Diffstat (limited to 'controller-api/src')
4 files changed, 36 insertions, 0 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
index a08319055ff..b270c27092f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
@@ -19,5 +19,7 @@ public interface AccessControlService {
 boolean approveSshAccess(TenantName tenantName, Instant expiry, OAuthCredentials oAuthCredentials);
 boolean requestSshAccess(TenantName tenantName);
 boolean hasPendingAccessRequests(TenantName tenantName);
+ boolean hasPreapprovedAccess(TenantName tenantName);
+ void setPreapprovedAccess(TenantName tenantName, boolean preapproved);
 Collection<AthenzUser> listMembers();
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index a3f789149cf..6b91f49af8e 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
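Review bot: The two new interface methods carry no Javadoc, and the implementations in this commit disagree on the default — `AthenzAccessControlService.hasPreapprovedAccess` answers true when no `ssh_access` role exists while `MockAccessControlService` answers false — so the meaning of "preapproved" and the expected result for a tenant without an access role need stating on the interface. I would add Javadoc on `hasPreapprovedAccess` saying it reports whether SSH access for the tenant is granted without the approval/review step and what callers may assume when the tenant has no role yet, and on `setPreapprovedAccess` that it creates or updates the tenant's SSH access role accordingly. The parameter is named `preapproved` here but `preapprovedAccess` in the Athenz implementation; aligning the two would help readers.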
@@ -110,6 +110,25 @@ public class AthenzAccessControlService implements AccessControlService {
 return true;
 }
 
+ public boolean hasPreapprovedAccess(TenantName tenantName) {
+ var role = sshRole(tenantName);
+
+ if (!vespaZmsClient.listRoles(role.domain()).contains(role))
+ return true; // true by default
+
+ return !vespaZmsClient.isSelfServeRole(role);
+ }
+
+ public void setPreapprovedAccess(TenantName tenantName, boolean preapprovedAccess) {
+ var role = sshRole(tenantName);
+
+ var attributes = Map.<String, Object>of(
+ "selfServe", !preapprovedAccess,
+ "reviewEnabled", !preapprovedAccess
+ );
+ vespaZmsClient.createRole(role, attributes);
+ }
+
 private AthenzRole sshRole(TenantName tenantName) {
 return new AthenzRole(getOrCreateTenantDomain(tenantName), "ssh_access");
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
index b8106450705..505ee97bdf5 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
@@ -45,6 +45,16 @@ public class MockAccessControlService implements AccessControlService {
 return false;
 }
 
+ @Override
+ public boolean hasPreapprovedAccess(TenantName tenantName) {
+ return false;
+ }
+
+ @Override
+ public void setPreapprovedAccess(TenantName tenantName, boolean preapproved) {
+
+ }
+
 public void addPendingMember(AthenzUser user) {
 pendingMembers.add(user);
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index 38b2a36a348..62a999bb7a6 100644
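Review bot: `hasPreapprovedAccess` fails open: when `ssh_access` is not among the domain's roles it returns true, so a tenant whose role has never been created is treated as pre-approved and skips the review step, and because `MockAccessControlService.hasPreapprovedAccess` answers false for the same situation the test double will not surface this default. Unless absence of the role is deliberately meant to mean "no review required", the least-privilege default is the other way round, e.g. `return false; // no role yet: require explicit approval`, or at least the existing `// true by default` comment should say why absence implies pre-approval. Both new methods also lack `@Override`, which their counterparts in the mock carry. `setPreapprovedAccess` goes through `createRole` even when the role already exists; whether that call preserves current members and other attributes cannot be seen from this hunk and is worth confirming against the ZMS client.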
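Review bot: `MockAccessControlService.setPreapprovedAccess` has an empty body and `hasPreapprovedAccess` always returns false, so the new flag has no observable effect through the mock and the pre-approved path can never be exercised in controller tests; `ZmsClientMock.isSelfServeRole` in the next file has the same constant-answer shape. Recording the flag per tenant would make the mock useful, assuming `java.util.Set`/`HashSet` are in scope like the existing `pendingMembers` collection appears to be: `private final Set<TenantName> preapprovedTenants = new HashSet<>();`, `return preapprovedTenants.contains(tenantName);` and `if (preapproved) preapprovedTenants.add(tenantName); else preapprovedTenants.remove(tenantName);`.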
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -256,6 +256,11 @@ public class ZmsClientMock implements ZmsClient {
 public void createSubdomain(AthenzDomain parent, String name) {}
 
 @Override
+ public boolean isSelfServeRole(AthenzRole role) {
+ return false;
+ }
+
+ @Override
 public void close() {}
 
 private static AthenzDomain getTenantDomain(AthenzResourceName resource) { |