From 065053e8efaa6941521e1ec79b7948d34d73d18e Mon Sep 17 00:00:00 2001
From: Ola Aunrønning
Date: Mon, 14 Mar 2022 11:32:14 +0100
Subject: Infer managed access through assertion existence
---
 .../integration/athenz/AccessControlService.java | 1 +
 .../athenz/AthenzAccessControlService.java | 27 +++++++++++++++++-----
 .../athenz/MockAccessControlService.java | 5 ++++
 3 files changed, 27 insertions(+), 6 deletions(-)
(limited to 'controller-api')
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
index 1dd6eb543ef..f7876f9cddd 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AccessControlService.java
@@ -21,5 +21,6 @@ public interface AccessControlService {
 boolean requestSshAccess(TenantName tenantName);
 AthenzRoleInformation getAccessRoleInformation(TenantName tenantName);
 void setPreapprovedAccess(TenantName tenantName, boolean preapproved);
+ boolean getPreapprovedAccess(TenantName tenantName);
 Collection listMembers();
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 11cace3b10e..3a42c0c6535 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
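Review bot: The new interface method `boolean getPreapprovedAccess(TenantName tenantName);` has no Javadoc, and the neighbouring `setPreapprovedAccess` it pairs with does not say what "preapproved" means either, so a caller of the interface cannot tell what `true` stands for. I would add a one-line Javadoc above the new declaration stating what the returned flag means for the tenant's access role and that implementations may throw `UnsupportedOperationException` when no Athenz instance is configured, which is what the Athenz implementation added in this commit does. Documenting the exception on the interface matters because the mock returns `false` in the same situation, so callers currently see two different contracts.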
@@ -3,6 +3,7 @@ package com.yahoo.vespa.hosted.controller.api.integration.athenz;
 import com.yahoo.config.provision.TenantName;
+import com.yahoo.vespa.athenz.api.AthenzAssertion;
 import com.yahoo.vespa.athenz.api.AthenzDomain;
 import com.yahoo.vespa.athenz.api.AthenzGroup;
 import com.yahoo.vespa.athenz.api.AthenzIdentity;
@@ -23,6 +24,7 @@ public class AthenzAccessControlService implements AccessControlService {
 private static final String ALLOWED_OPERATOR_GROUPNAME = "vespa-team";
 private static final String DATAPLANE_ACCESS_ROLENAME = "operator-data-plane";
 private final String TENANT_DOMAIN_PREFIX = "vespa.tenant";
+ private final String ACCESS_APPROVAL_POLICY = "vespa-access-requester";
 private final ZmsClient zmsClient;
 private final AthenzRole dataPlaneAccessRole;
 private final AthenzGroup vespaTeam;
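Review bot: `ACCESS_APPROVAL_POLICY` is declared as a per-instance `private final` field although it is a compile-time constant named in UPPER_SNAKE_CASE like the two `static` constants directly above it; `private static final String ACCESS_APPROVAL_POLICY = "vespa-access-requester";` would match them (the existing `TENANT_DOMAIN_PREFIX` has the same shape but is not part of this change). The approver role name `"vespa-access-approver"` and the action `"update_members"` that the later hunk adding `getApprovalAssertion` hard-codes are the other two parts of the same policy rule, and would read better as sibling constants next to this one so that the policy, role and action names that must stay in sync are defined in one place.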
@@ -129,18 +131,26 @@ public class AthenzAccessControlService implements AccessControlService {
 vespaZmsClient.ifPresentOrElse( zms -> {
 var role = sshRole(tenantName);
-
- var policyName = "vespa-access-requester";
- var action = "update_members";
- var approverRole = new AthenzRole(role.domain(), "vespa-access-approver");
+ var assertion = getApprovalAssertion(role);
 if (preapprovedAccess) {
- zms.addPolicyRule(role.domain(), policyName, action, role.toResourceName(), approverRole);
+ zms.addPolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
 } else {
- zms.deletePolicyRule(role.domain(), policyName, action, role.toResourceName(), approverRole);
+ zms.deletePolicyRule(role.domain(), ACCESS_APPROVAL_POLICY, assertion.action(), assertion.resource(), assertion.role());
 }
 },() -> {
 throw new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance");
 });
 }
+ public boolean getPreapprovedAccess(TenantName tenantName) {
+ return vespaZmsClient.map(
+ zms -> {
+ var role = sshRole(tenantName);
+ var approvalAssertion = getApprovalAssertion(role);
+ return zms.getPolicy(role.domain(), ACCESS_APPROVAL_POLICY)
+ .map(policy -> policy.assertions().stream().anyMatch(assertion -> assertion.satisfies(approvalAssertion)))
+ .orElse(false);
+ }).orElseThrow(() -> new UnsupportedOperationException("Only allowed in systems running Vespa Athenz instance") );
+ }
+
 private AthenzRole sshRole(TenantName tenantName) {
 return new AthenzRole(getTenantDomain(tenantName), "ssh_access");
 }
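Review bot: `getPreapprovedAccess` implements the method added to `AccessControlService` in this commit but lacks `@Override`, which the mock implementation in the same commit does carry; putting `@Override` above `public boolean getPreapprovedAccess(TenantName tenantName) {` lets the compiler catch any drift between the interface and this implementation. The method answers `true` as soon as any assertion in the `vespa-access-requester` policy satisfies the expected approver assertion, i.e. it checks that a rule is present rather than what the policy effectively decides; if Athenz gives DENY assertions precedence over ALLOW, as I believe it does, a separate DENY on the same role and resource would disable approval while this still reports it as enabled, so I would state that limitation in a comment on the `anyMatch` line, e.g. `// presence check only: a conflicting DENY assertion in the same policy is not considered`. The message `"Only allowed in systems running Vespa Athenz instance"` is now duplicated between `setPreapprovedAccess` and this method and could be one shared constant.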
@@ -152,4 +162,9 @@ public class AthenzAccessControlService implements AccessControlService {
 public boolean isVespaTeamMember(AthenzUser user) {
 return zmsClient.getGroupMembership(vespaTeam, user);
 }
+
+ private AthenzAssertion getApprovalAssertion(AthenzRole accessRole) {
+ var approverRole = new AthenzRole(accessRole.domain(), "vespa-access-approver");
+ return AthenzAssertion.newBuilder(approverRole, accessRole.toResourceName(), "update_members").build();
+ }
 }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
index c14ca2bdc80..95ebe3380d4 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/MockAccessControlService.java
@@ -54,6 +54,11 @@ public class MockAccessControlService implements AccessControlService {
 }
+ @Override
+ public boolean getPreapprovedAccess(TenantName tenant) {
+ return false;
+ }
+
 public void addPendingMember(AthenzUser user) {
 pendingMembers.add(user);
 }
-- 
cgit v1.2.3
From def6d57968bad732ba7f9445bb83f8f1883d9de7 Mon Sep 17 00:00:00 2001
From: Ola Aunrønning
Date: Mon, 14 Mar 2022 11:57:23 +0100
Subject: Consider effect equality
---
 .../controller/api/integration/athenz/AthenzAccessControlService.java | 4 +++-
 .../src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java | 1 +
 2 files changed, 4 insertions(+), 1 deletion(-)
(limited to 'controller-api')
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 3a42c0c6535..317229f9e9a 100644
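Review bot: The mock's `getPreapprovedAccess` always returns `false`, so a test that calls `setPreapprovedAccess(tenant, true)` and then `getPreapprovedAccess(tenant)` on `MockAccessControlService` gets an answer that disagrees with the Athenz implementation added in the same commit, and no test using the mock can cover the preapproved path. If the mock's `setPreapprovedAccess`, which is outside this hunk, records the flag, returning the recorded value for the tenant would keep the two implementations consistent; if it does not, a short comment such as `// preapproval is not modelled by this mock` would tell the next reader not to rely on it. The parameter is also named `tenant` here but `tenantName` in the interface and in the Athenz implementation.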
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -165,6 +165,8 @@ public class AthenzAccessControlService implements AccessControlService {
 private AthenzAssertion getApprovalAssertion(AthenzRole accessRole) {
 var approverRole = new AthenzRole(accessRole.domain(), "vespa-access-approver");
- return AthenzAssertion.newBuilder(approverRole, accessRole.toResourceName(), "update_members").build();
+ return AthenzAssertion.newBuilder(approverRole, accessRole.toResourceName(), "update_members")
+ .effect(AthenzAssertion.Effect.ALLOW)
+ .build();
 }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java
index cf6f40155fc..49cc31fe8c2 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java
@@ -39,6 +39,7 @@ public class AthenzAssertion {
 public boolean satisfies(AthenzAssertion other) {
 return role.equals(other.role()) &&
 action.equals(other.action()) &&
+ effect().equals(other.effect()) &&
 resource.equals(other.resource());
 }
-- 
cgit v1.2.3
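Review bot: The added `effect().equals(other.effect()) &&` in `AthenzAssertion.satisfies` goes through the accessor while the neighbouring lines read the `role`, `action` and `resource` fields directly, which suggests `effect()` may do something more than return the field, such as substitute a default; if it can instead return `null` for an assertion built without calling `.effect(...)`, as `getApprovalAssertion` did before this commit, the call throws a `NullPointerException` instead of returning `false`. `Objects.equals(effect(), other.effect()) &&` is safe in either case, and if `Effect` is an enum, as the `AthenzAssertion.Effect.ALLOW` usage in the other hunk suggests, `effect() == other.effect() &&` is equally safe and clearer. The rest of `satisfies` is unchanged and not shown in full here.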