authorEirik Nygaard <eirik.nygaard@yahooinc.com>2022-05-24 15:45:46 +0200
committerEirik Nygaard <eirik.nygaard@yahooinc.com>2022-05-25 09:44:24 +0200
commit340bdc4f860e934f1a3eb11084661c13900bdb28 (patch)
tree9ef962234315ec43f78e5d896eb5d25a04bbc8df /controller-server
parent3f3507a56dfafe8e3eea8500ce36584642c71434 (diff)
Use ArchiveAccess instead of directly accessing AWS IAM role
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ArchiveAccessMaintainer.java38
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java2
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/ArchiveAccessMaintainerTest.java10
3 files changed, 18 insertions, 32 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ArchiveAccessMaintainer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ArchiveAccessMaintainer.java
index 9691b45de7d..788360996ff 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ArchiveAccessMaintainer.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ArchiveAccessMaintainer.java
@@ -10,6 +10,7 @@ import com.yahoo.vespa.hosted.controller.api.integration.archive.ArchiveBucket;
import com.yahoo.vespa.hosted.controller.api.integration.archive.ArchiveService;
import com.yahoo.vespa.hosted.controller.api.integration.zone.ZoneRegistry;
import com.yahoo.vespa.hosted.controller.archive.CuratorArchiveBucketDb;
+import com.yahoo.vespa.hosted.controller.tenant.ArchiveAccess;
import com.yahoo.vespa.hosted.controller.tenant.CloudTenant;
import com.yahoo.vespa.hosted.controller.tenant.Tenant;
@@ -53,41 +54,26 @@ public class ArchiveAccessMaintainer extends ControllerMaintainer {
"cloud", z.getCloudName().value()))));
zoneRegistry.zonesIncludingSystem().controllerUpgraded().zones().forEach(z -> {
- ZoneId zoneId = z.getVirtualId();
- try {
- var tenantArchiveAccessRoles = cloudTenantArchiveExternalAccessRoles();
- archiveBucketDb.buckets(zoneId).forEach(archiveBucket ->
- archiveService.updateBucketPolicy(zoneId, archiveBucket,
- Maps.filterEntries(tenantArchiveAccessRoles,
- entry -> archiveBucket.tenants().contains(entry.getKey())))
- );
- Map<String, List<ArchiveBucket>> bucketsPerKey = archiveBucketDb.buckets(zoneId).stream()
- .collect(groupingBy(ArchiveBucket::keyArn));
- bucketsPerKey.forEach((keyArn, buckets) -> {
- Set<String> authorizedIamRolesForKey = buckets.stream()
- .flatMap(b -> b.tenants().stream())
- .filter(tenantArchiveAccessRoles::containsKey)
- .map(tenantArchiveAccessRoles::get)
- .collect(Collectors.toSet());
- archiveService.updateKeyPolicy(zoneId, keyArn, authorizedIamRolesForKey);
- });
- } catch (Exception e) {
- throw new RuntimeException("Failed to maintain archive access in " + zoneId.value(), e);
- }
- }
- );
+ ZoneId zoneId = z.getVirtualId();
+ try {
+ var tenantArchiveAccessRoles = cloudTenantArchiveExternalAccessRoles();
+ var buckets = archiveBucketDb.buckets(zoneId);
+ archiveService.updatePolicies(zoneId, buckets, tenantArchiveAccessRoles);
+ } catch (Exception e) {
+ throw new RuntimeException("Failed to maintain archive access in " + zoneId.value(), e);
+ }
+ });
return 1.0;
}
- private Map<TenantName, String> cloudTenantArchiveExternalAccessRoles() {
+ private Map<TenantName, ArchiveAccess> cloudTenantArchiveExternalAccessRoles() {
List<Tenant> tenants = controller().tenants().asList();
return tenants.stream()
.filter(t -> t instanceof CloudTenant)
.map(t -> (CloudTenant) t)
- .filter(t -> t.archiveAccessRole().isPresent())
.collect(Collectors.toUnmodifiableMap(
- Tenant::name, cloudTenant -> cloudTenant.archiveAccessRole().orElseThrow()));
+ Tenant::name, cloudTenant -> cloudTenant.archiveAccess()));
}
}
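Review bot: Removing the `.filter(t -> t.archiveAccessRole().isPresent())` step means the map passed to `archiveService.updatePolicies(zoneId, buckets, tenantArchiveAccessRoles)` at line 59 now contains every CloudTenant, including those with no archive access configured, so correctness now depends on `updatePolicies` treating an `ArchiveAccess` with empty optionals as "grant nothing" — a contract that lives outside this diff. A comment on the collector would make that dependency visible: `// Includes tenants with no configured access; updatePolicies must grant nothing for an empty ArchiveAccess`. The names `cloudTenantArchiveExternalAccessRoles()` and the local `tenantArchiveAccessRoles` now describe `ArchiveAccess` objects rather than role strings; something like `cloudTenantArchiveAccess` would read more accurately. The `Maps`, `Set` and `groupingBy` imports appear to be used only by the removed lines and are not dropped in the import hunk, so they are probably unused now — worth confirming. The enclosing `maintain()` method begins outside this hunk.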
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
index 0c564a51f37..18cae83a131 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
@@ -2356,7 +2356,7 @@ public class ApplicationApiHandler extends AuditLoggingRequestHandler {
log.warning(String.format("Failed to get quota for tenant %s: %s", tenant.name(), Exceptions.toMessageString(e)));
}
- cloudTenant.archiveAccessRole().ifPresent(role -> object.setString("archiveAccessRole", role));
+ cloudTenant.archiveAccess().awsRole().ifPresent(role -> object.setString("archiveAccessRole", role));
break;
}
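Review bot: The tenant response at line 86 still serializes only `awsRole()` under `archiveAccessRole`, so whatever else the new `ArchiveAccess` carries (the test constructs it with a second, empty `Optional` at line 111) is not exposed through this API; if that is deliberate, a short comment would spare the next reader a look at the type: `// Only the AWS role is exposed in the tenant response; the other ArchiveAccess component is intentionally omitted here — confirm`. The enclosing method starts and ends outside this hunk.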
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/ArchiveAccessMaintainerTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/ArchiveAccessMaintainerTest.java
index 12418656c2f..b2451161f34 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/ArchiveAccessMaintainerTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/maintenance/ArchiveAccessMaintainerTest.java
@@ -34,19 +34,19 @@ public class ArchiveAccessMaintainerTest {
String tenant1role = "arn:aws:iam::123456789012:role/my-role";
String tenant2role = "arn:aws:iam::210987654321:role/my-role";
var tenant1 = createTenantWithAccessRole(tester, "tenant1", tenant1role);
- createTenantWithAccessRole(tester, "tenant2", tenant2role);
+ var tenant2 = createTenantWithAccessRole(tester, "tenant2", tenant2role);
ZoneId testZone = ZoneId.from("prod.aws-us-east-1c");
tester.controller().archiveBucketDb().archiveUriFor(testZone, tenant1, true);
var testBucket = new ArchiveBucket("bucketName", "keyArn").withTenant(tenant1);
MockArchiveService archiveService = (MockArchiveService) tester.controller().serviceRegistry().archiveService();
- assertNull(archiveService.authorizedIamRolesForBucket.get(testBucket));
- assertNull(archiveService.authorizedIamRolesForKey.get(testBucket.keyArn()));
+
+ assertEquals(0, archiveService.authorizeAccessByTenantName.size());
MockMetric metric = new MockMetric();
new ArchiveAccessMaintainer(tester.controller(), metric, Duration.ofMinutes(10)).maintain();
- assertEquals(Map.of(tenant1, tenant1role), archiveService.authorizedIamRolesForBucket.get(testBucket));
- assertEquals(Set.of(tenant1role), archiveService.authorizedIamRolesForKey.get(testBucket.keyArn()));
+ assertEquals(new ArchiveAccess(Optional.of(tenant1role), Optional.empty()), archiveService.authorizeAccessByTenantName.get(tenant1));
+ assertEquals(new ArchiveAccess(Optional.of(tenant2role), Optional.empty()), archiveService.authorizeAccessByTenantName.get(tenant2));
var expected = Map.of("archive.bucketCount",
tester.controller().zoneRegistry().zonesIncludingSystem().all().ids().stream()