Diffstat (limited to 'node-repository/src')
2 files changed, 22 insertions, 2 deletions
diff --git a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
index da8f5be142f..ad078e09c45 100644
--- a/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
+++ b/node-repository/src/main/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/Authorizer.java
@@ -7,7 +7,6 @@ import com.yahoo.vespa.athenz.api.AthenzIdentity;
 import com.yahoo.vespa.athenz.api.AthenzService;
 import com.yahoo.vespa.hosted.provision.Node;
 import com.yahoo.vespa.hosted.provision.NodeRepository;
-import com.yahoo.vespa.hosted.provision.restapi.v2.filter.NodePrincipal;
 import org.apache.http.NameValuePair;
 import org.apache.http.client.utils.URLEncodedUtils;
@@ -52,6 +51,11 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
             return true;
         }
         if (principal.getHostname().isPresent()) {
+            String hostname = principal.getHostname().get();
+            if (isAthenzProviderApi(uri)) {
+                return hostname.equals(NodeIdentifier.ZTS_AWS_IDENTITY) || hostname.equals(NodeIdentifier.ZTS_ON_PREM_IDENTITY);
+            }
+
             // Individual nodes can only access their own resources
             if (canAccessAll(hostnamesFrom(uri), principal, this::isSelfOrParent)) {
                 return true;
@@ -63,13 +67,18 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
             }
             // The host itself can access all resources
-            if (whitelistedHostnames.contains(principal.getHostname().get())) {
+            if (whitelistedHostnames.contains(hostname)) {
                 return true;
             }
         }
         return false;
     }
+    private static boolean isAthenzProviderApi(URI uri) {
+        return "/athenz/v1/provider/instance".equals(uri.getPath()) ||
+               "/athenz/v1/provider/refresh".equals(uri.getPath());
+    }
+
     /** Returns whether principal is the node itself or the parent of the node */
     private boolean isSelfOrParent(String hostname, NodePrincipal principal) {
         // Node can always access itself
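Review bot: The new ZTS allow-list in the `@@ -52` hunk grants the provider instance/refresh API purely on a string match of the principal's hostname against `NodeIdentifier.ZTS_AWS_IDENTITY` / `ZTS_ON_PREM_IDENTITY`, so its strength rests entirely on how `NodePrincipal.getHostname()` is established for those callers, which is outside this hunk and should be recorded at the branch. Suggested comment above the new `if (isAthenzProviderApi(uri))`: `// NOTE(review): only the ZTS identities may call the provider instance/refresh API; this relies on the hostname being certificate-derived — confirm. Every other caller falls through to the per-node rules below.` It is also worth stating that, because the branch sits inside `if (principal.getHostname().isPresent())`, a ZTS principal presented without a hostname is denied here, which looks intended. The enclosing method starts before and ends after this hunk.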
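Review bot: `isAthenzProviderApi` in the `@@ -63` hunk has no Javadoc, and its exact `equals` on `uri.getPath()` is a deliberate fail-closed choice that a later maintainer could loosen into a prefix match without realising the consequence; add `/** Returns whether uri is the Athenz provider instance or refresh endpoint. Exact path match on purpose: trailing-slash or deeper variants fall through to the per-node rules. */`. The literal `/athenz/v1/provider` prefix is repeated in the `@@ -153` hunk (which appears to be `hostnamesFrom`), so a single `private static final String ATHENZ_PROVIDER_API = "/athenz/v1/provider"` shared by both would keep the two sites in step.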
@@ -153,6 +162,9 @@ public class Authorizer implements BiPredicate<NodePrincipal, URI> {
             "/nodes/v2/node/".equals(uri.getPath())) {
             return hostnamesFromQuery(uri);
         }
+        if (isChildOf("/athenz/v1/provider/identity-document", uri.getPath())) {
+            return Collections.singletonList(lastChildOf(uri.getPath()));
+        }
         return Collections.emptyList();
     }
diff --git a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
index 9dc57507b8c..38128e66861 100644
--- a/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
+++ b/node-repository/src/test/java/com/yahoo/vespa/hosted/provision/restapi/v2/filter/AuthorizerTest.java
@@ -101,6 +101,8 @@ public class AuthorizerTest {
         assertTrue(authorizedTenantHostNode("host1", "/nodes/v2/node/host1"));
         assertTrue(authorizedTenantHostNode("host1", "/nodes/v2/node/child1-1"));
         assertTrue(authorizedTenantHostNode("host1", "/nodes/v2/command/reboot?hostname=child1-1"));
+        assertTrue(authorizedTenantHostNode("host1", "/athenz/v1/provider/identity-document/tenant/host1"));
+        assertTrue(authorizedTenantHostNode("host1", "/athenz/v1/provider/identity-document/node/child1-1"));
         // Trusted services can access everything in their own system
         assertFalse(authorizedController("vespa.vespa.cd.hosting", "/")); // Wrong system
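Review bot: The identity-document branch in the `@@ -153` hunk takes whatever `lastChildOf(uri.getPath())` yields as the node hostname without checking the path shape, so a request like `/athenz/v1/provider/identity-document/tenant` (no hostname) or one with extra trailing segments is authorized against the segment `tenant` or the trailing segment rather than a node name; whether that is harmless depends on `isChildOf` and `lastChildOf`, both outside this hunk. The safety of every other shape also rests on `canAccessAll` being fail-closed for the `Collections.emptyList()` it receives, which is not visible here and should be confirmed. Suggested comment on the new `if`: `// identity-document/{tenant|node}/{hostname}: the requested node is the last path segment; NOTE(review): no shape check — a missing hostname segment yields the type name instead, confirm this is denied downstream`. The enclosing method starts before this hunk.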
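Review bot: The new assertions in the `@@ -101` hunk only cover positive cases; nothing asserts that a tenant host node is denied `/athenz/v1/provider/instance` or `/refresh`, nor that it is denied an identity document for a host that is neither itself nor one of its children, which is the property the change exists to enforce. Add negative assertions beside them, e.g. `assertFalse(authorizedTenantHostNode("host1", "/athenz/v1/provider/instance"));` and an `assertFalse` for an identity-document path naming an unrelated host from the fixture. The same gap applies to `zts_allowed_for_athenz_provider_api` in the `@@ -151` hunk, which should also check that the ZTS identities gain nothing beyond the provider API, e.g. `assertFalse(authorizedLegacyNode(NodeIdentifier.ZTS_AWS_IDENTITY, "/nodes/v2/node/host1"));`, assuming the ZTS identities are not in the whitelisted-hostnames fixture.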
@@ -151,6 +153,12 @@ public class AuthorizerTest {
         assertTrue(authorizedLegacyNode("cfghost1", "/application/v2"));
     }
+    @Test
+    public void zts_allowed_for_athenz_provider_api() {
+        assertTrue(authorizedLegacyNode(NodeIdentifier.ZTS_AWS_IDENTITY, "/athenz/v1/provider/refresh"));
+        assertTrue(authorizedLegacyNode(NodeIdentifier.ZTS_ON_PREM_IDENTITY, "/athenz/v1/provider/instance"));
+    }
+
     private boolean authorizedTenantNode(String hostname, String path) {
         return authorized(NodePrincipal.withAthenzIdentity("vespa.vespa.tenant", hostname, emptyList()), path);
     }
|