Diffstat (limited to 'controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java')
-rw-r--r-- | controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 233759f47a7..0be32165916 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.athenz;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
+import com.yahoo.vespa.athenz.api.AthenzGroup;
 import com.yahoo.vespa.athenz.api.AthenzRole;
 import com.yahoo.vespa.athenz.api.AthenzUser;
 import com.yahoo.vespa.athenz.client.zms.ZmsClient;
@@ -14,18 +15,25 @@ import java.util.stream.Collectors;
 public class AthenzAccessControlService implements AccessControlService {
+ private static final String ALLOWED_OPERATOR_GROUPNAME = "vespa-team";
 private static final String DATAPLANE_ACCESS_ROLENAME = "operator-data-plane";
 private final ZmsClient zmsClient;
 private final AthenzRole dataPlaneAccessRole;
+ private final AthenzGroup vespaTeam;
 public AthenzAccessControlService(ZmsClient zmsClient, AthenzDomain domain) {
 this.zmsClient = zmsClient;
 this.dataPlaneAccessRole = new AthenzRole(domain, DATAPLANE_ACCESS_ROLENAME);
+ this.vespaTeam = new AthenzGroup(domain, ALLOWED_OPERATOR_GROUPNAME);
 }
 @Override
 public boolean approveDataPlaneAccess(AthenzUser user, Instant expiry) {
+ // Can only approve team members, other members must be manually approved
+ if(!isVespaTeamMember(user)) {
+ throw new IllegalArgumentException(String.format("User %s requires manual approval, please contact Vespa team", user.getName()));
+ }
 List<AthenzUser> users = zmsClient.listPendingRoleApprovals(dataPlaneAccessRole);
 if (users.contains(user)) {
 zmsClient.approvePendingRoleMembership(dataPlaneAccessRole, user, expiry);
@@ -42,4 +50,8 @@ public class AthenzAccessControlService implements AccessControlService {
 .map(AthenzUser.class::cast)
 .collect(Collectors.toList());
 }
+
+ public boolean isVespaTeamMember(AthenzUser user) {
+ return zmsClient.getGroupMembership(vespaTeam, user);
+ }
 } |
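Review bot: In approveDataPlaneAccess a user outside the vespa-team group is rejected with IllegalArgumentException, while the existing "not in the pending list" case presumably falls through to the method's boolean return (the rest of the body is outside this hunk), so one method reports a policy refusal as an argument error and an absent request as a value, and any caller that maps IllegalArgumentException to a bad-request response will present "requires manual approval" as a malformed call. Either return false for that case too, or make the contract explicit with a Javadoc tag such as `@throws IllegalArgumentException if {@code user} is not a member of the operator group; such users must be approved manually`. The gate also fails closed when `zmsClient.getGroupMembership` throws, which is the right default here and worth stating in that Javadoc. The new `isVespaTeamMember` in the last hunk is public but undocumented; a one-liner like `/** Returns whether {@code user} is a member of the {@code vespa-team} group in the constructor's domain; queries ZMS on every call. */` would do. Minor style: `if(!isVespaTeamMember(user)) {` should read `if (!isVespaTeamMember(user)) {` to match `if (users.contains(user))` a few lines below.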