Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java3
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/configserver/Node.java31
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java3
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Context.java7
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java45
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java8
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SecurityContext.java7
7 files changed, 78 insertions, 26 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java
index aba3b5f3ab7..fffa849f7d3 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzClientFactory.java
@@ -1,6 +1,7 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.controller.api.integration.athenz;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.athenz.client.zms.ZmsClient;
import com.yahoo.vespa.athenz.client.zts.ZtsClient;
@@ -10,7 +11,7 @@ import com.yahoo.vespa.athenz.client.zts.ZtsClient;
*/
public interface AthenzClientFactory {
- AthenzService getControllerIdentity();
+ AthenzIdentity getControllerIdentity();
ZmsClient createZmsClient();
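Review bot: getControllerIdentity() now returns the broader AthenzIdentity instead of AthenzService, and the method still carries no Javadoc, so a reader cannot tell what kind of identity the controller is expected to present; a one-line doc would pin the contract, e.g. `/** Returns the Athenz identity the controller itself authenticates as. */`. Any caller that depended on AthenzService-specific members must now narrow the type itself, which is presumably handled elsewhere in the commit but is not visible in this file. The rest of the interface continues below the hunk.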
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/configserver/Node.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/configserver/Node.java
index d166bb0d3fb..d618464fc2a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/configserver/Node.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/configserver/Node.java
@@ -31,10 +31,14 @@ public class Node {
private final long wantedRestartGeneration;
private final long rebootGeneration;
private final long wantedRebootGeneration;
+ private final String canonicalFlavor;
+ private final String clusterId;
+ private final ClusterType clusterType;
public Node(HostName hostname, State state, NodeType type, Optional<ApplicationId> owner,
Version currentVersion, Version wantedVersion, Version currentOsVersion, Version wantedOsVersion, ServiceState serviceState,
- long restartGeneration, long wantedRestartGeneration, long rebootGeneration, long wantedRebootGeneration) {
+ long restartGeneration, long wantedRestartGeneration, long rebootGeneration, long wantedRebootGeneration,
+ String canonicalFlavor, String clusterId, ClusterType clusterType) {
this.hostname = hostname;
this.state = state;
this.type = type;
@@ -48,13 +52,17 @@ public class Node {
this.wantedRestartGeneration = wantedRestartGeneration;
this.rebootGeneration = rebootGeneration;
this.wantedRebootGeneration = wantedRebootGeneration;
+ this.canonicalFlavor = canonicalFlavor;
+ this.clusterId = clusterId;
+ this.clusterType = clusterType;
}
@TestOnly
public Node(HostName hostname, State state, NodeType type, Optional<ApplicationId> owner,
Version currentVersion, Version wantedVersion) {
this(hostname, state, type, owner, currentVersion, wantedVersion,
- Version.emptyVersion, Version.emptyVersion, ServiceState.unorchestrated, 0, 0, 0, 0);
+ Version.emptyVersion, Version.emptyVersion, ServiceState.unorchestrated, 0, 0, 0, 0,
+ "d-2-8-50", "cluster", ClusterType.container);
}
public HostName hostname() {
@@ -107,6 +115,18 @@ public class Node {
return wantedRebootGeneration;
}
+ public String canonicalFlavor() {
+ return canonicalFlavor;
+ }
+
+ public String clusterId() {
+ return clusterId;
+ }
+
+ public ClusterType clusterType() {
+ return clusterType;
+ }
+
@Override
public boolean equals(Object o) {
if (this == o) return true;
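Review bot: The three new accessors are inserted directly above equals(), but nothing in this hunk (or the constructor hunks above) shows canonicalFlavor, clusterId and clusterType being added to equals()/hashCode(); equals()' body continues past the hunk, so this needs confirming. If they are left out, two Node instances that differ only in flavor or cluster compare equal, which would silently collapse nodes from different clusters wherever Nodes are put in sets or compared. The two new String fields are also stored without a null check, unlike the Objects.requireNonNull style this same commit adopts in Role and SecurityContext; `this.clusterType = Objects.requireNonNull(clusterType);` and the same for the two strings would keep equals()/hashCode() from having to tolerate null.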
@@ -139,4 +159,11 @@ public class Node {
unorchestrated
}
+ /** Known cluster types. */
+ public enum ClusterType {
+ admin,
+ container,
+ content
+ }
+
}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java
index c168ddf6caf..db9291cd651 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/zone/ZoneRegistry.java
@@ -9,6 +9,7 @@ import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.zone.UpgradePolicy;
import com.yahoo.config.provision.zone.ZoneFilter;
import com.yahoo.config.provision.zone.ZoneId;
+import com.yahoo.vespa.athenz.api.AthenzIdentity;
import com.yahoo.vespa.athenz.api.AthenzService;
import com.yahoo.vespa.hosted.controller.api.identifiers.DeploymentId;
import com.yahoo.vespa.hosted.controller.api.integration.deployment.RunId;
@@ -53,7 +54,7 @@ public interface ZoneRegistry {
SystemName system();
/** Return the configserver's Athenz service identity */
- AthenzService getConfigServerAthenzService(ZoneId zoneId);
+ AthenzIdentity getConfigServerAthenzIdentity(ZoneId zoneId);
/** Returns the Vespa upgrade policy to use for zones in this registry */
UpgradePolicy upgradePolicy();
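Review bot: The Javadoc on the line above the renamed method still says "Athenz service identity", while the method is now getConfigServerAthenzIdentity and returns the more general AthenzIdentity, so the comment and the signature disagree; `/** Returns the config server's Athenz identity in the given zone */` would match the new type. Presumably the wider type is what lets non-service identities be returned, but that motivation is not visible here.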
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Context.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Context.java
index 3ba0367a00c..14d8d06d0c6 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Context.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Context.java
@@ -9,7 +9,7 @@ import java.util.Objects;
import java.util.Optional;
/**
- * The context in which a role is valid.
+ * The context in which a role is valid. This is immutable.
*
* @author mpolden
*/
@@ -40,11 +40,6 @@ public class Context {
return system;
}
- /** Returns whether this context is considered limited */
- public boolean limited() {
- return tenant.isPresent() || application.isPresent();
- }
-
/** Returns a context that has no restrictions on tenant or application in given system */
public static Context unlimitedIn(SystemName system) {
return new Context(Optional.empty(), Optional.empty(), system);
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 797ca10ed3d..23bf8514b9c 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -15,6 +15,7 @@ import java.util.Set;
* When creating a new API, its paths must be added here and a policy must be declared in {@link Policy}.
*
* @author mpolden
+ * @author jonmv
*/
public enum PathGroup {
@@ -32,31 +33,38 @@ public enum PathGroup {
/** Paths used for creating tenants with proper access control. */
tenant(Matcher.tenant,
+ Optional.of("/api"),
"/application/v4/tenant/{tenant}"),
/** Paths used for user management on the tenant level. */
tenantUsers(Matcher.tenant,
+ Optional.of("/api"),
"/user/v1/tenant/{tenant}"),
/** Paths used by tenant administrators. */
tenantInfo(Matcher.tenant,
+ Optional.of("/api"),
"/application/v4/tenant/{tenant}/application/"),
/** Path for the base application resource. */
application(Matcher.tenant,
Matcher.application,
+ Optional.of("/api"),
"/application/v4/tenant/{tenant}/application/{application}"),
/** Paths used for user management on the application level. */
applicationUsers(Matcher.tenant,
Matcher.application,
+ Optional.of("/api"),
"/user/v1/tenant/{tenant}/application/{application}"),
/** Paths used by application administrators. */
applicationInfo(Matcher.tenant,
Matcher.application,
+ Optional.of("/api"),
"/application/v4/tenant/{tenant}/application/{application}/deploying/{*}",
"/application/v4/tenant/{tenant}/application/{application}/instance/{*}",
+ "/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{instance}/nodes",
"/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{instance}/logs",
"/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{instance}/suspended",
"/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{instance}/service/{*}",
@@ -65,10 +73,12 @@ public enum PathGroup {
/** Path used to restart application nodes. */ // TODO move to the above when everyone is on new pipeline.
applicationRestart(Matcher.tenant,
Matcher.application,
+ Optional.of("/api"),
"/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{ignored}/restart"),
/** Paths used for development deployments. */
developmentDeployment(Matcher.tenant,
Matcher.application,
+ Optional.of("/api"),
"/application/v4/tenant/{tenant}/application/{application}/environment/dev/region/{region}/instance/{instance}",
"/application/v4/tenant/{tenant}/application/{application}/environment/dev/region/{region}/instance/{instance}/deploy",
"/application/v4/tenant/{tenant}/application/{application}/environment/perf/region/{region}/instance/{instance}",
@@ -77,6 +87,7 @@ public enum PathGroup {
/** Paths used for production deployments. */
productionDeployment(Matcher.tenant,
Matcher.application,
+ Optional.of("/api"),
"/application/v4/tenant/{tenant}/application/{application}/environment/prod/region/{region}/instance/{instance}",
"/application/v4/tenant/{tenant}/application/{application}/environment/prod/region/{region}/instance/{instance}/deploy",
"/application/v4/tenant/{tenant}/application/{application}/environment/test/region/{region}/instance/{instance}",
@@ -87,21 +98,26 @@ public enum PathGroup {
/** Paths used for continuous deployment to production. */
submission(Matcher.tenant,
Matcher.application,
+ Optional.of("/api"),
"/application/v4/tenant/{tenant}/application/{application}/submit"),
/** Paths used for other tasks by build services. */ // TODO: This will vanish.
buildService(Matcher.tenant,
Matcher.application,
+ Optional.of("/api"),
"/application/v4/tenant/{tenant}/application/{application}/jobreport",
"/application/v4/tenant/{tenant}/application/{application}/promote",
"/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{instance}/promote"),
+ /** Paths which contain (not very strictly) classified information about customers. */
+ classifiedTenantInfo(Optional.of("/api"),
+ "/application/v4/",
+ "/application/v4/tenant/"),
+
/** Paths which contain (not very strictly) classified information about, e.g., customers. */
classifiedInfo("/athenz/v1/{*}",
"/cost/v1/{*}",
"/deployment/v1/{*}",
- "/application/v4/",
- "/application/v4/tenant/",
"/",
"/d/{*}",
"/statuspage/v1/{*}"),
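Review bot: classifiedTenantInfo is a new PathGroup, yet Policy.java — which the class Javadoc above says must declare a policy for every new group, and which lives in this same controller-api package — is not in this commit's diffstat, so unless a policy covers groups generically, `/api/application/v4/` and `/api/application/v4/tenant/` are now matched by a group that no policy names. Before this hunk those two specs were granted through classifiedInfo, so the likely effect under deny-by-default is that listing tenants stops working rather than becomes over-exposed; either way it is worth confirming against Policy before merge. The hunk also moves the two routes behind the "/api" prefix at the same time, which is a second behavioral change that the group's Javadoc does not mention, and that Javadoc is now a near copy of classifiedInfo's — a short distinguishing sentence such as `/** Tenant-listing paths under the /api prefix; classified like {@link #classifiedInfo}, but scoped to the tenant listing only. */` would help.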
@@ -111,30 +127,43 @@ public enum PathGroup {
"/zone/v1/{*}");
final List<String> pathSpecs;
+ final String prefix;
final List<Matcher> matchers;
PathGroup(String... pathSpecs) {
- this(List.of(), List.of(pathSpecs));
+ this(List.of(), Optional.empty(), List.of(pathSpecs));
+ }
+
+ PathGroup(Optional<String> prefix, String... pathSpecs) {
+ this(List.of(), prefix, List.of(pathSpecs));
}
PathGroup(Matcher first, String... pathSpecs) {
- this(List.of(first), List.of(pathSpecs));
+ this(List.of(first), Optional.empty(), List.of(pathSpecs));
+ }
+
+ PathGroup(Matcher first, Optional<String> prefix, String... pathSpecs) {
+ this(List.of(first), prefix, List.of(pathSpecs));
}
PathGroup(Matcher first, Matcher second, String... pathSpecs) {
- this(List.of(first, second), List.of(pathSpecs));
+ this(List.of(first, second), Optional.empty(), List.of(pathSpecs));
+ }
+
+ PathGroup(Matcher first, Matcher second, Optional<String> prefix, String... pathSpecs) {
+ this(List.of(first, second), prefix, List.of(pathSpecs));
}
/** Creates a new path group, if the given context matchers are each present exactly once in each of the given specs. */
- PathGroup(List<Matcher> matchers, List<String> pathSpecs) {
+ PathGroup(List<Matcher> matchers, Optional<String> prefix, List<String> pathSpecs) {
this.matchers = matchers;
+ this.prefix = prefix.orElse("");
this.pathSpecs = pathSpecs;
}
/** Returns path if it matches any spec in this group, with match groups set by the match. */
- @SuppressWarnings("deprecation")
private Optional<Path> get(URI uri) {
- Path matcher = new Path(uri); // TODO Get URI down here.
+ Path matcher = new Path(uri, prefix);
for (String spec : pathSpecs) // Iterate to be sure the Path's state is that of the match.
if (matcher.matches(spec)) return Optional.of(matcher);
return Optional.empty();
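Review bot: The Optional<String> prefix parameters on the new constructors read as the usual Optional-as-argument smell, but here they appear to be deliberate: a `PathGroup(String prefix, String... pathSpecs)` overload would be chosen over `PathGroup(String... pathSpecs)` for calls like classifiedInfo(...), silently treating the first spec as a prefix, so the Optional is what keeps the two shapes distinct. That reasoning is not recorded anywhere, and the next maintainer may well "clean it up"; a comment on the first Optional overload, `// Optional rather than String so these overloads cannot capture the first path spec of the String... constructors.`, would preserve it. The new `prefix` field also deserves a one-line doc stating that it is the empty string when no prefix was given, since get() passes it straight to Path.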
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
index ff535e92033..c28fa7a3fc3 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
@@ -4,8 +4,6 @@ package com.yahoo.vespa.hosted.controller.api.role;
import java.net.URI;
import java.util.Objects;
-import static java.util.Objects.requireNonNull;
-
/**
* A role is a combination of a {@link RoleDefinition} and a {@link Context}, which allows evaluation
* of access control for a given action on a resource. Create using {@link Roles}.
@@ -18,15 +16,15 @@ public abstract class Role {
final Context context;
Role(RoleDefinition roleDefinition, Context context) {
- this.roleDefinition = requireNonNull(roleDefinition);
- this.context = requireNonNull(context);
+ this.roleDefinition = Objects.requireNonNull(roleDefinition);
+ this.context = Objects.requireNonNull(context);
}
/** Returns the role definition of this bound role. */
public RoleDefinition definition() { return roleDefinition; }
/** Returns whether this role is allowed to perform the given action on the given resource. */
- public boolean allows(Action action, URI uri) {
+ public final boolean allows(Action action, URI uri) {
return roleDefinition.policies().stream().anyMatch(policy -> policy.evaluate(action, uri, context));
}
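Review bot: Making allows() final is the right call for the access-control entry point, since a subclass can no longer replace the policy evaluation with its own answer, but nothing records that intent and the modifier could later be dropped as an apparent leftover. Extending the Javadoc on the line above to `/** Returns whether this role is allowed to perform the given action on the given resource. Final so subclasses cannot bypass policy evaluation. */` would make the reason explicit. The rest of the class continues below the hunk.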
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SecurityContext.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SecurityContext.java
index 41444258a68..3378f9e0061 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SecurityContext.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SecurityContext.java
@@ -5,8 +5,9 @@ import java.security.Principal;
import java.util.Objects;
import java.util.Set;
-import static java.util.Objects.requireNonNull;
-
+/**
+ * @author tokle
+ */
public class SecurityContext {
public static final String ATTRIBUTE_NAME = SecurityContext.class.getName();
@@ -15,7 +16,7 @@ public class SecurityContext {
private final Set<Role> roles;
public SecurityContext(Principal principal, Set<Role> roles) {
- this.principal = requireNonNull(principal);
+ this.principal = Objects.requireNonNull(principal);
this.roles = Set.copyOf(roles);
}