

use of com.yahoo.athenz.provider.ProviderClient in project athenz by yahoo.

From the class ZMSImpl, method putTenancy:

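/**
 * Registers the tenant domain {@code tenantDomain} with the provider service
 * {@code provider} and provisions the tenant-side admin policy and roles.
 *
 * <p>Two paths exist. If the caller is an authorized service acting on its own
 * provider service (see {@code isAuthorizedProviderService}), the {@code *}
 * action on {@code ADMIN_ROLE_NAME} is provisioned directly through
 * {@code dbService.executePutTenantRoles}. Otherwise the provider's configured
 * endpoint is called via {@link ProviderClient#putTenant} and any roles it
 * returns are provisioned through {@code dbService.executePutProviderRoles}.
 *
 * <p>Errors are raised through {@code ZMSUtils.requestError} / {@code ZMSUtils.error}
 * when the server is in read-only mode, an input fails validation, the provider
 * service cannot be found, the provider service has no endpoint (and the caller is
 * not the authorized service), the provider call fails, or the provider returns no
 * tenant object.
 *
 * @param ctx          request context; cast to {@code RsrcCtxWrapper} to reach the principal
 * @param tenantDomain tenant domain name, lower-cased before use
 * @param provider     fully qualified provider service name, lower-cased before use
 * @param auditRef     audit reference forwarded to the DB service and the provider
 * @param detail       tenancy detail, lower-cased in place; only logged here
 * @return always {@code null}
 */
public Tenancy putTenancy(ResourceContext ctx, String tenantDomain, String provider, String auditRef, Tenancy detail) {
    final String caller = "puttenancy";
    metric.increment(ZMSConsts.HTTP_PUT);
    logPrincipal(ctx);
    if (readOnlyMode) {
        throw ZMSUtils.requestError("Server in Maintenance Read-Only mode. Please try your request later", caller);
    }
    validateRequest(ctx.request(), caller);
    validate(tenantDomain, TYPE_DOMAIN_NAME, caller);
    // the fully qualified service name to provision on
    validate(provider, TYPE_SERVICE_NAME, caller);
    // for consistent handling of all requests, we're going to convert
    // all incoming object values into lower case (e.g. domain, role,
    // policy, service, etc name)
    tenantDomain = tenantDomain.toLowerCase();
    provider = provider.toLowerCase();
    AthenzObject.TENANCY.convertToLowerCase(detail);
    metric.increment(ZMSConsts.HTTP_REQUEST, tenantDomain);
    metric.increment(caller, tenantDomain);
    Object timerMetric = metric.startTiming("puttenancy_timing", tenantDomain);
    // verify that request is properly authenticated for this request
    String authorizedService = ((RsrcCtxWrapper) ctx).principal().getAuthorizedService();
    verifyAuthorizedServiceOperation(authorizedService, caller);
    final String logPrefix = "putTenancy: tenant domain(" + tenantDomain + "): ";
    if (LOG.isInfoEnabled()) {
        LOG.info("---- BEGIN put Tenant on provider(" + provider + ", ...)");
    }
    // provider service domain
    String provSvcDomain = providerServiceDomain(provider);
    // provider service name
    String provSvcName = providerServiceName(provider);
    ServiceIdentity ent = dbService.getServiceIdentity(provSvcDomain, provSvcName);
    if (ent == null) {
        throw ZMSUtils.requestError(logPrefix + "Unable to retrieve service=" + provider, caller);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("serviceIdentity: provider=" + ent);
    }
    // we are going to allow the authorize service token owner to call
    // put tenancy on its own service without configuring a controller
    // end point
    boolean authzServiceTokenOperation = isAuthorizedProviderService(authorizedService, provSvcDomain, provSvcName, tenantDomain, auditRef);
    String url = ent.getProviderEndpoint();
    if ((url == null || url.isEmpty()) && !authzServiceTokenOperation) {
        throw ZMSUtils.requestError(logPrefix + "Cannot put tenancy on provider service=" + provider + " -- not a provider service", caller);
    }
    if (LOG.isInfoEnabled()) {
        LOG.info("let's talk to the provider on this endpoint: " + url);
        LOG.info("---- set up the ASSUME_ROLE for admin, so provider can check I'm an admin");
    }
    // set up our tenant admin policy so provider can check admin's access
    dbService.setupTenantAdminPolicy(ctx, tenantDomain, provSvcDomain, provSvcName, auditRef, caller);
    if (authzServiceTokenOperation) {
        // the authorized service is the provider itself: grant the admin role directly
        List<TenantRoleAction> roles = new ArrayList<>();
        roles.add(new TenantRoleAction().setAction("*").setRole(ADMIN_ROLE_NAME));
        dbService.executePutTenantRoles(ctx, provSvcDomain, provSvcName, tenantDomain, null, roles, auditRef, caller);
    } else {
        Principal tenantAdmin = ((RsrcCtxWrapper) ctx).principal();
        // log who we act as, but never the principal's credentials: the
        // token ends up in plain text in the server log otherwise
        if (LOG.isInfoEnabled()) {
            LOG.info("---- now tell the provider to setTenant, as " + tenantAdmin.getFullName());
        }
        Tenant tenant = new Tenant().setService(provSvcName).setName(tenantDomain);
        Tenant tenantWithRoles;
        try {
            ProviderClient prov = getProviderClient(url, tenantAdmin);
            tenantWithRoles = prov.putTenant(provSvcName, tenantDomain, auditRef, tenant);
        } catch (com.yahoo.athenz.provider.ResourceException ex) {
            // surface the provider's status code to our caller
            throw ZMSUtils.error(ex.getCode(), ex.getMessage(), caller);
        }
        if (LOG.isInfoEnabled()) {
            LOG.info("---- result of provider.putTenant: " + tenantWithRoles);
        }
        // a provider that answers without a tenant object gives us nothing to
        // provision from; report it instead of dereferencing null below
        if (tenantWithRoles == null) {
            throw ZMSUtils.requestError(logPrefix + "Provider service=" + provider + " returned no tenant", caller);
        }
        // now set up the roles and policies for all the provider roles returned
        // if the provider supports resource groups, during the putTenant call
        // we're just setting up tenancy and as such we won't get back any roles
        List<String> providerRoles = tenantWithRoles.getRoles();
        if (providerRoles != null && !providerRoles.isEmpty()) {
            // we're going to create a separate role for each one of tenant roles returned
            // based on its action and set the caller as a member in each role
            dbService.executePutProviderRoles(ctx, tenantDomain, provSvcDomain, provSvcName, null, providerRoles, auditRef, caller);
        }
    }
    if (LOG.isInfoEnabled()) {
        LOG.info("---- END put Tenant -> " + detail);
    }
    metric.stopTiming(timerMetric);
    return null;
}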
