4 files changed, 58 insertions, 0 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java
index dceb56d14c1..d967ad3dca4 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/NoopRoleService.java
@@ -4,6 +4,8 @@ package com.yahoo.vespa.hosted.controller.api.integration.aws;
 import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.TenantName;
 
+import java.util.Collections;
+import java.util.List;
 import java.util.Optional;
 
 /**
@@ -17,7 +19,16 @@ public class NoopRoleService implements RoleService {
     }
 
     @Override
+    public void deleteTenantRole(TenantName tenant) { }
+
+    @Override
     public String createTenantPolicy(TenantName tenant, String policyName, String awsId, String role) {
         return "";
     }
+
+    @Override
+    public void deleteTenantPolicy(TenantName tenant, String policyName) { }
+
+    @Override
+    public void maintainRoles(List<TenantName> tenants) { }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java
index 3c04546f479..4219ad35612 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/aws/RoleService.java
@@ -4,6 +4,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.aws;
 import com.yahoo.config.provision.ApplicationId;
 import com.yahoo.config.provision.TenantName;
 
+import java.util.List;
 import java.util.Optional;
 
 /**
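Review bot: `import java.util.Collections;` in the first NoopRoleService hunk is never used: none of the new no-op methods in the second hunk reference it, and since the import did not exist before this commit no pre-existing code in the file can be using the simple name either. Drop that line and keep only `import java.util.List;`, which `maintainRoles(List<TenantName> tenants)` does need. An unused import is harmless at runtime but will be flagged by the usual Java linters and looks like a leftover from an earlier draft of the stubs.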
@@ -13,6 +14,14 @@ public interface RoleService {
 
     Optional<TenantRoles> createTenantRole(TenantName tenant);
 
+    void deleteTenantRole(TenantName tenant);
+
     String createTenantPolicy(TenantName tenant, String policyName, String awsId, String role);
 
+    void deleteTenantPolicy(TenantName tenant, String policyName);
+
+    /*
+     * Maintain roles for the tenants in the system. Create missing roles, update trust.
+     */
+    void maintainRoles(List<TenantName> tenants);
 }
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java
index 9f9a0f6d56f..d9a233eb475 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/ControllerMaintenance.java
@@ -66,6 +66,7 @@ public class ControllerMaintenance extends AbstractComponent {
         maintainers.add(new EndpointCertificateMaintainer(controller, intervals.endpointCertificateMaintainer));
         maintainers.add(new TrafficShareUpdater(controller, intervals.trafficFractionUpdater));
         maintainers.add(new ArchiveUriUpdater(controller, intervals.archiveUriUpdater));
+        maintainers.add(new TenantRoleMaintainer(controller, intervals.tenantRoleMaintainer));
     }
 
     public Upgrader upgrader() { return upgrader; }
@@ -117,6 +118,7 @@ public class ControllerMaintenance extends AbstractComponent {
         private final Duration endpointCertificateMaintainer;
         private final Duration trafficFractionUpdater;
         private final Duration archiveUriUpdater;
+        private final Duration tenantRoleMaintainer;
 
         public Intervals(SystemName system) {
             this.system = Objects.requireNonNull(system);
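Review bot: The comment above `maintainRoles` in the RoleService hunk opens with `/*` rather than `/**`, so it is not Javadoc and will not reach callers; change the opener to `/**`, and while there, state the contract the caller can rely on. The important gap is whether `tenants` is the complete set of tenants (so an implementation may reconcile and remove roles or trust for tenants absent from the list) or only the set to provision, and whether the call is idempotent — "update trust" is a privilege-affecting operation, and TenantRoleMaintainer in this same commit passes a flag-filtered subset, so this distinction decides whether toggling the flag can drop an existing tenant's role. `deleteTenantRole` and `deleteTenantPolicy` are added with no documentation at all; a one-line Javadoc each, saying what happens when the role or policy does not exist, would complete the interface.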
@@ -145,6 +147,7 @@ public class ControllerMaintenance extends AbstractComponent {
             this.endpointCertificateMaintainer = duration(12, HOURS);
             this.trafficFractionUpdater = duration(5, MINUTES);
             this.archiveUriUpdater = duration(5, MINUTES);
+            this.tenantRoleMaintainer = duration(5, MINUTES);
         }
 
         private Duration duration(long amount, TemporalUnit unit) {
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java
new file mode 100644
index 00000000000..e8b50a6b604
--- /dev/null
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/maintenance/TenantRoleMaintainer.java
@@ -0,0 +1,35 @@
+// Copyright Verizon Media. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+
+package com.yahoo.vespa.hosted.controller.maintenance;
+
+import com.yahoo.vespa.flags.BooleanFlag;
+import com.yahoo.vespa.flags.FetchVector;
+import com.yahoo.vespa.flags.Flags;
+import com.yahoo.vespa.hosted.controller.Controller;
+import com.yahoo.vespa.hosted.controller.tenant.Tenant;
+
+import java.time.Duration;
+import java.util.stream.Collectors;
+
+public class TenantRoleMaintainer extends ControllerMaintainer {
+
+    private final BooleanFlag provisionTenantRoles;
+
+    public TenantRoleMaintainer(Controller controller, Duration tenantRoleMaintainer) {
+        super(controller, tenantRoleMaintainer);
+        provisionTenantRoles = Flags.PROVISION_TENANT_ROLES.bindTo(controller.flagSource());
+    }
+
+    @Override
+    protected boolean maintain() {
+        var roleService = controller().serviceRegistry().roleService();
+        var tenants = controller().tenants().asList();
+        var tenantsWithRoles = tenants.stream()
+                .map(Tenant::name)
+                // Only maintain a subset of the tenants
+                .filter(name -> provisionTenantRoles.with(FetchVector.Dimension.TENANT_ID, name.value()).value())
+                .collect(Collectors.toList());
+        roleService.maintainRoles(tenantsWithRoles);
+        return true;
+    }
+}
|
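Review bot: TenantRoleMaintainer has no class Javadoc and the inline comment `// Only maintain a subset of the tenants` says what the filter does but not why; add `/** Maintains tenant roles through the RoleService for tenants that have the PROVISION_TENANT_ROLES flag enabled. */` above the class and reword the inline comment to `// Roles are only provisioned for tenants with the PROVISION_TENANT_ROLES flag set`. Because `maintainRoles` is handed only the flag-enabled subset, an implementation that treats the list as authoritative and reconciles against it could remove roles or trust for a tenant whose flag was later turned off; if that is not the intent, either the RoleService contract should state that absent tenants are left untouched, or this maintainer should pass the full tenant list and let the service apply the flag. `maintain()` also returns `true` unconditionally, so a failing `maintainRoles` call can only be signalled by an exception; whether ControllerMaintainer counts that as a failed run is decided in the base class, which is outside this diff.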