient ztsClient = athenzClientFactory.createZtsClientWithServicePrincipal()) {
+ Set<AthenzDomain> userDomains = new HashSet<>(ztsClient.getTenantDomains(athenzClientFactory.getControllerIdentity(), athenzUser, "admin"));
+ return asList().stream()
+ .filter(tenant -> isUser(tenant, user) ||
+ userDomains.stream().anyMatch(domain -> inDomain(tenant, domain)))
+ .collect(Collectors.toList());
+ }
 }
 /** Create an user tenant with given username */
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
index 159a4f11619..633c0470080 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzClientFactoryImpl.java
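Review bot: The role name `"admin"` on the new `ztsClient.getTenantDomains(...)` line is an inline literal, and it is the value that decides which ZTS tenant-role membership makes a tenant visible to a user, so it should be a named class-level constant rather than a magic string: `private static final String TENANT_ADMIN_ROLE = "admin";` and `ztsClient.getTenantDomains(athenzClientFactory.getControllerIdentity(), athenzUser, TENANT_ADMIN_ROLE)`. That call line is also very long; breaking the arguments across lines keeps the try-with-resources block readable. Note too that a ZTS client is now created and closed on every `asList(UserId)` call, which is presumably a fresh connection each time — fine for correctness, but worth a one-line comment if it is intentional. `asList(UserId)` is entirely within the hunk; the class fields where the constant would go are outside it.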
@@ -8,16 +8,19 @@ import com.yahoo.athenz.auth.impl.SimplePrincipal;
 import com.yahoo.athenz.auth.token.PrincipalToken;
 import com.yahoo.athenz.auth.util.Crypto;
 import com.yahoo.athenz.zms.ZMSClient;
-import com.yahoo.athenz.zts.ZTSClient;
 import com.yahoo.container.jdisc.secretstore.SecretStore;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.api.NToken;
+import com.yahoo.vespa.athenz.client.zts.DefaultZtsClient;
+import com.yahoo.vespa.athenz.client.zts.ZtsClient;
 import com.yahoo.vespa.athenz.identity.ServiceIdentityProvider;
 import com.yahoo.vespa.athenz.utils.AthenzIdentities;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsClient;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
 import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
+import java.net.URI;
 import java.security.PrivateKey;
 /**
@@ -38,6 +41,11 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory {
 this.athenzPrincipalAuthority = new AthenzPrincipalAuthority(config.principalHeaderName());
 }
+ @Override
+ public AthenzIdentity getControllerIdentity() {
+ return identityProvider.identity();
+ }
+
 /**
 * @return A ZMS client instance with the service identity as principal.
 */
@@ -51,7 +59,7 @@ public class AthenzClientFactoryImpl implements AthenzClientFactory {
 */
 @Override
 public ZtsClient createZtsClientWithServicePrincipal() {
- return new ZtsClientImpl(new ZTSClient(config.ztsUrl(), identityProvider.getIdentitySslContext()), config);
+ return new DefaultZtsClient(URI.create(config.ztsUrl()), identityProvider);
 }
 /**
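Review bot: `URI.create(config.ztsUrl())` in the new `createZtsClientWithServicePrincipal` line re-parses the configured URL on every call and turns a malformed `ztsUrl` into an `IllegalArgumentException` at the first tenant lookup rather than at startup. Parsing it once in the constructor makes a bad configuration fail early: add `private final URI ztsUrl;`, assign `this.ztsUrl = URI.create(config.ztsUrl());` in the constructor, and `return new DefaultZtsClient(ztsUrl, identityProvider);` here; only the tail of the constructor is visible, in the second hunk. In the import hunk of the same file, `AthenzService` is added but no line visible in these three hunks uses it — if nothing outside the hunks does either, the import should go.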
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java
deleted file mode 100644
index c3ed8f0a99f..00000000000
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZtsClientImpl.java
+++ /dev/null
@@ -1,59 +0,0 @@
-// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
-package com.yahoo.vespa.hosted.controller.athenz.impl;
-
-import com.yahoo.athenz.zts.TenantDomains;
-import com.yahoo.athenz.zts.ZTSClient;
-import com.yahoo.athenz.zts.ZTSClientException;
-import com.yahoo.log.LogLevel;
-import com.yahoo.vespa.athenz.api.AthenzDomain;
-import com.yahoo.vespa.athenz.api.AthenzIdentity;
-import com.yahoo.vespa.athenz.api.AthenzService;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsException;
-import com.yahoo.vespa.hosted.controller.athenz.config.AthenzConfig;
-
-import java.util.List;
-import java.util.function.Supplier;
-import java.util.logging.Logger;
-
-import static java.util.stream.Collectors.toList;
-
-/**
- * @author bjorncs
- */
-public class ZtsClientImpl implements ZtsClient {
-
- private static final Logger log = Logger.getLogger(ZtsClientImpl.class.getName());
-
- private final ZTSClient ztsClient;
- private final AthenzService service;
-
- public ZtsClientImpl(ZTSClient ztsClient, AthenzConfig config) {
- this.ztsClient = ztsClient;
- this.service = new AthenzService(config.domain(), config.service().name());
- }
-
- @Override
- public List<AthenzDomain> getTenantDomainsForUser(AthenzIdentity identity) {
- return getOrThrow(() -> {
- log.log(LogLevel.DEBUG, String.format(
- "getTenantDomains(domain=%s, identity=%s, rolename=admin, service=%s)",
- service.getDomain().getName(), identity.getFullName(), service.getFullName()));
- TenantDomains domains = ztsClient.getTenantDomains(
- service.getDomain().getName(), identity.getFullName(), "admin", service.getName());
- return domains.getTenantDomainNames().stream()
- .map(AthenzDomain::new)
- .collect(toList());
- });
- }
-
- private static <T> T getOrThrow(Supplier<T> wrappedCode) {
- try {
- return wrappedCode.get();
- } catch
(ZTSClientException e) {
- log.warning("Error from Athenz: " + e.getMessage());
- throw new ZtsException(e.getCode(), e);
- }
- }
-
-}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzClientFactoryMock.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzClientFactoryMock.java
index f7939422170..6f829113016 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzClientFactoryMock.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzClientFactoryMock.java
@@ -3,10 +3,12 @@ package com.yahoo.vespa.hosted.controller.athenz.mock;
 import com.google.inject.Inject;
 import com.yahoo.component.AbstractComponent;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.api.NToken;
+import com.yahoo.vespa.athenz.client.zts.ZtsClient;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZmsClient;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -34,6 +36,11 @@ public class AthenzClientFactoryMock extends AbstractComponent implements Athenz
 }
 @Override
+ public AthenzIdentity getControllerIdentity() {
+ return new AthenzService("vespa.hosting");
+ }
+
+ @Override
 public ZmsClient createZmsClientWithServicePrincipal() {
 log("createZmsClientWithServicePrincipal()");
 return new ZmsClientMock(athenz);
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java
index 4aa1c2b93a5..8b3fb3ca47e 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZtsClientMock.java
@@ -3,8 +3,17 @@ package com.yahoo.vespa.hosted.controller.athenz.mock;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ZtsClient;
+import com.yahoo.vespa.athenz.api.AthenzRole;
+import com.yahoo.vespa.athenz.api.AthenzService;
+import com.yahoo.vespa.athenz.api.ZToken;
+import com.yahoo.vespa.athenz.client.zts.Identity;
+import com.yahoo.vespa.athenz.client.zts.InstanceIdentity;
+import com.yahoo.vespa.athenz.client.zts.ZtsClient;
+import com.yahoo.vespa.athenz.tls.Pkcs10Csr;
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+import java.time.Duration;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -24,12 +33,57 @@ public class ZtsClientMock implements ZtsClient {
 }
 @Override
- public List<AthenzDomain> getTenantDomainsForUser(AthenzIdentity identity) {
- log.log(Level.INFO, "getTenantDomainsForUser(principal='%s')", identity);
+ public List<AthenzDomain> getTenantDomains(AthenzIdentity providerIdentity, AthenzIdentity userIdentity, String roleName) {
+ log.log(Level.INFO, String.format("getTenantDomains(providerIdentity='%s', userIdentity='%s', roleName='%s')",
+ providerIdentity.getFullName(), userIdentity.getFullName(), roleName));
 return athenz.domains.values().stream()
- .filter(domain -> domain.tenantAdmins.contains(identity) || domain.admins.contains(identity))
+ .filter(domain -> domain.tenantAdmins.contains(userIdentity) || domain.admins.contains(userIdentity))
 .map(domain -> domain.name)
 .collect(toList());
 }
+ @Override
+ public InstanceIdentity registerInstance(AthenzService providerIdentity, AthenzService instanceIdentity, String instanceId, String attestationData, boolean requestServiceToken, Pkcs10Csr csr) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public InstanceIdentity refreshInstance(AthenzService providerIdentity, AthenzService instanceIdentity, String instanceId, boolean requestServiceToken, Pkcs10Csr csr) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public Identity getServiceIdentity(AthenzService identity, String keyId, Pkcs10Csr csr) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public Identity getServiceIdentity(AthenzService identity, String keyId, KeyPair keyPair, String dnsSuffix) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public ZToken getRoleToken(AthenzDomain domain) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public ZToken getRoleToken(AthenzRole athenzRole) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public X509Certificate getRoleCertificate(AthenzRole role, Duration expiry, KeyPair
keyPair, String cloud) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public X509Certificate getRoleCertificate(AthenzRole role, KeyPair keyPair, String cloud) {
+ throw new UnsupportedOperationException();
+ }
+
+ @Override
+ public void close() {
+
+ }
 }
|
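Review bot: The mock's new `getTenantDomains` ignores both `providerIdentity` and `roleName` and matches a user whenever it is in `domain.tenantAdmins` or `domain.admins`, so a test cannot rely on it to distinguish roles; that should be stated above the filter, e.g. `// Mock ignores providerIdentity and roleName: any tenant admin or domain admin of a domain matches`. The stubbed methods throw a bare `UnsupportedOperationException`; naming the method in the message, `throw new UnsupportedOperationException("registerInstance");`, gives a test that accidentally reaches one a readable failure. The empty `close()` with a blank line inside reads as unfinished; `public void close() {}` with `// nothing to release in the mock` says what is meant.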