summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java2
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java2
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java16
-rw-r--r--vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java3
4 files changed, 15 insertions, 8 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index ed84a9b0a76..396be0adf92 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -77,7 +77,7 @@ public class ZmsClientMock implements ZmsClient {
}
@Override
- public void addRoleMember(AthenzRole role, AthenzIdentity member) {
+ public void addRoleMember(AthenzRole role, AthenzIdentity member, Optional<String> reason) {
if ( ! role.roleName().equals("tenancy.vespa.hosting.admin"))
throw new IllegalArgumentException("Mock only supports adding tenant admins, not " + role.roleName());
getDomainOrThrow(role.domain(), true).tenantAdmin(member);
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 073451f6309..cb3e5ea97c1 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -215,7 +215,7 @@ public class AthenzFacade implements AccessControl {
}
public void addTenantAdmin(AthenzDomain tenantDomain, AthenzUser user) {
- zmsClient.addRoleMember(new AthenzRole(tenantDomain, "tenancy." + service.getFullName() + ".admin"), user);
+ zmsClient.addRoleMember(new AthenzRole(tenantDomain, "tenancy." + service.getFullName() + ".admin"), user, Optional.empty());
}
private void deleteApplication(AthenzDomain domain, ApplicationName application, OktaIdentityToken identityToken, OktaAccessToken accessToken) {
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index 5817eb0c8d2..7503b5a39ed 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -32,6 +32,8 @@ import java.net.URI;
import java.time.Instant;
import java.util.Collections;
import java.util.List;
+import java.util.Objects;
+import java.util.Optional;
import java.util.OptionalInt;
import java.util.Set;
import java.util.function.Function;
@@ -111,13 +113,17 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
}
@Override
- public void addRoleMember(AthenzRole role, AthenzIdentity member) {
+ public void addRoleMember(AthenzRole role, AthenzIdentity member, Optional<String> reason) {
URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s/member/%s", role.domain().getName(), role.roleName(), member.getFullName()));
MembershipEntity membership = new MembershipEntity.RoleMembershipEntity(member.getFullName(), true, role.roleName(), null);
- HttpUriRequest request = RequestBuilder.put(uri)
- .setEntity(toJsonStringEntity(membership))
- .build();
- execute(request, response -> readEntity(response, Void.class));
+
+
+ RequestBuilder requestBuilder = RequestBuilder.put(uri)
+ .setEntity(toJsonStringEntity(membership));
+ if (reason.filter(s -> !s.isBlank()).isPresent()) {
+ requestBuilder.addHeader("Y-Audit-Ref", reason.get());
+ }
+ execute(requestBuilder.build(), response -> readEntity(response, Void.class));
}
@Override
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index 245078e3679..03afc9278cc 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -12,6 +12,7 @@ import com.yahoo.vespa.athenz.api.OktaIdentityToken;
import java.time.Instant;
import java.util.List;
+import java.util.Optional;
import java.util.Set;
/**
@@ -31,7 +32,7 @@ public interface ZmsClient extends AutoCloseable {
void deleteProviderResourceGroup(AthenzDomain tenantDomain, AthenzIdentity providerService, String resourceGroup,
OktaIdentityToken identityToken, OktaAccessToken accessToken);
- void addRoleMember(AthenzRole role, AthenzIdentity member);
+ void addRoleMember(AthenzRole role, AthenzIdentity member, Optional<String> reason);
void deleteRoleMember(AthenzRole role, AthenzIdentity member);