author | Jon Marius Venstad <venstad@gmail.com> | 2020-02-25 15:59:11 +0100 |
committer | Jon Marius Venstad <venstad@gmail.com> | 2020-02-25 15:59:11 +0100 |
commit | a0e14da8a3439ab1d96ecfc11a5c544555cef15c (patch) | |
tree | fa98ac503a6ea64191859d3f52fc7cd076f5a865 /controller-server | |
parent | 948b2067b93fc3634583cc5545daec4c4fd3b0b4 (diff) |
Cache ZMS has-access lookups as well
Diffstat (limited to 'controller-server')
2 files changed, 24 insertions, 6 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 0b45d828407..6c32ef89ae9 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -3,7 +3,6 @@ package com.yahoo.vespa.hosted.controller.athenz.impl;
 import com.google.common.cache.CacheBuilder;
 import com.google.common.cache.CacheLoader;
-import com.google.common.cache.LoadingCache;
 import com.google.inject.Inject;
 import com.yahoo.config.provision.ApplicationName;
 import com.yahoo.config.provision.TenantName;
@@ -41,6 +40,7 @@ import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.TimeUnit;
 import java.util.function.Function;
+import java.util.function.Predicate;
 import java.util.logging.Logger;
 import java.util.stream.Collectors;
@@ -55,6 +55,7 @@ public class AthenzFacade implements AccessControl {
     private final ZtsClient ztsClient;
     private final AthenzIdentity service;
     private final Function<AthenzIdentity, List<AthenzDomain>> userDomains;
+    private final Predicate<AccessTuple> accessRights;
     @Inject
     public AthenzFacade(AthenzClientFactory factory) {
@@ -66,6 +67,11 @@ public class AthenzFacade implements AccessControl {
                 .expireAfterWrite(1, TimeUnit.MINUTES)
                 .build(CacheLoader.from(this::getUserDomains))::getUnchecked
             : this::getUserDomains;
+        this.accessRights = factory.cacheZtsUserDomains()
+            ? CacheBuilder.newBuilder()
+                .expireAfterWrite(1, TimeUnit.MINUTES)
+                .build(CacheLoader.from(this::lookupAccess))::getUnchecked
+            : this::lookupAccess;
     }
     private List<AthenzDomain> getUserDomains(AthenzIdentity userIdentity) {
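Review bot: The new `accessRights` cache in the constructor hunk is switched by `factory.cacheZtsUserDomains()`, whose name describes the ZTS user-domain cache, while what is cached here is a ZMS authorization decision; if one switch is meant to govern both caches, a comment at the assignment should say so, otherwise a dedicated toggle would be clearer. Caching an access decision also means that a right revoked or granted in ZMS keeps returning the previously computed answer, for denials as well as grants, for up to the one-minute `expireAfterWrite`; that is worth stating at the new field, e.g. `// Cached ZMS access decisions; may lag a change in ZMS by up to a minute.` When the cache is active, any exception thrown by lookupAccess surfaces from `getUnchecked` wrapped in Guava's UncheckedExecutionException instead of directly, as is already the case for userDomains, so callers that catch a specific type from zmsClient.hasAccess may need a look — I cannot see those callers from here. The constructor starts outside this hunk.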
@@ -260,8 +266,12 @@ public class AthenzFacade implements AccessControl {
     }
     private boolean hasAccess(String action, String resource, AthenzIdentity identity) {
-        log("getAccess(action=%s, resource=%s, principal=%s)", action, resource, identity);
-        return zmsClient.hasAccess(AthenzResourceName.fromString(resource), action, identity);
+        return accessRights.test(new AccessTuple(resource, action, identity));
+    }
+
+    private boolean lookupAccess(AccessTuple tuple) {
+        log("getAccess(action=%s, resource=%s, principal=%s)", tuple.action, tuple.resource, tuple.identity);
+        return zmsClient.hasAccess(AthenzResourceName.fromString(tuple.resource), tuple.action, tuple.identity);
     }
     private static void log(String format, Object... args) {
@@ -287,4 +297,15 @@ public class AthenzFacade implements AccessControl {
         _modify_
     }
+    private static class AccessTuple {
+        private final String resource;
+        private final String action;
+        private final AthenzIdentity identity;
+        private AccessTuple(String resource, String action, AthenzIdentity identity) {
+            this.resource = resource;
+            this.action = action;
+            this.identity = identity;
+        }
+    }
+
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index ba974521278..3ccab581ab0 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
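Review bot: `AccessTuple` in the last AthenzFacade hunk defines neither `equals` nor `hashCode`, so it is compared by identity; since hasAccess builds a fresh tuple on every call, the Guava cache keyed by it will never produce a hit, ZMS is still queried each time, and every miss leaves an entry behind until the one-minute expiry, so the cache only adds memory pressure. The tuple needs value equality over resource, action and identity, as below; this relies on AthenzIdentity implementing equals/hashCode, which I cannot confirm from this diff, and on `java.util.Objects` being imported, which the import hunk does not show. A short class comment such as `// Cache key for ZMS access lookups; value equality is required for cache hits.` would stop the next edit from dropping it again.
```java
    private static class AccessTuple {
        // … unchanged: fields and constructor …

        @Override
        public boolean equals(Object o) {
            if (this == o) return true;
            if ( ! (o instanceof AccessTuple)) return false;
            AccessTuple that = (AccessTuple) o;
            return Objects.equals(resource, that.resource)
                && Objects.equals(action, that.action)
                && Objects.equals(identity, that.identity);
        }

        @Override
        public int hashCode() {
            return Objects.hash(resource, action, identity);
        }
    }
```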
@@ -78,9 +78,6 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
         path.matches("/application/v4/tenant/{tenant}/application/{application}/{*}");
         Optional<ApplicationName> application = Optional.ofNullable(path.get("application")).map(ApplicationName::from);
-        path.matches("/application/v4/tenant/{tenant}/application/{application}/instance/{instance}/{*}");
-        Optional<InstanceName> instance = Optional.ofNullable(path.get("instance")).map(InstanceName::from);
-
         AthenzIdentity identity = principal.getIdentity();
         Set<Role> roleMemberships = new HashSet<>();