author | Morten Tokle <mortent@verizonmedia.com> | 2022-02-24 14:57:27 +0100 |
---|---|---|
committer | Morten Tokle <mortent@verizonmedia.com> | 2022-02-24 14:57:27 +0100 |
commit | a651349ecc14b0b0f51075e33ad6e56b414bf064 (patch) | |
tree | 85daec4920aeb8df7e4fb7ff08ad85f45c3d5fa5 /controller-server | |
parent | ccf690fbe40e769161c6bf15bbd0d2f87ad7cefa (diff) |
Read zone from job name
Diffstat (limited to 'controller-server')
2 files changed, 18 insertions, 9 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 305967c9601..f5900604627 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -8,6 +8,7 @@ import com.yahoo.config.provision.ApplicationName;
 import com.yahoo.config.provision.Environment;
 import com.yahoo.config.provision.TenantName;
 import com.yahoo.config.provision.Zone;
+import com.yahoo.config.provision.zone.ZoneId;
 import com.yahoo.text.Text;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
@@ -249,7 +250,7 @@ public class AthenzFacade implements AccessControl {
     }
 
     public boolean hasApplicationAccess(
-            AthenzIdentity identity, ApplicationAction action, AthenzDomain tenantDomain, ApplicationName applicationName, Optional<Zone> zone) {
+            AthenzIdentity identity, ApplicationAction action, AthenzDomain tenantDomain, ApplicationName applicationName, Optional<ZoneId> zone) {
         return hasAccess(
                 action.name(), applicationResourceString(tenantDomain, applicationName, zone), identity);
     }
@@ -327,9 +328,9 @@ public class AthenzFacade implements AccessControl {
         return resourceStringPrefix(tenantDomain) + ".wildcard";
     }
 
-    private String applicationResourceString(AthenzDomain tenantDomain, ApplicationName applicationName, Optional<Zone> zone) {
+    private String applicationResourceString(AthenzDomain tenantDomain, ApplicationName applicationName, Optional<ZoneId> zone) {
         // If environment is not provided, add .wildcard to match .* in the policy resource (* is not allowed in the request)
-        String environment = zone.map(Zone::environment).map(Environment::value).orElse("wildcard");
+        String environment = zone.map(ZoneId::environment).map(Environment::value).orElse("wildcard");
         return resourceStringPrefix(tenantDomain) + "." + "res_group" + "." + applicationName.value() + "." + environment;
     }
 
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 8c3dd74d664..da048e6b569 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -6,8 +6,10 @@ import com.google.inject.Inject;
 import com.yahoo.config.provision.ApplicationName;
 import com.yahoo.config.provision.Environment;
 import com.yahoo.config.provision.RegionName;
+import com.yahoo.config.provision.SystemName;
 import com.yahoo.config.provision.TenantName;
 import com.yahoo.config.provision.Zone;
+import com.yahoo.config.provision.zone.ZoneId;
 import com.yahoo.jdisc.http.filter.DiscFilterRequest;
 import com.yahoo.jdisc.http.filter.security.base.JsonSecurityRequestFilterBase;
 import com.yahoo.restapi.Path;
@@ -20,6 +22,7 @@ import com.yahoo.vespa.hosted.controller.Controller;
 import com.yahoo.vespa.hosted.controller.TenantController;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
 import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
+import com.yahoo.vespa.hosted.controller.api.integration.deployment.JobType;
 import com.yahoo.vespa.hosted.controller.api.role.Role;
 import com.yahoo.vespa.hosted.controller.api.role.SecurityContext;
 import com.yahoo.vespa.hosted.controller.athenz.impl.AthenzFacade;
@@ -60,12 +63,14 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
     private final AthenzFacade athenz;
     private final TenantController tenants;
     private final ExecutorService executor;
+    private final SystemName systemName;
 
     @Inject
     public AthenzRoleFilter(AthenzClientFactory athenzClientFactory, Controller controller) {
         this.athenz = new AthenzFacade(athenzClientFactory);
         this.tenants = controller.tenants();
         this.executor = Executors.newCachedThreadPool();
+        this.systemName = controller.system();
     }
 
     @Override
@@ -98,11 +103,14 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
                                        path.matches("/application/v4/tenant/{tenant}/application/{application}/{*}");
         Optional<ApplicationName> application = Optional.ofNullable(path.get("application")).map(ApplicationName::from);
 
-        final Optional<Zone> zone;
+        final Optional<ZoneId> zone;
         if(path.matches("/application/v4/tenant/{tenant}/application/{application}/instance/{instance}/environment/{environment}/region/{region}/{*}")) {
-            zone = Optional.of(new Zone(Environment.from(path.get("environment")), RegionName.from(path.get("region"))));
+            zone = Optional.of(ZoneId.from(path.get("environment"), path.get("region")));
         } else if(path.matches("/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/{*}")) {
-            zone = Optional.of(new Zone(Environment.from(path.get("environment")), RegionName.from(path.get("region"))));
+            zone = Optional.of(ZoneId.from(path.get("environment"), path.get("region")));
+        } else if(path.matches("/application/v4/tenant/{tenant}/application/{application}/instance/{instance}/deploy/{jobname}")) {
+            var jobtype= JobType.fromJobName(path.get("jobname"));
+            zone = Optional.of(jobtype.zone(systemName));
         } else {
             zone = Optional.empty();
         }
@@ -142,7 +150,7 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
                 && zone.isPresent()
                 && tenant.isPresent()
                 && application.isPresent()) {
-            Zone z = zone.get();
+            ZoneId z = zone.get();
             futures.add(executor.submit(() -> {
                 if (canDeployToManualZones(identity, ((AthenzTenant) tenant.get()).domain(), application.get(), z))
                     roleMemberships.add(Role.hostedDeveloper(tenant.get().name()));
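Review bot: The new `deploy/{jobname}` branch hands a request path segment straight to `JobType.fromJobName(path.get("jobname"))` with no handling for a name that does not map to a job type; if that lookup throws, as the neighbouring `ZoneId.from` calls presumably also can on malformed input, the exception escapes role computation inside a security filter instead of degrading to `zone = Optional.empty()`, which is the conservative outcome for the deployer and hostedDeveloper checks that follow. Consider guarding the branch so an unrecognised job name yields no zone, either by validating the name before the lookup or by catching the lookup failure and falling through to the empty case, and confirm what `JobType::zone` returns for job types that are not bound to a deployment zone so the environment derived for the Athenz resource string is the intended one. Stylistically, `var jobtype= JobType.fromJobName(path.get("jobname"));` should read `var jobType = JobType.fromJobName(path.get("jobname"));`, or be inlined as `zone = Optional.of(JobType.fromJobName(path.get("jobname")).zone(systemName));`. The enclosing method begins and ends outside this hunk.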
@@ -194,7 +202,7 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
         }
     }
 
-    private boolean hasDeployerAccess(AthenzIdentity identity, AthenzDomain tenantDomain, ApplicationName application, Optional<Zone> zone) {
+    private boolean hasDeployerAccess(AthenzIdentity identity, AthenzDomain tenantDomain, ApplicationName application, Optional<ZoneId> zone) {
         try {
             return athenz.hasApplicationAccess(identity,
                                                ApplicationAction.deploy,
@@ -206,7 +214,7 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
         }
     }
 
-    private boolean canDeployToManualZones(AthenzIdentity identity, AthenzDomain tenantDomain, ApplicationName application, Zone zone) {
+    private boolean canDeployToManualZones(AthenzIdentity identity, AthenzDomain tenantDomain, ApplicationName application, ZoneId zone) {
         if (! zone.environment().isManuallyDeployed()) return false;
         try {
             return athenz.hasApplicationAccess(identity, ApplicationAction.deploy, tenantDomain, application, Optional.of(zone));
|