author | Morten Tokle <morten.tokle@gmail.com> | 2020-03-25 08:11:17 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-25 08:11:17 +0100 |
commit | 58b359dcfe5e609cbe46f3910453e819eaa89c99 (patch) | |
tree | 47a126fccd08624a2fae445aa599672b3caa84ae /controller-server | |
parent | ecf3845bbcd225463be9314ad2b9fd3f1feb9b37 (diff) |
Revert "Remove cleanup-code for user tenants"
Diffstat (limited to 'controller-server')
5 files changed, 22 insertions, 11 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
index f64d79a2b80..ae905d2b209 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/TenantController.java
@@ -46,8 +46,13 @@ public class TenantController {
 Instant start = controller.clock().instant();
 int count = 0;
 for (TenantName name : curator.readTenantNames()) {
- lockIfPresent(name, LockedTenant.class, this::store);
- count++;
+ if (name.value().startsWith(Tenant.userPrefix)) // TODO jonmv: Remove after run once.
+
+ curator.removeTenant(name);
+ else {
+ lockIfPresent(name, LockedTenant.class, this::store);
+ count++;
+ }
 }
 log.log(Level.INFO, String.format("Wrote %d tenants in %s", count, Duration.between(start, controller.clock().instant())));
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/TenantSerializer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/TenantSerializer.java
index d4d5f4deb7b..9df87ab4c12 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/TenantSerializer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/persistence/TenantSerializer.java
@@ -108,6 +108,7 @@ public class TenantSerializer {
 switch (type) {
 case athenz: return athenzTenantFrom(tenantObject);
+ case user: return null; // TODO jonmv: Remove when run once.
 case cloud: return cloudTenantFrom(tenantObject);
 default: throw new IllegalArgumentException("Unexpected tenant type '" + type + "'.");
 }
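Review bot: The new `if` branch deletes a tenant from curator without braces and with a blank line between the condition and `curator.removeTenant(name);`, so the trailing comment on the `if` line reads as the body at a glance; brace it: `if (name.value().startsWith(Tenant.userPrefix)) { // TODO jonmv: Remove after run once.` … `} else {`. Because this is a destructive cleanup of persisted tenants, it would also help to log each removed name at INFO next to the existing "Wrote %d tenants" message, since `count` only covers the tenants written and the one-off run otherwise leaves no trace of what it deleted. The enclosing method starts and ends outside the hunk.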
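Review bot: `case user: return null;` makes the deserializer hand a null `Tenant` to whichever caller reads a stored user tenant, and nothing in the hunk documents that contract; a reader that runs before the cleanup loop in `TenantController` has removed those entries would fail on the first dereference. Expand the comment so the expectation is explicit, e.g. `case user: return null; // TODO jonmv: Remove when run once. Legacy user tenants are deleted by TenantController; callers reading before that must tolerate null.` The enclosing method starts and ends outside the hunk.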
@@ -189,6 +190,7 @@ public class TenantSerializer {
 private static Tenant.Type typeOf(String value) {
 switch (value) {
 case "athenz": return Tenant.Type.athenz;
+ case "user": return Tenant.Type.user;
 case "cloud": return Tenant.Type.cloud;
 default: throw new IllegalArgumentException("Unknown tenant type '" + value + "'.");
 }
@@ -197,6 +199,7 @@ public class TenantSerializer {
 private static String valueOf(Tenant.Type type) {
 switch (type) {
 case athenz: return "athenz";
+ case user: return "user";
 case cloud: return "cloud";
 default: throw new IllegalArgumentException("Unexpected tenant type '" + type + "'.");
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index afe8d156d00..4ae3c38bdf2 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -100,20 +100,22 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
 }));
 futures.add(executor.submit(() -> {
- // Add all tenants that are accessible for this request
- athenz.accessibleTenants(tenants.asList(), new Credentials(principal)) .forEach(accessibleTenant -> roleMemberships.add(Role.athenzTenantAdmin(accessibleTenant.name())));
+ // Add all tenants that are accessible for this request
+ athenz.accessibleTenants(tenants.asList(), new Credentials(principal)) .forEach(accessibleTenant -> roleMemberships.add(Role.athenzTenantAdmin(accessibleTenant.name())));
 }));
 if (identity.getDomain().equals(SCREWDRIVER_DOMAIN) && application.isPresent() && tenant.isPresent())
+ // NOTE: Only fine-grained deploy authorization for Athenz tenants
 futures.add(executor.submit(() -> {
- if (hasDeployerAccess(identity, ((AthenzTenant) tenant.get()).domain(), application.get()))
- roleMemberships.add(Role.buildService(tenant.get().name(), application.get()));
+ if ( tenant.get().type() != Tenant.Type.athenz
+ || hasDeployerAccess(identity, ((AthenzTenant) tenant.get()).domain(), application.get()))
+ roleMemberships.add(Role.buildService(tenant.get().name(), application.get()));
 }));
 futures.add(executor.submit(() -> {
- if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/false))
- roleMemberships.add(Role.systemFlagsDeployer());
+ if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/false))
+ roleMemberships.add(Role.systemFlagsDeployer());
 }));
 // Run last request in handler thread to avoid creating extra thread.
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/Tenant.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/Tenant.java
index bac43517f1a..d18318e5dcd 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/Tenant.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/tenant/Tenant.java
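Review bot: The new condition `tenant.get().type() != Tenant.Type.athenz || hasDeployerAccess(...)` grants `Role.buildService` to every identity in `SCREWDRIVER_DOMAIN` for any non-Athenz tenant without consulting `hasDeployerAccess`, so the authorization check is skipped precisely where the tenant is not the kind it was written for. The NOTE comment records that this is intended but not why it is safe; if non-Athenz tenants are not meant to be deployed through this path, the default-deny form `if (tenant.get().type() == Tenant.Type.athenz && hasDeployerAccess(identity, ((AthenzTenant) tenant.get()).domain(), application.get()))` keeps the role off them, and otherwise the comment should state the reasoning so a later reader does not take the short-circuit for a bug. The outer `if (identity.getDomain().equals(SCREWDRIVER_DOMAIN) ...)` is braceless with the NOTE comment now sitting between it and its `futures.add(...)` statement, which is easy to misread; bracing that `if` would make the scope obvious. The enclosing method starts and ends outside the hunk.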
@@ -64,6 +64,9 @@ public abstract class Tenant {
 /** Tenant authenticated through Athenz. */
 athenz,
+ /** Tenant authenticated through Okta, as a user. */
+ user, // TODO jonmv: Remove.
+
 /** Tenant authenticated through some cloud identity provider. */
 cloud
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
index fd0981e8427..c83961e315a 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
@@ -183,11 +183,9 @@ public class ApplicationApiTest extends ControllerContainerTest {
 // PUT a user tenant — does nothing
 tester.assertResponse(request("/application/v4/user", PUT).userIdentity(USER_ID), "");
-
 // GET the authenticated user which now exists (with associated tenants)
 tester.assertResponse(request("/application/v4/user", GET).userIdentity(USER_ID), new File("user.json"));
-
 // DELETE the user — it doesn't exist, so access control fails
 tester.assertResponse(request("/application/v4/tenant/by-myuser", DELETE).userIdentity(USER_ID), "{\n \"code\" : 403,\n \"message\" : \"Access denied\"\n}", 403); |
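Review bot: The `// TODO jonmv: Remove.` on the new `user` constant names no condition for its removal, while the matching TODOs in `TenantController` and `TenantSerializer` say "after run once" / "when run once"; tie this one to the same event so the three are retired together, e.g. `user, // TODO jonmv: Remove once TenantController has deleted all user tenants, together with the serializer cases.` The enum is cut by the hunk, so whether anything else still references `user` cannot be seen here.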