Change application IAM role flags to tenant IAM role flags

author: Ola Aunrønning <olaa@verizonmedia.com> 2021-02-02 15:49:33 +0100
committer: Ola Aunrønning <olaa@verizonmedia.com> 2021-02-02 15:49:33 +0100
commit: 960022afa54672c004f37539452b6f68301a31a4 (patch)
tree: e3194d442b711a84d345bb59a93130a8a9f6c9f0 /controller-server
parent: 1da28a5c15fc0d78f461c6466ea83e774a996e4d (diff)
3 files changed, 20 insertions, 14 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
index 42ac73a61d9..5eb7fb6e03d 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/ApplicationController.java
@@ -131,7 +131,6 @@ public class ApplicationController {
     private final ApplicationPackageValidator applicationPackageValidator;
     private final EndpointCertificateManager endpointCertificateManager;
     private final StringFlag dockerImageRepoFlag;
-    private final BooleanFlag provisionApplicationRoles;
     private final BillingController billingController;
 
     ApplicationController(Controller controller, CuratorDb curator, AccessControl accessControl, Clock clock,
@@ -145,7 +144,6 @@ public class ApplicationController {
         this.artifactRepository = controller.serviceRegistry().artifactRepository();
         this.applicationStore = controller.serviceRegistry().applicationStore();
         this.dockerImageRepoFlag = PermanentFlags.DOCKER_IMAGE_REPO.bindTo(flagSource);
-        this.provisionApplicationRoles = Flags.PROVISION_APPLICATION_ROLES.bindTo(flagSource);
         this.billingController = billingController;
 
         deploymentTrigger = new DeploymentTrigger(controller, clock);
@@ -403,15 +401,6 @@ public class ApplicationController {
 
                 endpoints = controller.routing().registerEndpointsInDns(application.get(), job.application().instance(), zone);
 
-                // Provision application roles if enabled for the zone
-                if (provisionApplicationRoles.with(FetchVector.Dimension.ZONE_ID, zone.value()).value()) {
-                    try {
-                        applicationRoles = controller.serviceRegistry().roleService().createApplicationRoles(instance.id());
-                    } catch (Exception e) {
-                        log.log(Level.SEVERE, "Exception creating application roles for application: " + instance.id(), e);
-                        throw new RuntimeException("Unable to provision iam roles for application");
-                    }
-                }
             } // Release application lock while doing the deployment, which is a lengthy task.
 
             // Carry out deployment without holding the application lock.
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/Controller.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/Controller.java
index aa5f0ae0fdc..ffe80866086 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/Controller.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/Controller.java
@@ -111,7 +111,7 @@ public class Controller extends AbstractComponent {
         nameServiceForwarder = new NameServiceForwarder(curator);
         jobController = new JobController(this);
         applicationController = new ApplicationController(this, curator, accessControl, clock, secretStore, flagSource, serviceRegistry.billingController());
-        tenantController = new TenantController(this, curator, accessControl);
+        tenantController = new TenantController(this, curator, accessControl, flagSource);
         routingController = new RoutingController(this, Objects.requireNonNull(rotationsConfig, "RotationsConfig cannot be null"));
         auditLogger = new AuditLogger(curator, clock);
         jobControl = new JobControl(new JobControlFlags(curator, flagSource));
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
index 24b9efc3c77..d3992290f20 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
@@ -3,6 +3,10 @@ package com.yahoo.vespa.hosted.controller;
 
 import com.yahoo.config.provision.TenantName;
 import com.yahoo.vespa.curator.Lock;
+import com.yahoo.vespa.flags.BooleanFlag;
+import com.yahoo.vespa.flags.FetchVector;
+import com.yahoo.vespa.flags.FlagSource;
+import com.yahoo.vespa.flags.Flags;
 import com.yahoo.vespa.hosted.controller.api.identifiers.TenantId;
 import com.yahoo.vespa.hosted.controller.athenz.impl.AthenzFacade;
 import com.yahoo.vespa.hosted.controller.concurrent.Once;
@@ -37,11 +41,15 @@ public class TenantController {
     private final Controller controller;
     private final CuratorDb curator;
     private final AccessControl accessControl;
+    private final BooleanFlag provisionTenantRoles;
 
-    public TenantController(Controller controller, CuratorDb curator, AccessControl accessControl) {
+
+    public TenantController(Controller controller, CuratorDb curator, AccessControl accessControl, FlagSource flagSource) {
         this.controller = Objects.requireNonNull(controller, "controller must be non-null");
         this.curator = Objects.requireNonNull(curator, "curator must be non-null");
         this.accessControl = accessControl;
+        this.provisionTenantRoles = Flags.PROVISION_TENANT_ROLES.bindTo(flagSource);
+
 
         // Update serialization format of all tenants
         Once.after(Duration.ofMinutes(1), () -> {
@@ -101,7 +109,16 @@ public class TenantController {
             requireNonExistent(tenantSpec.tenant());
             TenantId.validate(tenantSpec.tenant().value());
             curator.writeTenant(accessControl.createTenant(tenantSpec, controller.clock().instant(), credentials, asList()));
-            controller.serviceRegistry().roleService().createTenantRole(tenantSpec.tenant());
+
+            // Provision tenant role if enabled
+            if (provisionTenantRoles.with(FetchVector.Dimension.TENANT_ID, tenantSpec.tenant().value()).value()) {
+                try {
+                    controller.serviceRegistry().roleService().createTenantRole(tenantSpec.tenant());
+                } catch (Exception e) {
+                    throw new RuntimeException("Unable to create tenant role for tenant: " + tenantSpec.tenant());
+                }
+            }
+
         }
     }
author	Ola Aunrønning <olaa@verizonmedia.com>	2021-02-02 15:49:33 +0100
committer	Ola Aunrønning <olaa@verizonmedia.com>	2021-02-02 15:49:33 +0100
commit	960022afa54672c004f37539452b6f68301a31a4 (patch)
tree	e3194d442b711a84d345bb59a93130a8a9f6c9f0 /controller-server
parent	1da28a5c15fc0d78f461c6466ea83e774a996e4d (diff)