authorJon Marius Venstad <jonmv@users.noreply.github.com>2019-04-05 13:56:01 +0200
committerGitHub <noreply@github.com>2019-04-05 13:56:01 +0200
commite8b38ecd5e02a3358c3c5fd62f6750ce61915c7e (patch)
tree01c7df0f20c4bf805999840e335fa12d9de70a31 /controller-server
parent747114c0f7835bf9a3e47a19e924856227efde8d (diff)
parentc997139134c747ad41803b4d1c9fabe5e37a4716 (diff)
Merge pull request #9031 from vespa-engine/jvenstad/user-management
Jvenstad/user management
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java2
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java61
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControlRequests.java2
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java1
4 files changed, 49 insertions, 17 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
index 19148a6c9bd..d1a6e39a1dd 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
@@ -61,7 +61,7 @@ public class TenantController {
.collect(Collectors.toList());
}
- /** Returns the lsit of tenants accessible to the given user. */
+ /** Returns the list of tenants accessible to the given user. */
public List<Tenant> asList(Credentials credentials) {
return accessControl.accessibleTenants(asList(), credentials);
}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java
index 67d7a02a915..d1806fb5747 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControl.java
@@ -2,10 +2,17 @@ package com.yahoo.vespa.hosted.controller.security;
import com.google.inject.Inject;
import com.yahoo.config.provision.ApplicationId;
+import com.yahoo.config.provision.ApplicationName;
import com.yahoo.config.provision.TenantName;
import com.yahoo.vespa.hosted.controller.Application;
import com.yahoo.vespa.hosted.controller.api.integration.organization.BillingInfo;
import com.yahoo.vespa.hosted.controller.api.integration.organization.Marketplace;
+import com.yahoo.vespa.hosted.controller.api.integration.user.RoleId;
+import com.yahoo.vespa.hosted.controller.api.integration.user.UserId;
+import com.yahoo.vespa.hosted.controller.api.integration.user.UserManagement;
+import com.yahoo.vespa.hosted.controller.api.role.ApplicationRole;
+import com.yahoo.vespa.hosted.controller.api.role.Roles;
+import com.yahoo.vespa.hosted.controller.api.role.TenantRole;
import com.yahoo.vespa.hosted.controller.tenant.CloudTenant;
import com.yahoo.vespa.hosted.controller.tenant.Tenant;
@@ -19,21 +26,28 @@ import java.util.List;
public class CloudAccessControl implements AccessControl {
private final Marketplace marketplace;
+ private final UserManagement userManagement;
+ private final Roles roles;
@Inject
- public CloudAccessControl(Marketplace marketplace) {
+ public CloudAccessControl(Marketplace marketplace, UserManagement userManagement, Roles roles) {
this.marketplace = marketplace;
+ this.userManagement = userManagement;
+ this.roles = roles;
}
@Override
public CloudTenant createTenant(TenantSpec tenantSpec, Credentials credentials, List<Tenant> existing) {
CloudTenantSpec spec = (CloudTenantSpec) tenantSpec;
+ CloudTenant tenant = new CloudTenant(spec.tenant(), new BillingInfo("customer", "Vespa"));
+ // CloudTenant tenant new CloudTenant(spec.tenant(), marketplace.resolveCustomer(spec.getRegistrationToken()));
+ // TODO Enable the above when things work.
- // Do things ...
+ RoleId ownerRole = RoleId.fromRole(roles.tenantOwner(spec.tenant()));
+ userManagement.createRole(ownerRole);
+ userManagement.addUsers(ownerRole, List.of(new UserId(credentials.user().getName())));
- // return new CloudTenant(spec.tenant(), marketplace.resolveCustomer(spec.getRegistrationToken()));
- // TODO Enable the above when things work.
- return new CloudTenant(spec.tenant(), new BillingInfo("customer", "Vespa"));
+ return tenant;
}
@Override
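Review bot: The owner role is created and the caller's user added to it (the `createRole`/`addUsers` calls) before the tenant is handed back, and nothing in `createTenant` consults `existing` for a name collision, so a creation that is later rejected or fails to persist (the persisting step is inferred, not visible here) leaves an owner role behind in user management; checking `existing` for `spec.tenant()` first, or making the role creation tolerant of an already-present role, would avoid the orphan. The commented-out replacement line kept above the TODO is missing an `=` (`CloudTenant tenant new CloudTenant(...)`), so it cannot simply be uncommented when the TODO is resolved; either correct it to `CloudTenant tenant = new CloudTenant(spec.tenant(), marketplace.resolveCustomer(spec.getRegistrationToken()));` or drop the dead line. `credentials.user()` is also dereferenced in the `addUsers` call; if it can be absent for this path, a `Objects.requireNonNull(credentials.user(), "credentials.user")` before the role calls would fail clearly instead of midway through role setup.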
@@ -43,31 +57,48 @@ public class CloudAccessControl implements AccessControl {
@Override
public void deleteTenant(TenantName tenant, Credentials credentials) {
-
// Probably terminate customer subscription?
- // Delete tenant group
-
+ tenantRoles(tenant).stream()
+ .map(RoleId::fromRole)
+ .filter(userManagement.listRoles()::contains)
+ .forEach(userManagement::deleteRole);
}
@Override
public void createApplication(ApplicationId application, Credentials credentials) {
-
- // Create application group?
-
+ RoleId ownerRole = RoleId.fromRole(roles.applicationOwner(application.tenant(), application.application()));
+ userManagement.createRole(ownerRole);
+ userManagement.addUsers(ownerRole, List.of(new UserId(credentials.user().getName())));
}
@Override
public void deleteApplication(ApplicationId id, Credentials credentials) {
-
- // Delete application group?
-
+ applicationRoles(id.tenant(), id.application()).stream()
+ .map(RoleId::fromRole)
+ .filter(userManagement.listRoles()::contains)
+ .forEach(userManagement::deleteRole);
}
@Override
public List<Tenant> accessibleTenants(List<Tenant> tenants, Credentials credentials) {
- // Get credential things (token with roles or something) and check what it's good for.
+ // TODO: Get credential things (token with roles or something) and check what it's good for.
+ // TODO ... or ignore this here, and compute it somewhere else.
return Collections.emptyList();
}
+ private List<TenantRole> tenantRoles(TenantName tenant) {
+ return List.of(roles.tenantOperator(tenant),
+ roles.tenantAdmin(tenant),
+ roles.tenantOwner(tenant));
+ }
+
+ private List<ApplicationRole> applicationRoles(TenantName tenant, ApplicationName application) {
+ return List.of(roles.applicationReader(tenant, application),
+ roles.applicationDeveloper(tenant, application),
+ roles.applicationOperator(tenant, application),
+ roles.applicationAdmin(tenant, application),
+ roles.applicationOwner(tenant, application));
+ }
+
}
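Review bot: `deleteTenant` and `deleteApplication` never read their `credentials` parameter, while `createApplication` uses it to assign the owner; if deletion is authorized before this class is reached, a comment such as `// Authorization is not checked here; callers must verify the credentials beforehand` would keep a reader from treating these methods as an authorization point, and if it is not, that check is missing. The two delete methods repeat the same pipeline (`.map(RoleId::fromRole).filter(userManagement.listRoles()::contains).forEach(userManagement::deleteRole)`); a private helper taking the mapped ids, e.g. `private void deleteExistingRoles(List<RoleId> candidates)`, would keep the two in sync, and its Javadoc could state that `deleteTenant` only removes the tenant-level roles, since whether the application roles under that tenant are removed elsewhere is not visible here. The surviving `// Probably terminate customer subscription?` in `deleteTenant` reads as an open question; marking it `// TODO` would match the style used in `accessibleTenants`.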
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControlRequests.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControlRequests.java
index 631d4debe88..ea931616211 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControlRequests.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/security/CloudAccessControlRequests.java
@@ -20,7 +20,7 @@ public class CloudAccessControlRequests implements AccessControlRequests {
@Override
public Credentials credentials(TenantName tenant, Inspector requestObject, HttpRequest request) {
- // TODO Pick out JWT data and return a specialised credentials thing.
+ // TODO Include roles, if this is to be used for displaying accessible data.
return new Credentials(request.getUserPrincipal());
}
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java
index ddc8d68e08b..c21d4b4b0bf 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/ControllerContainerTest.java
@@ -95,6 +95,7 @@ public class ControllerContainerTest {
" <component id='com.yahoo.vespa.hosted.controller.integration.ApplicationStoreMock'/>\n" +
" <component id='com.yahoo.vespa.hosted.controller.api.integration.stubs.MockTesterCloud'/>\n" +
" <component id='com.yahoo.vespa.hosted.controller.api.integration.stubs.MockMailer'/>\n" +
+ " <component id='com.yahoo.vespa.hosted.controller.api.role.Roles'/>\n" +
" <component id='com.yahoo.vespa.hosted.controller.security.AthenzAccessControlRequests'/>\n" +
" <component id='com.yahoo.vespa.hosted.controller.athenz.impl.AthenzFacade'/>\n" +
" <handler id='com.yahoo.vespa.hosted.controller.restapi.application.ApplicationApiHandler'>\n" +