author | Jon Marius Venstad <venstad@gmail.com> | 2020-03-24 10:02:41 +0100 |
committer | Jon Marius Venstad <venstad@gmail.com> | 2020-03-24 10:02:41 +0100 |
commit | 4a63d2244a39342f941a2b1bb3e6af6b2e4fa72e (patch) | |
tree | bc8bcd80a65821903b9c28a07a2e14e0509f737e /controller-server | |
parent | 76a82eeed23094e0f2b70b1325115b8b1e521904 (diff) |
Remove cleanup-code for user tenants
Diffstat (limited to 'controller-server')
5 files changed, 11 insertions, 22 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
index ae905d2b209..f64d79a2b80 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
@@ -46,13 +46,8 @@ public class TenantController {
 Instant start = controller.clock().instant();
 int count = 0;
 for (TenantName name : curator.readTenantNames()) {
- if (name.value().startsWith(Tenant.userPrefix)) // TODO jonmv: Remove after run once.
-
- curator.removeTenant(name);
- else {
- lockIfPresent(name, LockedTenant.class, this::store);
- count++;
- }
+ lockIfPresent(name, LockedTenant.class, this::store);
+ count++;
 }
 log.log(Level.INFO, String.format("Wrote %d tenants in %s", count, Duration.between(start, controller.clock().instant())));
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/TenantSerializer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/TenantSerializer.java
index 9df87ab4c12..d4d5f4deb7b 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/TenantSerializer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/TenantSerializer.java
@@ -108,7 +108,6 @@ public class TenantSerializer {
 switch (type) {
 case athenz: return athenzTenantFrom(tenantObject);
- case user: return null; // TODO jonmv: Remove when run once.
 case cloud: return cloudTenantFrom(tenantObject);
 default: throw new IllegalArgumentException("Unexpected tenant type '" + type + "'.");
 }
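Review bot: With the cleanup branch gone, the loop in the new TenantController hunk hands every name from `curator.readTenantNames()` to lockIfPresent, while the TenantSerializer hunk at @@ -108 drops the `case user: return null;` fallback and the @@ -190 hunk drops the `"user"` case in typeOf, so any user-prefixed tenant record still in the store would presumably now throw `IllegalArgumentException("Unknown tenant type 'user'.")` from typeOf and abort this write loop before the remaining tenants are stored. The diff cannot show whether the one-shot removal has already run in every environment, so this is only safe if that is confirmed; otherwise a guard such as `if (name.value().startsWith(Tenant.userPrefix)) { log.log(Level.WARNING, "Skipping legacy user tenant " + name); continue; }` keeps the loop alive, assuming Tenant.userPrefix survives this commit. A short comment above the loop stating that user tenants are no longer expected in the store would make the assumption visible to the next reader. The enclosing method starts before the hunk.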
@@ -190,7 +189,6 @@ public class TenantSerializer {
 private static Tenant.Type typeOf(String value) {
 switch (value) {
 case "athenz": return Tenant.Type.athenz;
- case "user": return Tenant.Type.user;
 case "cloud": return Tenant.Type.cloud;
 default: throw new IllegalArgumentException("Unknown tenant type '" + value + "'.");
 }
@@ -199,7 +197,6 @@ public class TenantSerializer {
 private static String valueOf(Tenant.Type type) {
 switch (type) {
 case athenz: return "athenz";
- case user: return "user";
 case cloud: return "cloud";
 default: throw new IllegalArgumentException("Unexpected tenant type '" + type + "'.");
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 4ae3c38bdf2..afe8d156d00 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -100,22 +100,20 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
 }));
 futures.add(executor.submit(() -> {
- // Add all tenants that are accessible for this request
- athenz.accessibleTenants(tenants.asList(), new Credentials(principal))
- .forEach(accessibleTenant -> roleMemberships.add(Role.athenzTenantAdmin(accessibleTenant.name())));
+ // Add all tenants that are accessible for this request
+ athenz.accessibleTenants(tenants.asList(), new Credentials(principal))
+ .forEach(accessibleTenant -> roleMemberships.add(Role.athenzTenantAdmin(accessibleTenant.name())));
 }));
 if (identity.getDomain().equals(SCREWDRIVER_DOMAIN) && application.isPresent() && tenant.isPresent())
- // NOTE: Only fine-grained deploy authorization for Athenz tenants
 futures.add(executor.submit(() -> {
- if ( tenant.get().type() != Tenant.Type.athenz
- || hasDeployerAccess(identity, ((AthenzTenant) tenant.get()).domain(), application.get()))
- roleMemberships.add(Role.buildService(tenant.get().name(), application.get()));
+ if (hasDeployerAccess(identity, ((AthenzTenant) tenant.get()).domain(), application.get()))
+ roleMemberships.add(Role.buildService(tenant.get().name(), application.get()));
 }));
 futures.add(executor.submit(() -> {
- if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/false))
- roleMemberships.add(Role.systemFlagsDeployer());
+ if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/false))
+ roleMemberships.add(Role.systemFlagsDeployer());
 }));
 // Run last request in handler thread to avoid creating extra thread.
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/Tenant.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/Tenant.java
index d18318e5dcd..bac43517f1a 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/Tenant.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/Tenant.java
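Review bot: In the new buildService branch, `(AthenzTenant) tenant.get()` is cast without the `tenant.get().type() != Tenant.Type.athenz` guard the removed lines had, so a Screwdriver identity targeting a cloud tenant now ends in a ClassCastException inside the submitted task instead of an explicit authorization decision. That is fail-closed, which is stricter than the old unconditional grant for non-Athenz tenants, but whether the exception becomes a request failure or is silently dropped depends on how the futures are awaited, which lies outside the hunk. Make the decision explicit and self-documenting: `if (tenant.get().type() == Tenant.Type.athenz && hasDeployerAccess(identity, ((AthenzTenant) tenant.get()).domain(), application.get()))`, with a comment such as `// Build-service access is granted only for Athenz tenants, and only after a deployer-access check` in place of the removed NOTE. The other changed lines in this hunk are indentation only, which makes the access-control change harder to spot in review. The enclosing method starts and ends outside the hunk.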
@@ -64,9 +64,6 @@ public abstract class Tenant {
 /** Tenant authenticated through Athenz. */
 athenz,
- /** Tenant authenticated through Okta, as a user. */
- user, // TODO jonmv: Remove.
- /** Tenant authenticated through some cloud identity provider. */
 cloud
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
index c83961e315a..fd0981e8427 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
@@ -183,9 +183,11 @@ public class ApplicationApiTest extends ControllerContainerTest {
 // PUT a user tenant — does nothing
 tester.assertResponse(request("/application/v4/user", PUT).userIdentity(USER_ID), "");
+ // GET the authenticated user which now exists (with associated tenants)
 tester.assertResponse(request("/application/v4/user", GET).userIdentity(USER_ID), new File("user.json"));
+ // DELETE the user — it doesn't exist, so access control fails
 tester.assertResponse(request("/application/v4/tenant/by-myuser", DELETE).userIdentity(USER_ID), "{\n \"code\" : 403,\n \"message\" : \"Access denied\"\n}", 403); |