authorMorten Tokle <mortent@verizonmedia.com>2022-02-24 14:57:27 +0100
committerMorten Tokle <mortent@verizonmedia.com>2022-02-24 14:57:27 +0100
commita651349ecc14b0b0f51075e33ad6e56b414bf064 (patch)
tree85daec4920aeb8df7e4fb7ff08ad85f45c3d5fa5 /controller-server
parentccf690fbe40e769161c6bf15bbd0d2f87ad7cefa (diff)
Read zone from job name
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java7
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java20
2 files changed, 18 insertions, 9 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 305967c9601..f5900604627 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -8,6 +8,7 @@ import com.yahoo.config.provision.ApplicationName;
import com.yahoo.config.provision.Environment;
import com.yahoo.config.provision.TenantName;
import com.yahoo.config.provision.Zone;
+import com.yahoo.config.provision.zone.ZoneId;
import com.yahoo.text.Text;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
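Review bot: The import of `com.yahoo.config.provision.Zone` in this file looks unused after this commit: both uses visible in the diff, the `hasApplicationAccess` and `applicationResourceString` signatures, now take `Optional<ZoneId>`. If no other reference to `Zone` remains in the file, the import should go. The same applies to the `Zone`, `Environment` and `RegionName` imports in AthenzRoleFilter (hunk at -6,8), whose visible uses are all replaced by `ZoneId.from(...)` and `ZoneId`; please verify the rest of that file before removing them.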
@@ -249,7 +250,7 @@ public class AthenzFacade implements AccessControl {
}
public boolean hasApplicationAccess(
- AthenzIdentity identity, ApplicationAction action, AthenzDomain tenantDomain, ApplicationName applicationName, Optional<Zone> zone) {
+ AthenzIdentity identity, ApplicationAction action, AthenzDomain tenantDomain, ApplicationName applicationName, Optional<ZoneId> zone) {
return hasAccess(
action.name(), applicationResourceString(tenantDomain, applicationName, zone), identity);
}
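Review bot: `hasApplicationAccess` is public and its last parameter changes type from `Optional<Zone>` to `Optional<ZoneId>`, which is a source-incompatible change for any caller outside this diff; the diffstat is limited to controller-server, so callers in other modules, if any, are not visible here. The method also has no Javadoc; something like `/** Returns whether {@code identity} may perform {@code action} on the application; when a zone is given, the check is narrowed to that zone's environment. */` would document the contract that the resource string encodes.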
@@ -327,9 +328,9 @@ public class AthenzFacade implements AccessControl {
return resourceStringPrefix(tenantDomain) + ".wildcard";
}
- private String applicationResourceString(AthenzDomain tenantDomain, ApplicationName applicationName, Optional<Zone> zone) {
+ private String applicationResourceString(AthenzDomain tenantDomain, ApplicationName applicationName, Optional<ZoneId> zone) {
// If environment is not provided, add .wildcard to match .* in the policy resource (* is not allowed in the request)
- String environment = zone.map(Zone::environment).map(Environment::value).orElse("wildcard");
+ String environment = zone.map(ZoneId::environment).map(Environment::value).orElse("wildcard");
return resourceStringPrefix(tenantDomain) + "." + "res_group" + "." + applicationName.value() + "." + environment;
}
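Review bot: Only the environment of `zone` reaches the resource string on the last line; the region of the `ZoneId` is dropped, so two zones in the same environment are indistinguishable to the policy check. If that is intended, the comment above the `environment` assignment should say so, e.g. `// Only the environment is encoded in the resource; the zone's region does not take part in the policy check.` This hunk covers the whole method.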
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 8c3dd74d664..da048e6b569 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -6,8 +6,10 @@ import com.google.inject.Inject;
import com.yahoo.config.provision.ApplicationName;
import com.yahoo.config.provision.Environment;
import com.yahoo.config.provision.RegionName;
+import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.TenantName;
import com.yahoo.config.provision.Zone;
+import com.yahoo.config.provision.zone.ZoneId;
import com.yahoo.jdisc.http.filter.DiscFilterRequest;
import com.yahoo.jdisc.http.filter.security.base.JsonSecurityRequestFilterBase;
import com.yahoo.restapi.Path;
@@ -20,6 +22,7 @@ import com.yahoo.vespa.hosted.controller.Controller;
import com.yahoo.vespa.hosted.controller.TenantController;
import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
import com.yahoo.vespa.hosted.controller.api.integration.athenz.AthenzClientFactory;
+import com.yahoo.vespa.hosted.controller.api.integration.deployment.JobType;
import com.yahoo.vespa.hosted.controller.api.role.Role;
import com.yahoo.vespa.hosted.controller.api.role.SecurityContext;
import com.yahoo.vespa.hosted.controller.athenz.impl.AthenzFacade;
@@ -60,12 +63,14 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
private final AthenzFacade athenz;
private final TenantController tenants;
private final ExecutorService executor;
+ private final SystemName systemName;
@Inject
public AthenzRoleFilter(AthenzClientFactory athenzClientFactory, Controller controller) {
this.athenz = new AthenzFacade(athenzClientFactory);
this.tenants = controller.tenants();
this.executor = Executors.newCachedThreadPool();
+ this.systemName = controller.system();
}
@Override
@@ -98,11 +103,14 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
path.matches("/application/v4/tenant/{tenant}/application/{application}/{*}");
Optional<ApplicationName> application = Optional.ofNullable(path.get("application")).map(ApplicationName::from);
- final Optional<Zone> zone;
+ final Optional<ZoneId> zone;
if(path.matches("/application/v4/tenant/{tenant}/application/{application}/instance/{instance}/environment/{environment}/region/{region}/{*}")) {
- zone = Optional.of(new Zone(Environment.from(path.get("environment")), RegionName.from(path.get("region"))));
+ zone = Optional.of(ZoneId.from(path.get("environment"), path.get("region")));
} else if(path.matches("/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/{*}")) {
- zone = Optional.of(new Zone(Environment.from(path.get("environment")), RegionName.from(path.get("region"))));
+ zone = Optional.of(ZoneId.from(path.get("environment"), path.get("region")));
+ } else if(path.matches("/application/v4/tenant/{tenant}/application/{application}/instance/{instance}/deploy/{jobname}")) {
+ var jobtype= JobType.fromJobName(path.get("jobname"));
+ zone = Optional.of(jobtype.zone(systemName));
} else {
zone = Optional.empty();
}
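Review bot: The new `deploy/{jobname}` branch hands the raw `jobname` path segment to `JobType.fromJobName` inside a security filter; if that lookup rejects unknown names with an exception (its implementation is not in this diff), a request with an unrecognised job name unwinds out of the filter instead of being refused cleanly, and the same applies if `jobtype.zone(systemName)` has no zone for that job type in this system. Consider resolving the job type first and treating a failed lookup as an invalid request through whatever error response path the filter already uses, so that `zone` is only set when the job name is known. The two earlier branches take the environment and region straight from the path, so this new branch is the only place where user-supplied input can make the zone lookup fail. Style: `var jobtype= JobType.fromJobName(path.get("jobname"));` should be `var jobType = JobType.fromJobName(path.get("jobname"));`. The enclosing method starts and ends outside this hunk.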
@@ -142,7 +150,7 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
&& zone.isPresent()
&& tenant.isPresent()
&& application.isPresent()) {
- Zone z = zone.get();
+ ZoneId z = zone.get();
futures.add(executor.submit(() -> {
if (canDeployToManualZones(identity, ((AthenzTenant) tenant.get()).domain(), application.get(), z))
roleMemberships.add(Role.hostedDeveloper(tenant.get().name()));
@@ -194,7 +202,7 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
}
}
- private boolean hasDeployerAccess(AthenzIdentity identity, AthenzDomain tenantDomain, ApplicationName application, Optional<Zone> zone) {
+ private boolean hasDeployerAccess(AthenzIdentity identity, AthenzDomain tenantDomain, ApplicationName application, Optional<ZoneId> zone) {
try {
return athenz.hasApplicationAccess(identity,
ApplicationAction.deploy,
@@ -206,7 +214,7 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
}
}
- private boolean canDeployToManualZones(AthenzIdentity identity, AthenzDomain tenantDomain, ApplicationName application, Zone zone) {
+ private boolean canDeployToManualZones(AthenzIdentity identity, AthenzDomain tenantDomain, ApplicationName application, ZoneId zone) {
if (! zone.environment().isManuallyDeployed()) return false;
try {
return athenz.hasApplicationAccess(identity, ApplicationAction.deploy, tenantDomain, application, Optional.of(zone));