Diffstat (limited to 'controller-api/src')
4 files changed, 70 insertions, 3 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
index a981b11887e..c1d70bf297d 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
@@ -2,6 +2,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+import com.yahoo.config.provision.TenantName;
 import com.yahoo.vespa.athenz.api.AthenzUser;
 import java.time.Instant;
@@ -14,5 +15,8 @@ import java.util.Collection;
 */
 public interface AccessControlService {
 boolean approveDataPlaneAccess(AthenzUser user, Instant expiry);
+ boolean approveSshAccess(TenantName tenantName, Instant expiry);
+ boolean requestSshAccess(TenantName tenantName);
+ boolean hasPendingAccessRequests(TenantName tenantName);
 Collection<AthenzUser> listMembers();
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index c2d4d4a5996..3f0418b1a9e 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -2,6 +2,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+import com.yahoo.config.provision.TenantName;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzGroup;
 import com.yahoo.vespa.athenz.api.AthenzRole;
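Review bot: The three methods added to the AccessControlService interface carry no Javadoc, so the meaning of their boolean result is only discoverable in AthenzAccessControlService, where `approveSshAccess` and `requestSshAccess` return false when the operator group is already a member rather than on failure. Callers program against this interface, so that contract belongs here, e.g. above `requestSshAccess`: `/** Requests membership of the tenant's ssh access role for the operator group. @return true if a request was created, false if the group is already a member. */`, with matching text for the other two. It would also help to state whether implementations may throw when the underlying ZMS call fails, since MockAccessControlService simply returns false for all three.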
@@ -10,7 +11,6 @@ import com.yahoo.vespa.athenz.client.zms.ZmsClient;
 import java.time.Instant;
 import java.util.Collection;
-import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.stream.Collectors;
@@ -19,13 +19,16 @@ public class AthenzAccessControlService implements AccessControlService {
 private static final String ALLOWED_OPERATOR_GROUPNAME = "vespa-team";
 private static final String DATAPLANE_ACCESS_ROLENAME = "operator-data-plane";
+ private final String TENANT_DOMAIN_PREFIX = "vespa.tenant.";
 private final ZmsClient zmsClient;
 private final AthenzRole dataPlaneAccessRole;
 private final AthenzGroup vespaTeam;
+ private final ZmsClient vespaZmsClient; //TODO: Merge ZMS clients
- public AthenzAccessControlService(ZmsClient zmsClient, AthenzDomain domain) {
+ public AthenzAccessControlService(ZmsClient zmsClient, AthenzDomain domain, ZmsClient vespaZmsClient) {
 this.zmsClient = zmsClient;
+ this.vespaZmsClient = vespaZmsClient;
 this.dataPlaneAccessRole = new AthenzRole(domain, DATAPLANE_ACCESS_ROLENAME);
 this.vespaTeam = new AthenzGroup(domain, ALLOWED_OPERATOR_GROUPNAME);
 }
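Review bot: `TENANT_DOMAIN_PREFIX` is declared as an instance field (`private final String`) although it is named and used as a constant; it should read `private static final String TENANT_DOMAIN_PREFIX = "vespa.tenant.";` next to the two existing constants in the -19,13 hunk. The new constructor also stores `vespaZmsClient` unchecked while the `//TODO: Merge ZMS clients` comment hints that the two clients are easy to confuse at wiring time; `this.vespaZmsClient = Objects.requireNonNull(vespaZmsClient, "vespaZmsClient");` (with a `java.util.Objects` import) would fail at construction rather than on the first SSH-access call. The class body continues outside this hunk.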
@@ -53,6 +56,50 @@ public class AthenzAccessControlService implements AccessControlService {
 .collect(Collectors.toList());
 }
+ /**
+ * @return Whether the ssh access role has any pending role membership requests
+ */
+ public boolean hasPendingAccessRequests(TenantName tenantName) {
+ var role = sshRole(tenantName);
+ var pendingApprovals = vespaZmsClient.listPendingRoleApprovals(role);
+ return !pendingApprovals.isEmpty();
+ }
+
+ /**
+ * @return true if access has been granted - false if already member
+ */
+ public boolean approveSshAccess(TenantName tenantName, Instant expiry) {
+ var role = sshRole(tenantName);
+ if (vespaZmsClient.getMembership(role, vespaTeam))
+ return false;
+
+ if (!hasPendingAccessRequests(tenantName)) {
+ vespaZmsClient.addRoleMember(role, vespaTeam, Optional.empty());
+ }
+ // TODO: Pass along auth0 credentials
+ vespaZmsClient.approvePendingRoleMembership(role, vespaTeam, expiry, Optional.empty());
+ return true;
+ }
+
+ /**
+ * @return true if access has been requested - false if already member
+ */
+ public boolean requestSshAccess(TenantName tenantName) {
+ var role = sshRole(tenantName);
+ if (vespaZmsClient.getMembership(role, vespaTeam))
+ return false;
+ vespaZmsClient.addRoleMember(role, vespaTeam, Optional.empty());
+ return true;
+ }
+
+ private AthenzRole sshRole(TenantName tenantName) {
+ return new AthenzRole(tenantDomain(tenantName), "ssh_access");
+ }
+
+ private AthenzDomain tenantDomain(TenantName tenantName) {
+ return new AthenzDomain(TENANT_DOMAIN_PREFIX + tenantName.value());
+ }
+
 public boolean isVespaTeamMember(AthenzUser user) {
 return zmsClient.getGroupMembership(vespaTeam, user);
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
index a0cc0d1ae1c..f906172dba0 100644
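Review bot: `approveSshAccess` gates its `addRoleMember` call on `hasPendingAccessRequests(tenantName)`, but that helper only reports whether the tenant's ssh_access role has any pending request from any principal, not whether `vespaTeam` has one. If another identity holds a pending request on that role, the operator group's own request is never created, `approvePendingRoleMembership(role, vespaTeam, ...)` is invoked for a membership that was never requested (how the ZMS client behaves then is not visible here), and the method still reports true. The guard should test for a pending entry for `vespaTeam` specifically, by filtering the result of `listPendingRoleApprovals(role)` on that member rather than on the list being non-empty, and `requestSshAccess` should share that check for consistency. Separately, both the self-issued request and the approval pass `Optional.empty()` as the reason, so the ZMS audit record of the operator group granting itself SSH access to a tenant domain carries no justification; a fixed reason string, or the credentials the `// TODO: Pass along auth0 credentials` comment anticipates, would make the grant attributable. Requesting and approving in one call also appears to collapse the two-step approval that pending membership provides, which is worth a comment stating why that is acceptable here.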
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
@@ -2,6 +2,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+import com.yahoo.config.provision.TenantName;
 import com.yahoo.vespa.athenz.api.AthenzUser;
 import java.time.Instant;
@@ -28,6 +29,21 @@ public class MockAccessControlService implements AccessControlService {
 return Set.copyOf(members);
 }
+ @Override
+ public boolean approveSshAccess(TenantName tenantName, Instant expiry) {
+ return false;
+ }
+
+ @Override
+ public boolean requestSshAccess(TenantName tenantName) {
+ return false;
+ }
+
+ @Override
+ public boolean hasPendingAccessRequests(TenantName tenantName) {
+ return false;
+ }
+
 public void addPendingMember(AthenzUser user) {
 pendingMembers.add(user);
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 1b00368b73e..d960c46cacd 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -205,7 +205,7 @@ public class ZmsClientMock implements ZmsClient {
 }
 @Override
- public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzUser athenzUser, Instant expiry, Optional<String> reason) {
+ public void approvePendingRoleMembership(AthenzRole athenzRole, AthenzIdentity athenzIdentity, Instant expiry, Optional<String> reason) {
 }
 @Override |
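Review bot: The three stubs added to MockAccessControlService unconditionally return false, so a controller test of the new SSH-access flow can never observe a created request or a pending state, even though the mock already tracks a `pendingMembers` set for the data-plane path. A small in-memory implementation keyed by tenant would let tests cover the request-then-approve ordering that AthenzAccessControlService relies on; the stubs as written satisfy the interface but hide that ordering. The version below needs a `java.util.HashSet` import, which is outside the hunk.
```java
private final Set<TenantName> pendingSshRequests = new HashSet<>();

@Override
public boolean approveSshAccess(TenantName tenantName, Instant expiry) {
    return pendingSshRequests.remove(tenantName);
}

@Override
public boolean requestSshAccess(TenantName tenantName) {
    return pendingSshRequests.add(tenantName);
}

@Override
public boolean hasPendingAccessRequests(TenantName tenantName) {
    return pendingSshRequests.contains(tenantName);
}
// … unchanged: addPendingMember …
```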