5 files changed, 28 insertions, 1 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 1472f03ebca..233759f47a7 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -10,6 +10,7 @@ import com.yahoo.vespa.athenz.client.zms.ZmsClient;
 import java.time.Instant;
 import java.util.Collection;
 import java.util.List;
+import java.util.stream.Collectors;
 public class AthenzAccessControlService implements AccessControlService {
@@ -34,7 +35,11 @@ public class AthenzAccessControlService implements AccessControlService {
     }
     @Override
+    // Return list of approved members (users, excluding services) of data plane role
     public Collection<AthenzUser> listMembers() {
-        throw new UnsupportedOperationException("Not implemented");
+        return zmsClient.listMembers(dataPlaneAccessRole)
+                .stream().filter(AthenzUser.class::isInstance)
+                .map(AthenzUser.class::cast)
+                .collect(Collectors.toList());
     }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 6509bd40ebf..deeecf217e7 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
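Review bot: The line comment inserted between `@Override` and the `listMembers()` signature describes the method but is not Javadoc and sits in an unusual spot; move it above the annotation as `/** Returns the approved members (users only, service identities excluded) of the data-plane access role. */`. The "approved" half of that contract is not enforced in this method — the filter and cast only drop non-user identities — so it holds only if the injected ZmsClient already excludes pending memberships, which the interface signature does not promise. Stating that dependency in the comment keeps a future ZmsClient implementation that returns pending members from silently widening who is reported as a data-plane member. The rest of the class is outside the hunk.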
@@ -156,6 +156,10 @@ public class ZmsClientMock implements ZmsClient {
     public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry) { }
+    @Override
+    public List<AthenzIdentity> listMembers(AthenzRole athenzRole) {
+        return List.of();
+    }
     @Override
     public void close() {}
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
index 9ee599b22eb..f73ac9c3535 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/DefaultZmsClient.java
@@ -33,6 +33,7 @@ import java.util.Collections;
 import java.util.List;
 import java.util.OptionalInt;
 import java.util.Set;
+import java.util.function.Function;
 import java.util.function.Supplier;
 import java.util.stream.Collectors;
@@ -230,6 +231,17 @@ public class DefaultZmsClient extends ClientBase implements ZmsClient {
         execute(request, response -> readEntity(response, Void.class));
     }
+    @Override
+    public List<AthenzIdentity> listMembers(AthenzRole athenzRole) {
+        URI uri = zmsUrl.resolve(String.format("domain/%s/role/%s", athenzRole.domain().getName(), athenzRole.roleName()));
+        RoleEntity execute = execute(RequestBuilder.get(uri).build(), response -> readEntity(response, RoleEntity.class));
+        return execute.roleMembers().stream()
+                .filter(member -> ! member.pendingApproval())
+                .map(RoleEntity.Member::memberName)
+                .map(AthenzIdentities::from)
+                .collect(Collectors.toList());
+    }
+
     private static Header createCookieHeaderWithOktaTokens(OktaIdentityToken identityToken, OktaAccessToken accessToken) {
         return new BasicHeader("Cookie", String.format("okta_at=%s; okta_it=%s", accessToken.token(), identityToken.token()));
     }
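Review bot: `java.util.function.Function` is added to the import block of DefaultZmsClient, but nothing in the new `listMembers` method in this file's later hunk refers to it, and the pre-existing `execute(request, response -> ...)` call already compiled without it. Unless the name is used somewhere in the file outside the diff, drop the line `import java.util.function.Function;` so the change does not introduce an unused import.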
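Review bot: The local `RoleEntity execute = execute(...)` in the new `listMembers` method shadows the `execute` method name and makes the line hard to read; `RoleEntity role = execute(RequestBuilder.get(uri).build(), response -> readEntity(response, RoleEntity.class));` followed by `return role.roleMembers().stream()` reads more naturally. The filter keeps every member that is not pending approval, yet the `Member` binding also carries an `active` field (visible in the RoleEntity hunk of this diff); if ZMS uses it to mark expired or disabled memberships, an inactive member would still be reported as a role member to AthenzAccessControlService, so consider also filtering on it once the field's meaning is confirmed — no `Member.active()` accessor is visible in this diff, so that may need adding. The domain and role names are interpolated into the request path without escaping; this presumably mirrors the other request builders in the class, but it is worth a one-line comment if either value can originate outside the controller. The enclosing class continues outside the hunk.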
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
index 8afa9000ed1..15e8ba77850 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/ZmsClient.java
@@ -48,5 +48,7 @@ public interface ZmsClient extends AutoCloseable {
     void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry);
+    List<AthenzIdentity> listMembers(AthenzRole athenzRole);
+
     void close();
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/RoleEntity.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/RoleEntity.java
index e5bcc4d977e..5babe292138 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/RoleEntity.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/client/zms/bindings/RoleEntity.java
@@ -8,6 +8,9 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import java.util.List;
+/**
+ * @author mortent
+ */
 @JsonIgnoreProperties(ignoreUnknown = true)
 public class RoleEntity {
     private final String roleName;
@@ -27,6 +30,7 @@ public class RoleEntity {
         return roleMembers;
     }
+    @JsonIgnoreProperties(ignoreUnknown = true)
     public static final class Member {
         private final String memberName;
         private final boolean active;
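Review bot: The new `listMembers` declaration on the ZmsClient interface has no Javadoc, and its callers already depend on a contract the signature does not state: AthenzAccessControlService treats the result as the approved membership, while DefaultZmsClient drops members still pending approval and ZmsClientMock returns nothing. Document the contract on the interface so every implementation honours it, e.g. `/** Returns the current members of the role, excluding memberships that are still pending approval. */` above the declaration. The interface's remaining methods are outside the hunk.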