author | Bjørn Christian Seime <bjorncs@oath.com> | 2018-06-12 12:27:52 +0200 |
committer | Bjørn Christian Seime <bjorncs@oath.com> | 2018-06-12 12:34:58 +0200 |
commit | a3a9d6ae29cec4fe4f55c3c7b93986547a267a0f (patch) | |
tree | 1bcf0019eb34572232208bc239dc7598c0f48fca /node-repository | |
parent | a78e1ec449e493fe8ff4f7131a0fb84bae0eda1d (diff) |
Add access control for identity document api + identity provider api
Diffstat (limited to 'node-repository')
2 files changed, 22 insertions, 2 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
index da8f5be142f..ad078e09c45 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
@@ -7,7 +7,6 @@ import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.hosted.provision.Node;
 import com.yahoo.vespa.hosted.provision.NodeRepository;
-import com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodePrincipal;
 import org.apache.http.NameValuePair;
 import org.apache.http.client.utils.URLEncodedUtils;
 
@@ -52,6 +51,11 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
             return true;
         }
         if (principal.getHostname().isPresent()) {
+            String hostname = principal.getHostname().get();
+            if (isAthenzProviderApi(uri)) {
+                return hostname.equals(NodeIdentifier.ZTS_AWS_IDENTITY) || hostname.equals(NodeIdentifier.ZTS_ON_PREM_IDENTITY);
+            }
+
             // Individual nodes can only access their own resources
             if (canAccessAll(hostnamesFrom(uri), principal, this::isSelfOrParent)) {
                 return true;
@@ -63,13 +67,18 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
             }
 
             // The host itself can access all resources
-            if (whitelistedHostnames.contains(principal.getHostname().get())) {
+            if (whitelistedHostnames.contains(hostname)) {
                 return true;
             }
         }
         return false;
     }
 
+    private static boolean isAthenzProviderApi(URI uri) {
+        return "/athenz/v1/provider/instance".equals(uri.getPath()) ||
+                "/athenz/v1/provider/refresh".equals(uri.getPath());
+    }
+
     /** Returns whether principal is the node itself or the parent of the node */
     private boolean isSelfOrParent(String hostname, NodePrincipal principal) {
         // Node can always access itself
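Review bot: `isAthenzProviderApi` (hunk @@ -63,13 +67,18) matches `uri.getPath()` by exact string equality, so a spelling of the same endpoint that the request router may still accept (a trailing slash, for instance) is not recognized as the provider API and is instead evaluated by the generic per-node rules that follow in hunk @@ -52,6 +51,11, rather than being restricted to the two ZTS identities; it is worth confirming that the router rejects such variants, or normalizing the path before comparing. The ZTS rule is also keyed on the principal's hostname field (`hostname.equals(NodeIdentifier.ZTS_AWS_IDENTITY)`), and the new test exercises it through a legacy-node principal, so the strength of this check depends on where that hostname is taken from — presumably a certificate attribute; that provenance should be stated next to the check. A short Javadoc would make the intent explicit: `/** Returns whether uri is a ZTS-only provider endpoint (instance registration or refresh); only the ZTS identities may call these. */`. The enclosing `test` body begins before and ends after these hunks.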
@@ -153,6 +162,9 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
                 "/nodes/v2/node/".equals(uri.getPath())) {
             return hostnamesFromQuery(uri);
         }
+        if (isChildOf("/athenz/v1/provider/identity-document", uri.getPath())) {
+            return Collections.singletonList(lastChildOf(uri.getPath()));
+        }
         return Collections.emptyList();
     }
 
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
index 9dc57507b8c..38128e66861 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
@@ -101,6 +101,8 @@ public class AuthorizerTest {
         assertTrue(authorizedTenantHostNode("host1", "/nodes/v2/node/host1"));
         assertTrue(authorizedTenantHostNode("host1", "/nodes/v2/node/child1-1"));
         assertTrue(authorizedTenantHostNode("host1", "/nodes/v2/command/reboot?hostname=child1-1"));
+        assertTrue(authorizedTenantHostNode("host1", "/athenz/v1/provider/identity-document/tenant/host1"));
+        assertTrue(authorizedTenantHostNode("host1", "/athenz/v1/provider/identity-document/node/child1-1"));
 
         // Trusted services can access everything in their own system
         assertFalse(authorizedController("vespa.vespa.cd.hosting", "/")); // Wrong system
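Review bot: The new identity-document branch in `hostnamesFrom` (hunk @@ -153,6 +162,9) takes `lastChildOf(uri.getPath())` as the node whose document is requested, but nothing here checks that the segment is non-empty or that the middle `tenant`/`node` segment is one of the expected values; what happens for a path ending in a slash depends on `lastChildOf` and on how `canAccessAll` treats its list, neither of which is visible, so an empty or blank segment should be confirmed to end in a deny rather than a vacuous allow. A comment on the branch would record the authorization intent: `// identity-document/{tenant|node}/<hostname>: only that node or its parent may fetch it`. `hostnamesFrom` starts before this hunk.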
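Review bot: The test hunk @@ -101,6 +101,8 only asserts the allow side of the new identity-document rule; a deny case for a host that is neither the node nor its parent pins the actual access-control boundary, e.g. `assertFalse(authorizedTenantHostNode("host1", "/athenz/v1/provider/identity-document/node/child2-1"));` (assuming `child2-1` is a child of a different host in this fixture). The same gap exists in the hunk at @@ -151,6 +153,12: `zts_allowed_for_athenz_provider_api` should be paired with `assertFalse(authorizedTenantHostNode("host1", "/athenz/v1/provider/instance"));` and a check that the ZTS identities are not granted unrelated paths such as `/nodes/v2/node/host1`, which by the new `apply` logic should be denied unless ZTS is in the whitelist.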
@@ -151,6 +153,12 @@ public class AuthorizerTest {
         assertTrue(authorizedLegacyNode("cfghost1", "/application/v2"));
     }
 
+    @Test
+    public void zts_allowed_for_athenz_provider_api() {
+        assertTrue(authorizedLegacyNode(NodeIdentifier.ZTS_AWS_IDENTITY, "/athenz/v1/provider/refresh"));
+        assertTrue(authorizedLegacyNode(NodeIdentifier.ZTS_ON_PREM_IDENTITY, "/athenz/v1/provider/instance"));
+    }
+
     private boolean authorizedTenantNode(String hostname, String path) {
         return authorized(NodePrincipal.withAthenzIdentity("vespa.vespa.tenant", hostname, emptyList()), path);
     }