author | Jon Marius Venstad <venstad@gmail.com> | 2019-10-25 09:43:37 +0200 |
---|---|---|
committer | Jon Marius Venstad <venstad@gmail.com> | 2019-11-05 09:17:58 +0100 |
commit | 9b680ebad5edcaf47293bb371507093cd37e6e11 (patch) | |
tree | 0a91b80b34cc09dfca011085bc86ba1ef37e2b69 /controller-server | |
parent | b488286422f60248a50f8508ddd2f727bbb6d10e (diff) |
No more deprecated athenz domain or service usages
Diffstat (limited to 'controller-server')
3 files changed, 49 insertions, 38 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index 7c718518129..71cfc679ca7 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -945,50 +945,61 @@ public class ApplicationController { public void verifyApplicationIdentityConfiguration(TenantName tenantName, ApplicationPackage applicationPackage, Optional<Principal> deployer) { verifyAllowedLaunchAthenzService(applicationPackage.deploymentSpec()); - applicationPackage.deploymentSpec().athenzDomain().ifPresent(identityDomain -> { - Tenant tenant = controller.tenants().require(tenantName); - deployer.filter(AthenzPrincipal.class::isInstance) - .map(AthenzPrincipal.class::cast) - .map(AthenzPrincipal::getIdentity) - .filter(AthenzUser.class::isInstance) - .ifPresentOrElse(user -> { - if ( ! ((AthenzFacade) accessControl).hasTenantAdminAccess(user, new AthenzDomain(identityDomain.value()))) - throw new IllegalArgumentException("User " + user.getFullName() + " is not allowed to launch " + - "services in Athenz domain " + identityDomain.value() + ". " + - "Please reach out to the domain admin."); - }, - () -> { - if (tenant.type() != Tenant.Type.athenz) - throw new IllegalArgumentException("Athenz domain defined in deployment.xml, but no " + - "Athenz domain for tenant " + tenantName.value()); - - AthenzDomain tenantDomain = ((AthenzTenant) tenant).domain(); - if ( ! Objects.equals(tenantDomain.getName(), identityDomain.value())) - throw new IllegalArgumentException("Athenz domain in deployment.xml: [" + identityDomain.value() + "] " + - "must match tenant domain: [" + tenantDomain.getName() + "]"); - }); - }); + Tenant tenant = controller.tenants().require(tenantName); + Stream.concat(applicationPackage.deploymentSpec().athenzDomain().stream(), + applicationPackage.deploymentSpec().instances().stream() + .flatMap(spec -> spec.athenzDomain().stream())) + .distinct() + .forEach(identityDomain -> { + deployer.filter(AthenzPrincipal.class::isInstance) + .map(AthenzPrincipal.class::cast) + .map(AthenzPrincipal::getIdentity) + .filter(AthenzUser.class::isInstance) + .ifPresentOrElse(user -> { + if ( ! 
((AthenzFacade) accessControl).hasTenantAdminAccess(user, new AthenzDomain(identityDomain.value()))) + throw new IllegalArgumentException("User " + user.getFullName() + " is not allowed to launch " + + "services in Athenz domain " + identityDomain.value() + ". " + + "Please reach out to the domain admin."); + }, + () -> { + if (tenant.type() != Tenant.Type.athenz) + throw new IllegalArgumentException("Athenz domain defined in deployment.xml, but no " + + "Athenz domain for tenant " + tenantName.value()); + + AthenzDomain tenantDomain = ((AthenzTenant) tenant).domain(); + if ( ! Objects.equals(tenantDomain.getName(), identityDomain.value())) + throw new IllegalArgumentException("Athenz domain in deployment.xml: [" + identityDomain.value() + "] " + + "must match tenant domain: [" + tenantDomain.getName() + "]"); + }); + }); } /* * Verifies that the configured athenz service (if any) can be launched. */ private void verifyAllowedLaunchAthenzService(DeploymentSpec deploymentSpec) { - deploymentSpec.athenzDomain().ifPresent(athenzDomain -> { - controller.zoneRegistry().zones().reachable().ids() - .forEach(zone -> { - AthenzIdentity configServerAthenzIdentity = controller.zoneRegistry().getConfigServerHttpsIdentity(zone); - deploymentSpec.athenzService(zone.environment(), zone.region()) - .map(service -> new AthenzService(athenzDomain.value(), service.value())) - .ifPresent(service -> { - boolean allowedToLaunch = ((AthenzFacade) accessControl).canLaunch(configServerAthenzIdentity, service); - if (!allowedToLaunch) - throw new IllegalArgumentException("Not allowed to launch Athenz service " + service.getFullName()); - }); - }); + controller.zoneRegistry().zones().reachable().ids().forEach(zone -> { + AthenzIdentity configServerAthenzIdentity = controller.zoneRegistry().getConfigServerHttpsIdentity(zone); + deploymentSpec.athenzDomain().ifPresent(domain -> { + deploymentSpec.athenzService().ifPresent(service -> { + 
verifyAthenzServiceCanBeLaunchedBy(configServerAthenzIdentity, new AthenzService(domain.value(), service.value())); + }); + }); + deploymentSpec.instances().forEach(spec -> { + spec.athenzDomain().ifPresent(domain -> { + spec.athenzService(zone.environment(), zone.region()).ifPresent(service -> { + verifyAthenzServiceCanBeLaunchedBy(configServerAthenzIdentity, new AthenzService(domain.value(), service.value())); + }); + }); + }); }); } + private void verifyAthenzServiceCanBeLaunchedBy(AthenzIdentity configServerAthenzIdentity, AthenzService athenzService) { + if ( ! ((AthenzFacade) accessControl).canLaunch(configServerAthenzIdentity, athenzService)) + throw new IllegalArgumentException("Not allowed to launch Athenz service " + athenzService.getFullName()); + } + /** Returns the latest known version within the given major. */ private Optional<Version> lastCompatibleVersion(int targetMajorVersion) { return controller.versionStatus().versions().stream()
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunner.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunner.java
index 9df0dff3966..ce5a2a8dd21 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunner.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunner.java
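Review bot: In `verifyApplicationIdentityConfiguration`, `Tenant tenant = controller.tenants().require(tenantName);` now runs before the stream, whereas the old code only resolved the tenant inside `athenzDomain().ifPresent(...)`; if `require` throws for an unknown tenant (the name suggests so, the implementation is not in the hunk), packages that declare no Athenz domain at any level gain a new failure path, and moving the lookup inside the `forEach` lambda would keep the old laziness. The `.distinct()` over the concatenated deployment- and instance-level domains relies on the domain type's `equals`/`hashCode`; worth confirming it is a value type so a domain declared at both levels is checked once rather than twice. Note also that `verifyAllowedLaunchAthenzService` now checks the deployment-level service via the zone-less `deploymentSpec.athenzService()` but the instance-level one via `spec.athenzService(zone.environment(), zone.region())`; if that asymmetry is intended, a one-line comment saying deployment-level services have no per-zone override would prevent it being "fixed" later. `verifyApplicationIdentityConfiguration` has no Javadoc; a header such as `/** Verifies that every Athenz domain declared in deployment.xml (deployment- or instance-level) is either administered by the deploying user, or equal to the Athenz tenant's own domain. */` would make the two branches discoverable.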
@@ -657,7 +657,8 @@ public class InternalStepRunner implements StepRunner { .orElse(zone.region().value().contains("aws-") ? DEFAULT_TESTER_RESOURCES_AWS : DEFAULT_TESTER_RESOURCES)); byte[] testPackage = controller.applications().applicationStore().getTester(id.application().tenant(), id.application().application(), version); - byte[] deploymentXml = deploymentXml(spec.athenzDomain(), spec.athenzService(zone.environment(), zone.region())); + byte[] deploymentXml = deploymentXml(spec.requireInstance(id.application().instance()).athenzDomain(), + spec.requireInstance(id.application().instance()).athenzService(zone.environment(), zone.region())); try (ZipBuilder zipBuilder = new ZipBuilder(testPackage.length + servicesXml.length + 1000)) { zipBuilder.add(testPackage);
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunnerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunnerTest.java
index d50399c6c78..2320ca41b49 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunnerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/deployment/InternalStepRunnerTest.java
@@ -95,8 +95,7 @@ public class InternalStepRunnerTest { .application(app.testerId().id(), JobType.stagingTest.zone(system())).get() .applicationPackage().deploymentSpec(); assertEquals("domain", spec.athenzDomain().get().value()); - ZoneId zone = JobType.stagingTest.zone(system()); - assertEquals("service", spec.athenzService(zone.environment(), zone.region()).get().value()); + assertEquals("service", spec.athenzService().get().value()); } @Test |
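Review bot: `spec.requireInstance(id.application().instance())` is evaluated twice in the new `deploymentXml(...)` call; hoisting it into a local avoids the repeated lookup and reads more clearly, e.g. `var instance = spec.requireInstance(id.application().instance());` followed by `byte[] deploymentXml = deploymentXml(instance.athenzDomain(), instance.athenzService(zone.environment(), zone.region()));` (use the instance spec's concrete type instead of `var` if the module targets Java below 10). `requireInstance` presumably throws when the instance is not declared in the spec; if so, building the tester package now fails for an undeclared instance where it previously used the deployment-level values, which may well be intended but deserves a short comment at the call site. The enclosing method starts and ends outside the hunk.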