author | Bjørn Christian Seime <bjorncs@verizonmedia.com> | 2021-09-23 10:23:42 +0200 |
committer | GitHub <noreply@github.com> | 2021-09-23 10:23:42 +0200 |
commit | eab6470364b66d261ce8f9669cd22ffe4ff0bf80 (patch) | |
tree | 3200a1275c61b2c8e4eefc2edd7e9fa34e8ef875 /vespa-athenz | |
parent | 7ceac5336eb5b1334fa63a493a66acb1918e51d8 (diff) | |
parent | 4b8cebdb56aaf99ff31a5b761ed346e6931f6a3a (diff) |
Merge pull request #19256 from vespa-engine/bjorncs/s3-athenz-access-control
Bjorncs/s3 athenz access control
Diffstat (limited to 'vespa-athenz')
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java | 2 | ||||
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java | 33 | ||||
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java | 6 | ||||
-rw-r--r-- | vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ResourceGroupRolesEntity.java (renamed from vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ProviderResourceGroupRolesRequestEntity.java) | 36 |
4 files changed, 59 insertions, 18 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
index acf580d7e1b..3acd1c34d51 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
@@ -34,7 +34,7 @@ import java.util.logging.Logger;
 */
 public abstract class ClientBase implements AutoCloseable {
- private static final Logger logger = Logger.getLogger(ClientBase.class.getName());
+ protected final Logger logger = Logger.getLogger(getClass().getName());
 private static final ObjectMapper objectMapper = new ObjectMapper().registerModule(new JavaTimeModule());
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index 297852e9584..769a2a54c95 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -1,7 +1,6 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.client.zms;
-import com.yahoo.io.IOUtils;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzGroup;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
@@ -18,7 +17,7 @@ import com.yahoo.vespa.athenz.client.zms.bindings.AssertionEntity;
 import com.yahoo.vespa.athenz.client.zms.bindings.DomainListResponseEntity;
 import com.yahoo.vespa.athenz.client.zms.bindings.MembershipEntity;
 import com.yahoo.vespa.athenz.client.zms.bindings.PolicyEntity;
-import com.yahoo.vespa.athenz.client.zms.bindings.ProviderResourceGroupRolesRequestEntity;
+import com.yahoo.vespa.athenz.client.zms.bindings.ResourceGroupRolesEntity;
 import com.yahoo.vespa.athenz.client.zms.bindings.ResponseListEntity;
 import com.yahoo.vespa.athenz.client.zms.bindings.RoleEntity;
 import com.yahoo.vespa.athenz.client.zms.bindings.ServiceEntity;
@@ -33,11 +32,8 @@ import org.apache.http.entity.StringEntity;
 import org.apache.http.message.BasicHeader;
 import javax.net.ssl.SSLContext;
-import java.io.IOException;
 import java.net.URI;
-import java.nio.charset.StandardCharsets;
 import java.time.Instant;
-import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -104,7 +100,7 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
 HttpUriRequest request = RequestBuilder.put()
 .setUri(uri)
 .addHeader(createCookieHeaderWithOktaTokens(identityToken, accessToken))
- .setEntity(toJsonStringEntity(new ProviderResourceGroupRolesRequestEntity(providerService, tenantDomain, roleActions, resourceGroup)))
+ .setEntity(toJsonStringEntity(new ResourceGroupRolesEntity(providerService, tenantDomain, roleActions, resourceGroup)))
 .build();
 execute(request, response -> readEntity(response, Void.class)); // Note: The ZMS API will actually return a json object that is similar to ProviderResourceGroupRolesRequestEntity
 }
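Review bot: The trailing comment on the `execute(...)` line still names `ProviderResourceGroupRolesRequestEntity`, the class this commit renames, so after the merge it refers to a type that no longer exists. Change it to `// Note: The ZMS API will actually return a json object that is similar to ResourceGroupRolesEntity`. Now that ResourceGroupRolesEntity has a @JsonCreator and ignores unknown properties, the response could presumably be read as `readEntity(response, ResourceGroupRolesEntity.class)` instead of being discarded via Void.class, which would let the caller check what ZMS actually stored. The enclosing method's signature lies outside the hunk.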
@@ -121,6 +117,31 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
 }
 @Override
+ public void createTenantResourceGroup(AthenzDomain tenantDomain, AthenzIdentity provider, String resourceGroup,
+ Set<RoleAction> roleActions) {
+ URI uri = zmsUrl.resolve(String.format("domain/%s/service/%s/tenant/%s/resourceGroup/%s",
+ provider.getDomainName(), provider.getName(), tenantDomain.getName(), resourceGroup));
+ HttpUriRequest request = RequestBuilder.put()
+ .setUri(uri)
+ .setEntity(toJsonStringEntity(
+ new ResourceGroupRolesEntity(provider, tenantDomain, roleActions, resourceGroup)))
+ .build();
+ execute(request, response -> readEntity(response, Void.class));
+ }
+
+ @Override
+ public Set<RoleAction> getTenantResourceGroups(AthenzDomain tenantDomain, AthenzIdentity provider,
+ String resourceGroup) {
+ URI uri = zmsUrl.resolve(String.format("domain/%s/service/%s/tenant/%s/resourceGroup/%s",
+ provider.getDomainName(), provider.getName(), tenantDomain.getName(), resourceGroup));
+ HttpUriRequest request = RequestBuilder.get()
+ .setUri(uri)
+ .build();
+ ResourceGroupRolesEntity result = execute(request, response -> readEntity(response, ResourceGroupRolesEntity.class));
+ return result.roles.stream().map(rgr -> new RoleAction(rgr.role, rgr.action)).collect(Collectors.toSet());
+ }
+
+ @Override
 public void addRoleMember(AthenzRole role, AthenzIdentity member, Optional<String> reason) {
 URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s/member/%s", role.domain().getName(), role.roleName(), member.getFullName()));
 MembershipEntity membership = new MembershipEntity.RoleMembershipEntity(member.getFullName(), true, role.roleName(), null);
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index 7dd0585bfd4..b1c26923113 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
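Review bot: `getTenantResourceGroups` calls `result.roles.stream()` without a null check; the @JsonCreator constructor of ResourceGroupRolesEntity stores the deserialized `roles` argument as-is, so a ZMS response without a `roles` member would presumably surface as a NullPointerException rather than an empty set. Guard it before the stream: `List<ResourceGroupRolesEntity.TenantRoleAction> roles = result.roles != null ? result.roles : Collections.emptyList();` and stream over `roles`. Both new methods build the same URI from the same format string, interpolating the domain, service and `resourceGroup` values unescaped exactly as the existing addRoleMember path does; a private `tenantResourceGroupUri(tenantDomain, provider, resourceGroup)` helper would remove the duplication and give one place to add path-segment encoding. The name `getTenantResourceGroups` also reads as a listing, while the method returns the role actions of a single resource group.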
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -34,6 +34,12 @@ public interface ZmsClient extends AutoCloseable {
 void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup, OktaIdentityToken identityToken, OktaAccessToken accessToken);
+ /** For manual tenancy provisioning - only creates roles/policies on provider domain */
+ void createTenantResourceGroup(AthenzDomain tenantDomain, AthenzIdentity provider, String resourceGroup,
+ Set<RoleAction> roleActions);
+
+ Set<RoleAction> getTenantResourceGroups(AthenzDomain tenantDomain, AthenzIdentity provider, String resourceGroup);
+
 void addRoleMember(AthenzRole role, AthenzIdentity member, Optional<String> reason);
 void deleteRoleMember(AthenzRole role, AthenzIdentity member);
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ProviderResourceGroupRolesRequestEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ResourceGroupRolesEntity.java
index a67bd4dcad6..865dc8c02cb 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ProviderResourceGroupRolesRequestEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ResourceGroupRolesEntity.java
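Review bot: `getTenantResourceGroups` joins the public interface without any Javadoc, and its plural name suggests a listing while the signature returns the `Set<RoleAction>` of the single `resourceGroup` argument. A one-line doc such as `/** Returns the role actions currently registered for the given tenant resource group on the provider domain */` would resolve that ambiguity. The Javadoc on createTenantResourceGroup could also state whether the call replaces or merges the existing role set, since the implementation issues a PUT carrying the whole `roleActions` set. The interface declaration starts outside the hunk.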
@@ -1,39 +1,53 @@
 // Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.vespa.athenz.client.zms.bindings;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
-import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.athenz.client.zms.RoleAction;
 import java.util.List;
 import java.util.Set;
-import java.util.stream.Collectors;
 import static java.util.stream.Collectors.toList;
 /**
 * @author bjorncs
 */
-public class ProviderResourceGroupRolesRequestEntity {
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ResourceGroupRolesEntity {
 @JsonProperty("domain")
- private final String domain;
+ public final String domain;
 @JsonProperty("service")
- private final String service;
+ public final String service;
 @JsonProperty("tenant")
- private final String tenant;
+ public final String tenant;
 @JsonProperty("roles")
- private final List<TenantRoleAction> roles;
+ public final List<TenantRoleAction> roles;
 @JsonProperty("resourceGroup")
- private final String resourceGroup;
+ public final String resourceGroup;
- public ProviderResourceGroupRolesRequestEntity(AthenzIdentity providerService, AthenzDomain tenantDomain, Set<RoleAction> rolesActions, String resourceGroup) {
+ @JsonCreator
+ public ResourceGroupRolesEntity(@JsonProperty("domain") String domain,
+ @JsonProperty("service") String service,
+ @JsonProperty("tenant") String tenant,
+ @JsonProperty("roles") List<TenantRoleAction> roles,
+ @JsonProperty("resourceGroup") String resourceGroup) {
+ this.domain = domain;
+ this.service = service;
+ this.tenant = tenant;
+ this.roles = roles;
+ this.resourceGroup = resourceGroup;
+ }
+
+ public ResourceGroupRolesEntity(AthenzIdentity providerService,
AthenzDomain tenantDomain, Set<RoleAction> rolesActions, String resourceGroup) {
 this.domain = providerService.getDomainName();
 this.service = providerService.getName();
 this.tenant = tenantDomain.getName();
@@ -43,10 +57,10 @@ public class ProviderResourceGroupRolesRequestEntity {
 public static class TenantRoleAction {
 @JsonProperty("role")
- private final String role;
+ public final String role;
 @JsonProperty("action")
- private final String action;
+ public final String action;
 public TenantRoleAction(String role, String action) {
 this.role = role; |
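Review bot: With the fields now `public final`, the @JsonCreator constructor publishes the deserialized `roles` list by reference (`this.roles = roles;`), so any holder of a ResourceGroupRolesEntity can mutate it and a missing `roles` property leaves the field null. Making the binding immutable and null-safe is a one-line change in that constructor: `this.roles = roles == null ? List.of() : List.copyOf(roles);`. The class Javadoc still consists of `@author` only; a sentence stating that the entity now serves as both the PUT request body and the GET response binding of the tenant resource-group endpoint would help the next reader. The hunk ends inside the second constructor, whose body continues past it.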