authorJon Marius Venstad <venstad@gmail.com>2020-02-25 15:59:11 +0100
committerJon Marius Venstad <venstad@gmail.com>2020-02-25 15:59:11 +0100
commita0e14da8a3439ab1d96ecfc11a5c544555cef15c (patch)
treefa98ac503a6ea64191859d3f52fc7cd076f5a865 /controller-server
parent948b2067b93fc3634583cc5545daec4c4fd3b0b4 (diff)
Cache ZMS has-access lookups as well
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java27
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java3
2 files changed, 24 insertions, 6 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 0b45d828407..6c32ef89ae9 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -3,7 +3,6 @@ package com.yahoo.vespa.hosted.controller.athenz.impl;
import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
-import com.google.common.cache.LoadingCache;
import com.google.inject.Inject;
import com.yahoo.config.provision.ApplicationName;
import com.yahoo.config.provision.TenantName;
@@ -41,6 +40,7 @@ import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
+import java.util.function.Predicate;
import java.util.logging.Logger;
import java.util.stream.Collectors;
@@ -55,6 +55,7 @@ public class AthenzFacade implements AccessControl {
private final ZtsClient ztsClient;
private final AthenzIdentity service;
private final Function<AthenzIdentity, List<AthenzDomain>> userDomains;
+ private final Predicate<AccessTuple> accessRights;
@Inject
public AthenzFacade(AthenzClientFactory factory) {
@@ -66,6 +67,11 @@ public class AthenzFacade implements AccessControl {
.expireAfterWrite(1, TimeUnit.MINUTES)
.build(CacheLoader.from(this::getUserDomains))::getUnchecked
: this::getUserDomains;
+ this.accessRights = factory.cacheZtsUserDomains()
+ ? CacheBuilder.newBuilder()
+ .expireAfterWrite(1, TimeUnit.MINUTES)
+ .build(CacheLoader.from(this::lookupAccess))::getUnchecked
+ : this::lookupAccess;
}
private List<AthenzDomain> getUserDomains(AthenzIdentity userIdentity) {
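Review bot: The new `accessRights` cache is built with `expireAfterWrite` but no `maximumSize`, and unlike the `userDomains` cache above it (keyed by identity only) its key space is identity × action × resource, so a burst of distinct authorization checks inside the one-minute window grows the map without bound; add `.maximumSize(...)` next to `.expireAfterWrite(1, TimeUnit.MINUTES)` on the new builder. The cache is also gated on `factory.cacheZtsUserDomains()` although it fronts a ZMS call, which deserves either a dedicated flag or a comment explaining the reuse. Since both grant and deny answers are now held for up to a minute, state that where the cache is built, e.g. `// Caches ZMS decisions per (resource, action, identity); a policy change may take up to the expiry to be observed`. The constructor this belongs to starts before the hunk.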
@@ -260,8 +266,12 @@ public class AthenzFacade implements AccessControl {
}
private boolean hasAccess(String action, String resource, AthenzIdentity identity) {
- log("getAccess(action=%s, resource=%s, principal=%s)", action, resource, identity);
- return zmsClient.hasAccess(AthenzResourceName.fromString(resource), action, identity);
+ return accessRights.test(new AccessTuple(resource, action, identity));
+ }
+
+ private boolean lookupAccess(AccessTuple tuple) {
+ log("getAccess(action=%s, resource=%s, principal=%s)", tuple.action, tuple.resource, tuple.identity);
+ return zmsClient.hasAccess(AthenzResourceName.fromString(tuple.resource), tuple.action, tuple.identity);
}
private static void log(String format, Object... args) {
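Review bot: The `log("getAccess(...)")` line has moved into `lookupAccess`, so it now fires only on a cache miss rather than on every `hasAccess` call; if that line is relied on for tracing which principal was checked against which resource, most checks will no longer appear once the cache is effective. Either keep a log statement in `hasAccess` as well, or document the change, e.g. `// Logged only on cache miss; cached decisions are not re-logged`.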
@@ -287,4 +297,15 @@ public class AthenzFacade implements AccessControl {
_modify_
}
+ private static class AccessTuple {
+ private final String resource;
+ private final String action;
+ private final AthenzIdentity identity;
+ private AccessTuple(String resource, String action, AthenzIdentity identity) {
+ this.resource = resource;
+ this.action = action;
+ this.identity = identity;
+ }
+ }
+
}
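Review bot: `AccessTuple` overrides neither `equals` nor `hashCode`, yet `hasAccess` allocates a fresh instance per call and uses it as the key of a Guava `LoadingCache`; with identity equality every lookup is a miss, so the cache never serves a hit and merely retains each tuple until its one-minute expiry, which is memory growth with no benefit. The fix is to define value equality over the three fields, which also presumes `AthenzIdentity` has a value-based `equals`/`hashCode` (not visible here; confirm). `Objects.hash` below needs `java.util.Objects` in the import list if it is not already there.

```java
    private static class AccessTuple {
        // … unchanged: fields and constructor …

        @Override
        public boolean equals(Object other) {
            if (this == other) return true;
            if ( ! (other instanceof AccessTuple)) return false;
            AccessTuple that = (AccessTuple) other;
            return resource.equals(that.resource)
                   && action.equals(that.action)
                   && identity.equals(that.identity);
        }

        @Override
        public int hashCode() {
            return Objects.hash(resource, action, identity);
        }
    }
```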
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index ba974521278..3ccab581ab0 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -78,9 +78,6 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
path.matches("/application/v4/tenant/{tenant}/application/{application}/{*}");
Optional<ApplicationName> application = Optional.ofNullable(path.get("application")).map(ApplicationName::from);
- path.matches("/application/v4/tenant/{tenant}/application/{application}/instance/{instance}/{*}");
- Optional<InstanceName> instance = Optional.ofNullable(path.get("instance")).map(InstanceName::from);
-
AthenzIdentity identity = principal.getIdentity();
Set<Role> roleMemberships = new HashSet<>();