-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java5
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java7
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java9
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java2
4 files changed, 23 insertions, 0 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
index 7ab1ba36aa6..8e21d8cbf20 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzDbMock.java
@@ -57,6 +57,11 @@ public class AthenzDbMock {
return this;
}
+ public Domain deleteTenantAdmin(AthenzIdentity identity) {
+ tenantAdmins.remove(identity);
+ return this;
+ }
+
/**
* Simulates establishing Vespa tenancy in Athens.
*/
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index e44038d0185..096a1af2824 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -81,6 +81,13 @@ public class ZmsClientMock implements ZmsClient {
}
@Override
+ public void deleteRoleMember(AthenzRole role, AthenzIdentity member) {
+ if ( ! role.roleName().equals("tenancy.vespa.hosting.admin"))
+ throw new IllegalArgumentException("Mock only supports deleting tenant admins, not " + role.roleName());
+ getDomainOrThrow(role.domain(), true).deleteTenantAdmin(member);
+ }
+
+ @Override
public boolean getMembership(AthenzRole role, AthenzIdentity identity) {
if (role.roleName().equals("admin")) {
return getDomainOrThrow(role.domain(), false).admins.contains(identity);
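Review bot: The mock's `deleteRoleMember` succeeds silently when `member` was never a tenant admin, because `AthenzDbMock.deleteTenantAdmin` (first hunk of this commit) discards the result of `tenantAdmins.remove(identity)`. How the real ZMS answers a delete for a non-member is not visible in this commit, so a revocation test that passes against the mock may not reflect production behaviour. It would help to document the chosen semantics on the mock, e.g. `// Removing a non-member is a no-op here; confirm this matches ZMS`, or to have it throw if the real service rejects the call. The role name literal `"tenancy.vespa.hosting.admin"` is also hard-coded in the guard; if the code that adds tenant admins already names this role somewhere, reusing that constant would keep the grant and revoke paths from drifting apart.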
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index d0b0de45a0b..eaf83238145 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -100,7 +100,16 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
@Override
public void addRoleMember(AthenzRole role, AthenzIdentity member) {
+ URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s/member/%s", role.domain().getName(), role.roleName(), member.getFullName()));
+ HttpUriRequest request = RequestBuilder.put(uri).build();
+ execute(request, response -> readEntity(response, Void.class));
+ }
+ @Override
+ public void deleteRoleMember(AthenzRole role, AthenzIdentity member) {
+ URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s/member/%s", role.domain().getName(), role.roleName(), member.getFullName()));
+ HttpUriRequest request = RequestBuilder.delete(uri).build();
+ execute(request, response -> readEntity(response, Void.class));
}
@Override
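Review bot: Both `addRoleMember` and `deleteRoleMember` build the ZMS path with `String.format("domain/%s/role/%s/member/%s", ...)` from `role.domain().getName()`, `role.roleName()` and `member.getFullName()`, with no validation or encoding of the segments. If any of these values can carry `/`, `..`, `?` or `#` (whether `AthenzRole` and `AthenzIdentity` already restrict their contents is not visible here), the PUT or DELETE would be resolved against a different ZMS resource than intended. On an API that grants and revokes role membership, that should fail closed. The two methods also duplicate the URI construction, so a shared helper that checks each segment would cover both. Separately, the PUT is sent without an entity; please confirm ZMS accepts a body-less membership PUT, since if it expects a membership document in the body the grant would fail at runtime.

```java
// Shared by addRoleMember and deleteRoleMember
private URI roleMemberUri(AthenzRole role, AthenzIdentity member) {
    return zmsUrl.resolve(String.format("domain/%s/role/%s/member/%s",
                                        safeSegment(role.domain().getName()),
                                        safeSegment(role.roleName()),
                                        safeSegment(member.getFullName())));
}

private static String safeSegment(String value) {
    if (value.isEmpty() || value.equals(".") || value.equals("..") || value.matches(".*[/?#%\\s].*"))
        throw new IllegalArgumentException("Illegal ZMS path segment: '" + value + "'");
    return value;
}

@Override
public void deleteRoleMember(AthenzRole role, AthenzIdentity member) {
    HttpUriRequest request = RequestBuilder.delete(roleMemberUri(role, member)).build();
    // … unchanged: execute(request, …) …
}
```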
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index 635cd30605d..12762534bd4 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -30,6 +30,8 @@ public interface ZmsClient extends AutoCloseable {
void addRoleMember(AthenzRole role, AthenzIdentity member);
+ void deleteRoleMember(AthenzRole role, AthenzIdentity member);
+
boolean getMembership(AthenzRole role, AthenzIdentity identity);
List<AthenzDomain> getDomainList(String prefix);
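Review bot: The new `deleteRoleMember(AthenzRole role, AthenzIdentity member)` on the interface has no Javadoc, so nothing states the contract that the real client and the mock both have to honour. Since this call revokes access, callers need to know whether removing an identity that is not a member is a no-op or an error, and how a failed revocation is reported, so that it is not mistaken for success. A short Javadoc would do, e.g. `/** Removes {@code member} from {@code role}; see implementation notes for behaviour when the member is absent. */`, with a `@throws` line naming the exception the client raises on a ZMS error.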