authorBjørn Christian Seime <bjorncs@verizonmedia.com>2021-09-23 10:23:42 +0200
committerGitHub <noreply@github.com>2021-09-23 10:23:42 +0200
commiteab6470364b66d261ce8f9669cd22ffe4ff0bf80 (patch)
tree3200a1275c61b2c8e4eefc2edd7e9fa34e8ef875 /vespa-athenz
parent7ceac5336eb5b1334fa63a493a66acb1918e51d8 (diff)
parent4b8cebdb56aaf99ff31a5b761ed346e6931f6a3a (diff)
Merge pull request #19256 from vespa-engine/bjorncs/s3-athenz-access-control
Bjorncs/s3 athenz access control
Diffstat (limited to 'vespa-athenz')
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java33
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java6
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ResourceGroupRolesEntity.java (renamed from vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ProviderResourceGroupRolesRequestEntity.java)36
4 files changed, 59 insertions, 18 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
index acf580d7e1b..3acd1c34d51 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/common/ClientBase.java
@@ -34,7 +34,7 @@ import java.util.logging.Logger;
*/
public abstract class ClientBase implements AutoCloseable {
- private static final Logger logger = Logger.getLogger(ClientBase.class.getName());
+ protected final Logger logger = Logger.getLogger(getClass().getName());
private static final ObjectMapper objectMapper = new ObjectMapper().registerModule(new JavaTimeModule());
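Review bot: Replacing the static `ClientBase` logger with `Logger.getLogger(getClass().getName())` changes the log category of every subclass from `com.yahoo.vespa.athenz.client.common.ClientBase` to the concrete class name, so any logging configuration, level override or filter keyed on the old name silently stops applying to these clients; a short comment on the field such as `// Per-subclass logger: log lines are categorised under the concrete client class, not ClientBase` would make that deliberate. Exposing the field as `protected` also lets subclasses shadow it; a private field plus a `protected final Logger logger()` accessor would keep the same convenience. The rest of the class lies outside the hunk.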
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index 297852e9584..769a2a54c95 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -1,7 +1,6 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.client.zms;
-import com.yahoo.io.IOUtils;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzGroup;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
@@ -18,7 +17,7 @@ import com.yahoo.vespa.athenz.client.zms.bindings.AssertionEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.DomainListResponseEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.MembershipEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.PolicyEntity;
-import com.yahoo.vespa.athenz.client.zms.bindings.ProviderResourceGroupRolesRequestEntity;
+import com.yahoo.vespa.athenz.client.zms.bindings.ResourceGroupRolesEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.ResponseListEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.RoleEntity;
import com.yahoo.vespa.athenz.client.zms.bindings.ServiceEntity;
@@ -33,11 +32,8 @@ import org.apache.http.entity.StringEntity;
import org.apache.http.message.BasicHeader;
import javax.net.ssl.SSLContext;
-import java.io.IOException;
import java.net.URI;
-import java.nio.charset.StandardCharsets;
import java.time.Instant;
-import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
@@ -104,7 +100,7 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
HttpUriRequest request = RequestBuilder.put()
.setUri(uri)
.addHeader(createCookieHeaderWithOktaTokens(identityToken, accessToken))
- .setEntity(toJsonStringEntity(new ProviderResourceGroupRolesRequestEntity(providerService, tenantDomain, roleActions, resourceGroup)))
+ .setEntity(toJsonStringEntity(new ResourceGroupRolesEntity(providerService, tenantDomain, roleActions, resourceGroup)))
.build();
execute(request, response -> readEntity(response, Void.class)); // Note: The ZMS API will actually return a json object that is similar to ProviderResourceGroupRolesRequestEntity
}
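Review bot: The trailing comment on the `execute(...)` line still names `ProviderResourceGroupRolesRequestEntity`, which this commit renames, so the comment is stale the moment the patch lands; change it to `// Note: The ZMS API will actually return a json object that is similar to ResourceGroupRolesEntity`. Now that the entity carries a `@JsonCreator`, the response could be read as `ResourceGroupRolesEntity.class` rather than discarded via `Void.class`, which would let the caller verify the roles ZMS actually recorded, though that is optional. The enclosing method starts outside the hunk.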
@@ -121,6 +117,31 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
}
@Override
+ public void createTenantResourceGroup(AthenzDomain tenantDomain, AthenzIdentity provider, String resourceGroup,
+ Set<RoleAction> roleActions) {
+ URI uri = zmsUrl.resolve(String.format("domain/%s/service/%s/tenant/%s/resourceGroup/%s",
+ provider.getDomainName(), provider.getName(), tenantDomain.getName(), resourceGroup));
+ HttpUriRequest request = RequestBuilder.put()
+ .setUri(uri)
+ .setEntity(toJsonStringEntity(
+ new ResourceGroupRolesEntity(provider, tenantDomain, roleActions, resourceGroup)))
+ .build();
+ execute(request, response -> readEntity(response, Void.class));
+ }
+
+ @Override
+ public Set<RoleAction> getTenantResourceGroups(AthenzDomain tenantDomain, AthenzIdentity provider,
+ String resourceGroup) {
+ URI uri = zmsUrl.resolve(String.format("domain/%s/service/%s/tenant/%s/resourceGroup/%s",
+ provider.getDomainName(), provider.getName(), tenantDomain.getName(), resourceGroup));
+ HttpUriRequest request = RequestBuilder.get()
+ .setUri(uri)
+ .build();
+ ResourceGroupRolesEntity result = execute(request, response -> readEntity(response, ResourceGroupRolesEntity.class));
+ return result.roles.stream().map(rgr -> new RoleAction(rgr.role, rgr.action)).collect(Collectors.toSet());
+ }
+
+ @Override
public void addRoleMember(AthenzRole role, AthenzIdentity member, Optional<String> reason) {
URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s/member/%s", role.domain().getName(), role.roleName(), member.getFullName()));
MembershipEntity membership = new MembershipEntity.RoleMembershipEntity(member.getFullName(), true, role.roleName(), null);
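Review bot: `getTenantResourceGroups` dereferences `result.roles` directly; because `ResourceGroupRolesEntity` is declared with `ignoreUnknown = true` and a plain `@JsonCreator`, a response that omits `roles` leaves the field null and the method throws a NullPointerException instead of returning an empty set, so guard it: `List<ResourceGroupRolesEntity.TenantRoleAction> roles = result.roles == null ? Collections.emptyList() : result.roles;` and stream over `roles`. Both new methods also interpolate `resourceGroup` and the domain/service names into the request path with `String.format` and no URL-encoding, as the surrounding methods do; if `resourceGroup` can originate from outside the system (for example an operator-supplied name during manual provisioning), validating it against the character set Athenz allows, or encoding it, before formatting keeps a value containing `/` or `..` from addressing a different ZMS resource. The two copies of the `domain/%s/service/%s/tenant/%s/resourceGroup/%s` URI could be built by one private helper, and the name `getTenantResourceGroups` suggests a listing of groups while it returns the role actions of a single group, so `getTenantResourceGroupRoleActions` would read closer to what it does. `addRoleMember` continues outside the hunk.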
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index 7dd0585bfd4..b1c26923113 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -34,6 +34,12 @@ public interface ZmsClient extends AutoCloseable {
void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup,
OktaIdentityToken identityToken, OktaAccessToken accessToken);
+ /** For manual tenancy provisioning - only creates roles/policies on provider domain */
+ void createTenantResourceGroup(AthenzDomain tenantDomain, AthenzIdentity provider, String resourceGroup,
+ Set<RoleAction> roleActions);
+
+ Set<RoleAction> getTenantResourceGroups(AthenzDomain tenantDomain, AthenzIdentity provider, String resourceGroup);
+
void addRoleMember(AthenzRole role, AthenzIdentity member, Optional<String> reason);
void deleteRoleMember(AthenzRole role, AthenzIdentity member);
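Review bot: `getTenantResourceGroups` has no Javadoc although its new sibling right above it documents the narrowed, provider-domain-only scope; add `/** Returns the role actions currently registered for the given resource group of the tenant on the provider's domain */` so callers know it is the read side of `createTenantResourceGroup` and not a listing of resource groups. The plural method name reads as "list the resource groups" while the signature takes one `resourceGroup` and returns its `Set<RoleAction>`; renaming to something like `getTenantResourceGroupRoleActions` would avoid that confusion before the interface is widely used.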
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ProviderResourceGroupRolesRequestEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ResourceGroupRolesEntity.java
index a67bd4dcad6..865dc8c02cb 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ProviderResourceGroupRolesRequestEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/ResourceGroupRolesEntity.java
@@ -1,39 +1,53 @@
// Copyright 2018 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.athenz.client.zms.bindings;
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.yahoo.vespa.athenz.api.AthenzDomain;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
-import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.client.zms.RoleAction;
import java.util.List;
import java.util.Set;
-import java.util.stream.Collectors;
import static java.util.stream.Collectors.toList;
/**
* @author bjorncs
*/
-public class ProviderResourceGroupRolesRequestEntity {
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class ResourceGroupRolesEntity {
@JsonProperty("domain")
- private final String domain;
+ public final String domain;
@JsonProperty("service")
- private final String service;
+ public final String service;
@JsonProperty("tenant")
- private final String tenant;
+ public final String tenant;
@JsonProperty("roles")
- private final List<TenantRoleAction> roles;
+ public final List<TenantRoleAction> roles;
@JsonProperty("resourceGroup")
- private final String resourceGroup;
+ public final String resourceGroup;
- public ProviderResourceGroupRolesRequestEntity(AthenzIdentity providerService, AthenzDomain tenantDomain, Set<RoleAction> rolesActions, String resourceGroup) {
+ @JsonCreator
+ public ResourceGroupRolesEntity(@JsonProperty("domain") String domain,
+ @JsonProperty("service") String service,
+ @JsonProperty("tenant") String tenant,
+ @JsonProperty("roles") List<TenantRoleAction> roles,
+ @JsonProperty("resourceGroup") String resourceGroup) {
+ this.domain = domain;
+ this.service = service;
+ this.tenant = tenant;
+ this.roles = roles;
+ this.resourceGroup = resourceGroup;
+ }
+
+ public ResourceGroupRolesEntity(AthenzIdentity providerService, AthenzDomain tenantDomain, Set<RoleAction> rolesActions, String resourceGroup) {
this.domain = providerService.getDomainName();
this.service = providerService.getName();
this.tenant = tenantDomain.getName();
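Review bot: The new `@JsonCreator` constructor stores whatever Jackson passes for `roles`, so a response without that property yields a null `public final List` that every reader must null-check, and a present list is exposed as a mutable reference through the now-public field; `this.roles = roles == null ? List.of() : List.copyOf(roles);` (Java 9/10+) gives callers a non-null, unmodifiable view. Deserialising `roles` also requires Jackson to construct `TenantRoleAction`, whose constructor in the next hunk shows no `@JsonCreator`/`@JsonProperty` annotations in the visible lines and whose mapper in `ClientBase` registers only `JavaTimeModule`; unless that hunk adds the annotations further down, `getTenantResourceGroups` will fail at runtime with a "no Creators" error, so the visible change cannot be confirmed complete from here. Widening the fields from `private` to `public` rather than adding accessors is acceptable for a bindings DTO, but it is worth a class-level Javadoc sentence stating that the type is now used for both requests and responses.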
@@ -43,10 +57,10 @@ public class ProviderResourceGroupRolesRequestEntity {
public static class TenantRoleAction {
@JsonProperty("role")
- private final String role;
+ public final String role;
@JsonProperty("action")
- private final String action;
+ public final String action;
public TenantRoleAction(String role, String action) {
this.role = role;