Merge pull request #26117 from vespa-engine/mortent/zts-checkaccessv8.128.22

Use ZTS getAccess instead of ZMS

1 files changed, 12 insertions, 0 deletions

diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
index c4be6d8ced7..eade6229123 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zts/ZtsClient.java
@@ -5,6 +5,7 @@ import com.yahoo.security.Pkcs10Csr;
 import com.yahoo.vespa.athenz.api.AthenzAccessToken;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.athenz.api.AthenzResourceName;
 import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.AwsRole;
 import com.yahoo.vespa.athenz.api.AwsTemporaryCredentials;
@@ -187,5 +188,16 @@ public interface ZtsClient extends AutoCloseable {
      */
     AwsTemporaryCredentials getAwsTemporaryCredentials(AthenzDomain athenzDomain, AwsRole awsRole, Duration duration, String externalId);
 
+    /**
+     * Check access to resource for a given principal
+     *
+     * @param resource The resource to verify access to
+     * @param action Action to verify
+     * @param identity Principal that requests access
+     * @return <code>true</code> if access is allowed, <code>false</code> otherwise
+     */
+    boolean hasAccess(AthenzResourceName resource, String action, AthenzIdentity identity);
+
     void close();
+
 }