authorjonmv <venstad@gmail.com>2023-01-04 15:42:32 +0100
committerjonmv <venstad@gmail.com>2023-01-04 15:42:32 +0100
commit7efb546c2b34d35ff49e393211345e1399dbfc2e (patch)
tree33d652eff8d4e5140a1078127027276c902a0aee /controller-server
parent028642b0a35645c086cda2a7fafa369b99f12476 (diff)
No role means no managed access, and to wait a little before activating it
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java65
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/MultipartParser.java2
2 files changed, 40 insertions, 27 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
index 2fffdc25875..8f254289f4e 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiHandler.java
@@ -31,6 +31,7 @@ import com.yahoo.container.jdisc.HttpRequest;
import com.yahoo.container.jdisc.HttpResponse;
import com.yahoo.container.jdisc.ThreadedHttpRequestHandler;
import com.yahoo.io.IOUtils;
+import com.yahoo.jdisc.Response;
import com.yahoo.jdisc.http.filter.security.misc.User;
import com.yahoo.restapi.ByteArrayResponse;
import com.yahoo.restapi.ErrorResponse;
@@ -47,6 +48,7 @@ import com.yahoo.slime.Slime;
import com.yahoo.slime.SlimeUtils;
import com.yahoo.text.Text;
import com.yahoo.vespa.athenz.api.OAuthCredentials;
+import com.yahoo.vespa.athenz.client.zms.ZmsClientException;
import com.yahoo.vespa.flags.Flags;
import com.yahoo.vespa.hosted.controller.Application;
import com.yahoo.vespa.hosted.controller.Controller;
@@ -228,10 +230,10 @@ public class ApplicationApiHandler extends AuditLoggingRequestHandler {
}
catch (ConfigServerException e) {
return switch (e.code()) {
- case NOT_FOUND: yield ErrorResponse.notFoundError(Exceptions.toMessageString(e));
- case ACTIVATION_CONFLICT: yield new ErrorResponse(CONFLICT, e.code().name(), Exceptions.toMessageString(e));
- case INTERNAL_SERVER_ERROR: yield ErrorResponses.logThrowing(request, log, e);
- default: yield new ErrorResponse(BAD_REQUEST, e.code().name(), Exceptions.toMessageString(e));
+ case NOT_FOUND -> ErrorResponse.notFoundError(Exceptions.toMessageString(e));
+ case ACTIVATION_CONFLICT -> new ErrorResponse(CONFLICT, e.code().name(), Exceptions.toMessageString(e));
+ case INTERNAL_SERVER_ERROR -> ErrorResponses.logThrowing(request, log, e);
+ default -> new ErrorResponse(BAD_REQUEST, e.code().name(), Exceptions.toMessageString(e));
};
}
catch (RuntimeException e) {
@@ -434,26 +436,31 @@ public class ApplicationApiHandler extends AuditLoggingRequestHandler {
return ErrorResponse.badRequest("Can only see access requests for cloud tenants");
var accessControlService = controller.serviceRegistry().accessControlService();
- var accessRoleInformation = accessControlService.getAccessRoleInformation(tenant);
- var managedAccess = accessControlService.getManagedAccess(tenant);
var slime = new Slime();
var cursor = slime.setObject();
- cursor.setBool("managedAccess", managedAccess);
- accessRoleInformation.getPendingRequest()
- .ifPresent(membershipRequest -> {
- var requestCursor = cursor.setObject("pendingRequest");
- requestCursor.setString("requestTime", membershipRequest.getCreationTime());
- requestCursor.setString("reason", membershipRequest.getReason());
- });
- var auditLogCursor = cursor.setArray("auditLog");
- accessRoleInformation.getAuditLog()
- .forEach(auditLogEntry -> {
- var entryCursor = auditLogCursor.addObject();
- entryCursor.setString("created", auditLogEntry.getCreationTime());
- entryCursor.setString("approver", auditLogEntry.getApprover());
- entryCursor.setString("reason", auditLogEntry.getReason());
- entryCursor.setString("status", auditLogEntry.getAction());
- });
+ try {
+ var accessRoleInformation = accessControlService.getAccessRoleInformation(tenant);
+ var managedAccess = accessControlService.getManagedAccess(tenant);
+ cursor.setBool("managedAccess", managedAccess);
+ accessRoleInformation.getPendingRequest()
+ .ifPresent(membershipRequest -> {
+ var requestCursor = cursor.setObject("pendingRequest");
+ requestCursor.setString("requestTime", membershipRequest.getCreationTime());
+ requestCursor.setString("reason", membershipRequest.getReason());
+ });
+ var auditLogCursor = cursor.setArray("auditLog");
+ accessRoleInformation.getAuditLog()
+ .forEach(auditLogEntry -> {
+ var entryCursor = auditLogCursor.addObject();
+ entryCursor.setString("created", auditLogEntry.getCreationTime());
+ entryCursor.setString("approver", auditLogEntry.getApprover());
+ entryCursor.setString("reason", auditLogEntry.getReason());
+ entryCursor.setString("status", auditLogEntry.getAction());
+ });
+ }
+ catch (ZmsClientException e) {
+ if (e.getErrorCode() == 404) cursor.setBool("managedAccess", false);
+ }
return new SlimeJsonResponse(slime);
}
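Review bot: The new `catch (ZmsClientException e)` in this access-request handler drops every error that is not a 404: the exception is neither logged nor rethrown, and the method still returns a `SlimeJsonResponse` whose object has no `managedAccess` field. A ZMS authorization failure or outage would then look like a successful but empty answer, unlike the set-managed-access hunk further down, which rethrows. Suggest `if (e.getErrorCode() != 404) throw e;` followed by `cursor.setBool("managedAccess", false);`. The enclosing method starts above the hunk, so how a rethrown exception is mapped further up the stack is not visible here.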
@@ -500,10 +507,16 @@ public class ApplicationApiHandler extends AuditLoggingRequestHandler {
if (controller.tenants().require(tenant).type() != Tenant.Type.cloud)
return ErrorResponse.badRequest("Can only set access privel for cloud tenants");
- controller.serviceRegistry().accessControlService().setManagedAccess(tenant, managedAccess);
- var slime = new Slime();
- slime.setObject().setBool("managedAccess", managedAccess);
- return new SlimeJsonResponse(slime);
+ try {
+ controller.serviceRegistry().accessControlService().setManagedAccess(tenant, managedAccess);
+ var slime = new Slime();
+ slime.setObject().setBool("managedAccess", managedAccess);
+ return new SlimeJsonResponse(slime);
+ }
+ catch (ZmsClientException e) {
+ if (e.getErrorCode() == 404) return ErrorResponse.conflict("Configuration not yet ready, please try again in a few minutes");
+ throw e;
+ }
}
private HttpResponse tenantInfo(String tenantName, HttpRequest request) {
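Review bot: The 404 branch added around `setManagedAccess` returns a retry message but, as far as this hunk shows, records nothing. A role that is never created is therefore indistinguishable from one still being provisioned, and operators cannot see the repeated failures of this access-control change. Consider logging the tenant and error code through the handler's existing `log` before returning the conflict. A comment such as `// ZMS answers 404 until the tenant's access role exists; tell the caller to retry` would also help, though that reading of the 404 comes from the commit title rather than from code visible here. The method's signature is outside the hunk.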
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/MultipartParser.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/MultipartParser.java
index a9e24943c0d..a28f0e9733d 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/MultipartParser.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/application/MultipartParser.java
@@ -33,7 +33,7 @@ public class MultipartParser {
}
/**
- * Parses the given multi-part request and returns all the parts indexed by their name.
+ * Parses the given multipart request and returns all the parts indexed by their name.
*
* @throws IllegalArgumentException if this request is not a well-formed request with Content-Type multipart/form-data
*/