author | Ola Aunrønning <olaa@verizonmedia.com> | 2021-02-02 15:49:33 +0100 |
---|---|---|
committer | Ola Aunrønning <olaa@verizonmedia.com> | 2021-02-02 15:49:33 +0100 |
commit | 960022afa54672c004f37539452b6f68301a31a4 (patch) | |
tree | e3194d442b711a84d345bb59a93130a8a9f6c9f0 /controller-server | |
parent | 1da28a5c15fc0d78f461c6466ea83e774a996e4d (diff) |
Change application IAM role flags to tenant IAM role flags
Diffstat (limited to 'controller-server')
3 files changed, 20 insertions, 14 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index 42ac73a61d9..5eb7fb6e03d 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -131,7 +131,6 @@ public class ApplicationController {
     private final ApplicationPackageValidator applicationPackageValidator;
     private final EndpointCertificateManager endpointCertificateManager;
     private final StringFlag dockerImageRepoFlag;
-    private final BooleanFlag provisionApplicationRoles;
     private final BillingController billingController;
 
     ApplicationController(Controller controller, CuratorDb curator, AccessControl accessControl, Clock clock,
@@ -145,7 +144,6 @@ public class ApplicationController {
         this.artifactRepository = controller.serviceRegistry().artifactRepository();
         this.applicationStore = controller.serviceRegistry().applicationStore();
         this.dockerImageRepoFlag = PermanentFlags.DOCKER_IMAGE_REPO.bindTo(flagSource);
-        this.provisionApplicationRoles = Flags.PROVISION_APPLICATION_ROLES.bindTo(flagSource);
         this.billingController = billingController;
 
         deploymentTrigger = new DeploymentTrigger(controller, clock);
@@ -403,15 +401,6 @@ public class ApplicationController {
             endpoints = controller.routing().registerEndpointsInDns(application.get(), job.application().instance(), zone);
 
-            // Provision application roles if enabled for the zone
-            if (provisionApplicationRoles.with(FetchVector.Dimension.ZONE_ID, zone.value()).value()) {
-                try {
-                    applicationRoles = controller.serviceRegistry().roleService().createApplicationRoles(instance.id());
-                } catch (Exception e) {
-                    log.log(Level.SEVERE, "Exception creating application roles for application: " + instance.id(), e);
-                    throw new RuntimeException("Unable to provision iam roles for application");
-                }
-            }
         }
 
         // Release application lock while doing the deployment, which is a lengthy task.
         // Carry out deployment without holding the application lock.
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/Controller.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/Controller.java
index aa5f0ae0fdc..ffe80866086 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/Controller.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/Controller.java
@@ -111,7 +111,7 @@ public class Controller extends AbstractComponent {
         nameServiceForwarder = new NameServiceForwarder(curator);
         jobController = new JobController(this);
         applicationController = new ApplicationController(this, curator, accessControl, clock, secretStore, flagSource, serviceRegistry.billingController());
-        tenantController = new TenantController(this, curator, accessControl);
+        tenantController = new TenantController(this, curator, accessControl, flagSource);
         routingController = new RoutingController(this, Objects.requireNonNull(rotationsConfig, "RotationsConfig cannot be null"));
         auditLogger = new AuditLogger(curator, clock);
         jobControl = new JobControl(new JobControlFlags(curator, flagSource));
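Review bot: The removed block was the only visible assignment to `applicationRoles`; its declaration and whatever consumes it sit outside this hunk, so if nothing else writes it the variable now only ever holds its initial value and the declaration plus its consumer should be removed in the same commit rather than left as dead state. The `FetchVector`, `Level`, `Flags` and `BooleanFlag` imports that served the removed code may likewise be unused in ApplicationController now — worth checking, since the file's import block is not in view. The enclosing method starts and ends outside the hunk.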
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
index 24b9efc3c77..d3992290f20 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
@@ -3,6 +3,10 @@ package com.yahoo.vespa.hosted.controller;
 
 import com.yahoo.config.provision.TenantName;
 import com.yahoo.vespa.curator.Lock;
+import com.yahoo.vespa.flags.BooleanFlag;
+import com.yahoo.vespa.flags.FetchVector;
+import com.yahoo.vespa.flags.FlagSource;
+import com.yahoo.vespa.flags.Flags;
 import com.yahoo.vespa.hosted.controller.api.identifiers.TenantId;
 import com.yahoo.vespa.hosted.controller.athenz.impl.AthenzFacade;
 import com.yahoo.vespa.hosted.controller.concurrent.Once;
@@ -37,11 +41,15 @@ public class TenantController {
     private final Controller controller;
     private final CuratorDb curator;
     private final AccessControl accessControl;
+    private final BooleanFlag provisionTenantRoles;
 
-    public TenantController(Controller controller, CuratorDb curator, AccessControl accessControl) {
+
+    public TenantController(Controller controller, CuratorDb curator, AccessControl accessControl, FlagSource flagSource) {
         this.controller = Objects.requireNonNull(controller, "controller must be non-null");
         this.curator = Objects.requireNonNull(curator, "curator must be non-null");
         this.accessControl = accessControl;
+        this.provisionTenantRoles = Flags.PROVISION_TENANT_ROLES.bindTo(flagSource);
+
         // Update serialization format of all tenants
         Once.after(Duration.ofMinutes(1), () -> {
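Review bot: The new `flagSource` constructor parameter is bound without a null check while `controller` and `curator` two lines above are guarded with `Objects.requireNonNull`; for consistency and a clearer failure at construction time use `this.provisionTenantRoles = Flags.PROVISION_TENANT_ROLES.bindTo(Objects.requireNonNull(flagSource, "flagSource must be non-null"));`. The hunk also adds a `+` blank line directly after the existing blank context line, leaving two consecutive blank lines before the constructor signature; drop the added blank. A short comment on the new field, e.g. `// Gates IAM role creation for new tenants; evaluated per tenant at create()`, would tell a reader why a tenant controller now holds a feature flag. The constructor body continues past the end of the hunk.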
@@ -101,7 +109,16 @@ public class TenantController {
             requireNonExistent(tenantSpec.tenant());
             TenantId.validate(tenantSpec.tenant().value());
             curator.writeTenant(accessControl.createTenant(tenantSpec, controller.clock().instant(), credentials, asList()));
-            controller.serviceRegistry().roleService().createTenantRole(tenantSpec.tenant());
+
+            // Provision tenant role if enabled
+            if (provisionTenantRoles.with(FetchVector.Dimension.TENANT_ID, tenantSpec.tenant().value()).value()) {
+                try {
+                    controller.serviceRegistry().roleService().createTenantRole(tenantSpec.tenant());
+                } catch (Exception e) {
+                    throw new RuntimeException("Unable to create tenant role for tenant: " + tenantSpec.tenant());
+                }
+            }
+
         }
     }
 
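Review bot: The new catch block discards the original exception: `throw new RuntimeException("Unable to create tenant role for tenant: " + tenantSpec.tenant())` never references `e`, so the reason the role service failed is lost from the stack trace and nothing is logged, whereas the block this commit removes from ApplicationController both logged the failure and kept it as a separate statement. Keep the cause: `throw new RuntimeException("Unable to create tenant role for tenant: " + tenantSpec.tenant(), e);`. Note also that `curator.writeTenant(...)` has already run when role creation fails, so a failure leaves a persisted tenant without its IAM role while the exception propagates to the caller; whether that tenant is usable or needs cleanup is not visible here, and the comment above the `if` should say how that partial state is expected to be resolved. The enclosing create() method begins outside the hunk.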