
Example 1 with Tenant

use of com.yahoo.athenz.provider.Tenant in project athenz by yahoo.

the class ZMSImpl method getTenancy.

/**
 * Returns the tenancy of {@code tenantDomain} on the provider service
 * {@code providerService}, as reported by the provider itself.
 *
 * <p>Both the tenant domain and the provider's domain/service must exist
 * locally and the service must have a provider endpoint configured. The
 * provider is then asked for the tenant object using the caller's principal.
 * Resource groups the provider reports are only included in the result when
 * {@code verifyTenancyPolicies} finds the matching policies on both sides;
 * unverified groups are logged and dropped, never rejected.
 *
 * @param ctx             request context; expected to be a {@code RsrcCtxWrapper}
 * @param tenantDomain    tenant domain name (lower-cased before use)
 * @param providerService fully qualified provider service name (lower-cased before use)
 * @return tenancy with the domain, service and the verified resource groups
 *         (resource groups are left unset when the provider reports none)
 */
public Tenancy getTenancy(ResourceContext ctx, String tenantDomain, String providerService) {
    final String caller = "gettenancy";
    metric.increment(ZMSConsts.HTTP_GET);
    logPrincipal(ctx);
    validateRequest(ctx.request(), caller);
    validate(tenantDomain, TYPE_DOMAIN_NAME, caller);
    // fully qualified provider's service name
    validate(providerService, TYPE_SERVICE_NAME, caller);

    // all object names (domain, role, policy, service, ...) are handled in lower case
    tenantDomain = tenantDomain.toLowerCase();
    providerService = providerService.toLowerCase();

    metric.increment(ZMSConsts.HTTP_REQUEST, tenantDomain);
    metric.increment(caller, tenantDomain);
    // NOTE: this timer is only stopped on the success path
    final Object timer = metric.startTiming("gettenancy_timing", tenantDomain);

    // the tenant domain itself must exist before we go any further
    if (dbService.getDomain(tenantDomain, false) == null) {
        throw ZMSUtils.notFoundError("getTenancy: No such tenant domain: " + tenantDomain, caller);
    }

    // the provider decides whether it supports resource groups, so the
    // authoritative tenant object has to come from the provider and not
    // from the policies we hold locally
    final String provSvcDomain = providerServiceDomain(providerService);
    final String provSvcName = providerServiceName(providerService);
    if (dbService.getDomain(provSvcDomain, false) == null) {
        throw ZMSUtils.requestError("getTenancy: No such provider domain: " + provSvcDomain, caller);
    }

    final ServiceIdentity providerIdentity = dbService.getServiceIdentity(provSvcDomain, provSvcName);
    if (providerIdentity == null) {
        throw ZMSUtils.requestError("getTenancy: unable to retrieve service=" + providerService, caller);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("getTenancy: serviceIdentity: provider=" + providerIdentity);
    }

    // a service without an endpoint is not a provider and cannot be asked
    final String endpoint = providerIdentity.getProviderEndpoint();
    if (endpoint == null || endpoint.isEmpty()) {
        throw ZMSUtils.requestError("getTenancy: cannot get tenancy on provider service=" + providerService + " -- not a provider service", caller);
    }

    // the provider call is made on behalf of the requesting principal
    final Principal requester = ((RsrcCtxWrapper) ctx).principal();
    final Tenant tenant;
    try {
        final ProviderClient client = getProviderClient(endpoint, requester);
        tenant = client.getTenant(provSvcName, tenantDomain);
    } catch (com.yahoo.athenz.provider.ResourceException ex) {
        LOG.error("getTenancy: ProviderClient exception code: {} message: {}", ex.getCode(), ex.getMessage());
        throw ZMSUtils.error(ex.getCode(), ex.getMessage(), caller);
    }
    if (tenant == null) {
        throw ZMSUtils.notFoundError("getTenancy: Provider reports no such tenant: " + tenantDomain, caller);
    }
    if (LOG.isInfoEnabled()) {
        LOG.info("getTenancy: ---- result of provider.getTenant: " + tenant);
    }

    final Tenancy tenancy = new Tenancy();
    tenancy.setDomain(tenantDomain).setService(providerService);

    // cross-check the provider's resource groups against the policies on
    // both sides; a group without the expected policies is simply not
    // reported as provisioned rather than failing the whole request
    final List<String> reportedGroups = tenant.getResourceGroups();
    if (reportedGroups != null) {
        final List<String> tenantPolicies = dbService.listPolicies(tenantDomain);
        final Set<String> providerPolicies = new HashSet<>(dbService.listPolicies(provSvcDomain));
        final List<String> verifiedGroups = new ArrayList<>();
        for (String group : reportedGroups) {
            if (verifyTenancyPolicies(tenantDomain, tenantPolicies, providerPolicies, provSvcDomain, provSvcName, group)) {
                verifiedGroups.add(group);
                continue;
            }
            if (LOG.isInfoEnabled()) {
                LOG.info("getTenancy: Invalid Resource Group: " + group + " for tenant: " + tenantDomain);
            }
        }
        tenancy.setResourceGroups(verifiedGroups);
    }

    metric.stopTiming(timer);
    return tenancy;
}

Example 2 with Tenant

use of com.yahoo.athenz.provider.Tenant in project athenz by yahoo.

the class ZMSImpl method putTenancy.

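/**
 * Provisions tenancy for {@code tenantDomain} on the provider service
 * {@code provider}.
 *
 * <p>The tenant admin policy is always set up locally first. Then, when the
 * caller is the authorized provider service itself, its admin role is granted
 * directly without contacting any endpoint; otherwise the provider is called
 * on its configured endpoint and every role it returns is provisioned for the
 * tenant. The request is refused while the server is in read-only mode.
 *
 * @param ctx          request context; expected to be a {@code RsrcCtxWrapper}
 * @param tenantDomain tenant domain name (lower-cased before use)
 * @param provider     fully qualified provider service name (lower-cased before use)
 * @param auditRef     audit reference recorded with every change made here
 * @param detail       tenancy object from the request; it is only lower-cased
 *                     and logged by this method
 * @return always {@code null}; the tenancy is created as a side effect
 */
public Tenancy putTenancy(ResourceContext ctx, String tenantDomain, String provider, String auditRef, Tenancy detail) {
    final String caller = "puttenancy";
    metric.increment(ZMSConsts.HTTP_PUT);
    logPrincipal(ctx);
    if (readOnlyMode) {
        throw ZMSUtils.requestError("Server in Maintenance Read-Only mode. Please try your request later", caller);
    }
    validateRequest(ctx.request(), caller);
    validate(tenantDomain, TYPE_DOMAIN_NAME, caller);
    // the fully qualified service name to provision on
    validate(provider, TYPE_SERVICE_NAME, caller);

    // all object names (domain, role, policy, service, ...) are handled in lower case
    tenantDomain = tenantDomain.toLowerCase();
    provider = provider.toLowerCase();
    AthenzObject.TENANCY.convertToLowerCase(detail);

    metric.increment(ZMSConsts.HTTP_REQUEST, tenantDomain);
    metric.increment(caller, tenantDomain);
    // NOTE: this timer is only stopped on the success path
    Object timerMetric = metric.startTiming("puttenancy_timing", tenantDomain);

    // verify that the request is properly authorized for this operation
    Principal principal = ((RsrcCtxWrapper) ctx).principal();
    String authorizedService = principal.getAuthorizedService();
    verifyAuthorizedServiceOperation(authorizedService, caller);

    final String logPrefix = "putTenancy: tenant domain(" + tenantDomain + "): ";
    if (LOG.isInfoEnabled()) {
        LOG.info("---- BEGIN put Tenant on provider(" + provider + ", ...)");
    }

    // provider service domain and name
    String provSvcDomain = providerServiceDomain(provider);
    String provSvcName = providerServiceName(provider);
    ServiceIdentity ent = dbService.getServiceIdentity(provSvcDomain, provSvcName);
    if (ent == null) {
        throw ZMSUtils.requestError(logPrefix + "Unable to retrieve service=" + provider, caller);
    }
    if (LOG.isDebugEnabled()) {
        LOG.debug("serviceIdentity: provider=" + ent);
    }

    // the authorized service token owner may call put tenancy on its own
    // service without having configured a provider endpoint
    boolean authzServiceTokenOperation = isAuthorizedProviderService(authorizedService, provSvcDomain, provSvcName, tenantDomain, auditRef);
    String url = ent.getProviderEndpoint();
    if ((url == null || url.isEmpty()) && !authzServiceTokenOperation) {
        throw ZMSUtils.requestError(logPrefix + "Cannot put tenancy on provider service=" + provider + " -- not a provider service", caller);
    }
    if (LOG.isInfoEnabled()) {
        LOG.info("let's talk to the provider on this endpoint: " + url);
        LOG.info("---- set up the ASSUME_ROLE for admin, so provider can check I'm an admin");
    }

    // set up our tenant admin policy so provider can check admin's access
    dbService.setupTenantAdminPolicy(ctx, tenantDomain, provSvcDomain, provSvcName, auditRef, caller);

    if (authzServiceTokenOperation) {
        // the provider itself is the caller: grant its admin role directly
        List<TenantRoleAction> roles = new ArrayList<>();
        roles.add(new TenantRoleAction().setAction("*").setRole(ADMIN_ROLE_NAME));
        dbService.executePutTenantRoles(ctx, provSvcDomain, provSvcName, tenantDomain, null, roles, auditRef, caller);
    } else {
        // only the principal's name goes to the log; its credentials are a
        // secret and must never be written out
        if (LOG.isInfoEnabled()) {
            LOG.info("---- now tell the provider to setTenant, as " + principal.getFullName());
        }
        Tenant tenant = new Tenant().setService(provSvcName).setName(tenantDomain);
        Tenant tenantWithRoles;
        try {
            ProviderClient prov = getProviderClient(url, principal);
            tenantWithRoles = prov.putTenant(provSvcName, tenantDomain, auditRef, tenant);
        } catch (com.yahoo.athenz.provider.ResourceException ex) {
            throw ZMSUtils.error(ex.getCode(), ex.getMessage(), caller);
        }
        if (LOG.isInfoEnabled()) {
            LOG.info("---- result of provider.putTenant: " + tenantWithRoles);
        }
        // a provider that answers with no tenant object at all is reported
        // as a failed call instead of being dereferenced below
        if (tenantWithRoles == null) {
            throw ZMSUtils.requestError(logPrefix + "Provider returned no tenant for service=" + provider, caller);
        }
        // now set up the roles and policies for all the provider roles returned
        // if the provider supports resource groups, during the putTenant call
        // we're just setting up tenancy and as such we won't get back any roles
        List<String> providerRoles = tenantWithRoles.getRoles();
        if (providerRoles != null && !providerRoles.isEmpty()) {
            // we're going to create a separate role for each one of tenant roles returned
            // based on its action and set the caller as a member in each role
            dbService.executePutProviderRoles(ctx, tenantDomain, provSvcDomain, provSvcName, null, providerRoles, auditRef, caller);
        }
    }

    if (LOG.isInfoEnabled()) {
        LOG.info("---- END put Tenant -> " + detail);
    }
    metric.stopTiming(timerMetric);
    return null;
}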
