Use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo: class DBService, method executePutRoleSystemMeta.
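/**
 * Applies a single system-meta attribute change to a role and persists it.
 *
 * The whole update runs inside one retryable write transaction: the domain must exist and
 * must have auditing enabled (system-meta changes on roles are only accepted on audit-enabled
 * domains), the role must exist, a copy of the role carrying the updated field is written
 * back, and the request is audit logged and published as a domain change event once the
 * transaction has been saved.
 *
 * @param ctx        request context; supplies the principal name and the api name
 * @param domainName domain that owns the role
 * @param roleName   role whose system meta is being updated
 * @param meta       the new system-meta values
 * @param attribute  which system-meta attribute is being changed
 * @param auditRef   audit reference supplied by the caller
 * @param caller     name of the calling API, used in error messages and audit logs
 * @throws ResourceException not-found when the domain or the role does not exist, request
 *         error when the domain is not audit enabled, or whatever the store raised once
 *         retries are exhausted
 */
public void executePutRoleSystemMeta(ResourceContext ctx, final String domainName, final String roleName, RoleSystemMeta meta, final String attribute, final String auditRef, final String caller) {
    for (int retryCount = defaultRetryCount; ; retryCount--) {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            Domain domain = con.getDomain(domainName);
            if (domain == null) {
                con.rollbackChanges();
                throw ZMSUtils.notFoundError(caller + ": Unknown domain: " + domainName, caller);
            }
            // first verify that auditing requirements are met
            checkDomainAuditEnabled(con, domain, auditRef, caller, getPrincipalName(ctx), AUDIT_TYPE_ROLE);
            if (domain.getAuditEnabled() != Boolean.TRUE) {
                // roll back explicitly, consistent with the unknown-domain path above, rather than
                // relying on the connection close to discard the open transaction
                con.rollbackChanges();
                throw ZMSUtils.requestError(caller + ": auditEnabled flag not set for domain: " + domainName + " to add it on the role: " + roleName, caller);
            }
            Role originalRole = getRole(con, domainName, roleName, false, false, false);
            if (originalRole == null) {
                // without this guard the copy below dereferences a null role and the
                // request fails with an NPE instead of a proper not-found error
                con.rollbackChanges();
                throw ZMSUtils.notFoundError(caller + ": Unknown role: " + roleName, caller);
            }
            // now process the request. first we're going to make a
            // copy of our role so the original stays untouched
            Role updatedRole = new Role().setName(originalRole.getName()).setAuditEnabled(originalRole.getAuditEnabled()).setTrust(originalRole.getTrust()).setSelfServe(originalRole.getSelfServe()).setMemberExpiryDays(originalRole.getMemberExpiryDays()).setServiceExpiryDays(originalRole.getServiceExpiryDays()).setGroupExpiryDays(originalRole.getGroupExpiryDays()).setGroupReviewDays(originalRole.getGroupReviewDays()).setTokenExpiryMins(originalRole.getTokenExpiryMins()).setCertExpiryMins(originalRole.getCertExpiryMins()).setMemberReviewDays(originalRole.getMemberReviewDays()).setServiceReviewDays(originalRole.getServiceReviewDays()).setSignAlgorithm(originalRole.getSignAlgorithm()).setReviewEnabled(originalRole.getReviewEnabled()).setNotifyRoles(originalRole.getNotifyRoles());
            // then we're going to apply the updated fields
            // from the given object
            updateRoleSystemMetaFields(con, updatedRole, originalRole, attribute, meta, ctx.getApiName());
            con.updateRole(domainName, updatedRole);
            saveChanges(con, domainName);
            // audit log the request
            StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            auditLogRoleSystemMeta(auditDetails, updatedRole, roleName);
            auditLogRequest(ctx, domainName, auditRef, caller, ZMSConsts.HTTP_PUT, domainName, auditDetails.toString());
            // add domain change event
            addDomainChangeMessage(ctx, domainName, roleName, DomainChangeMessage.ObjectType.ROLE);
            return;
        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, retryCount)) {
                throw ex;
            }
        }
    }
}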
Use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo: class DBService, method executePutPublicKeyEntry.
/**
 * Inserts or replaces one public key on a service identity, then audit logs and publishes
 * the change.
 *
 * Runs inside a retryable write transaction. Whether the key is inserted or updated is
 * decided by looking the key id up in the same transaction; the public-key quota is only
 * enforced for a brand new key. A failed store write rolls the transaction back and is
 * reported as an internal server error.
 *
 * NOTE(review): the key material in {@code keyEntry} is stored as given; any format or
 * encoding validation of the key presumably happens in the REST layer before this point,
 * confirm against the caller.
 *
 * @param ctx         request context; supplies the principal name
 * @param domainName  domain that owns the service
 * @param serviceName service the key belongs to
 * @param keyEntry    key id and key material to store
 * @param auditRef    audit reference supplied by the caller
 * @param caller      name of the calling API, used in error messages and audit logs
 * @throws ResourceException on audit or quota violations, on a failed write, or whatever the
 *         store raised once retries are exhausted
 */
void executePutPublicKeyEntry(ResourceContext ctx, String domainName, String serviceName, PublicKeyEntry keyEntry, String auditRef, String caller) {
    for (int attemptsLeft = defaultRetryCount; ; attemptsLeft--) {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            // auditing requirements come first
            checkDomainAuditEnabled(con, domainName, auditRef, caller, getPrincipalName(ctx), AUDIT_TYPE_SERVICE);
            // a missing entry means this is an insert, which is the only case the quota applies to
            final boolean isNewKey = con.getPublicKeyEntry(domainName, serviceName, keyEntry.getId(), false) == null;
            if (isNewKey) {
                quotaCheck.checkServiceIdentityPublicKeyQuota(con, domainName, serviceName, caller);
            }
            final boolean stored = isNewKey
                    ? con.insertPublicKeyEntry(domainName, serviceName, keyEntry)
                    : con.updatePublicKeyEntry(domainName, serviceName, keyEntry);
            if (!stored) {
                con.rollbackChanges();
                throw ZMSUtils.internalServerError("unable to put public key: " + keyEntry.getId() + " in service " + ResourceUtils.serviceResourceName(domainName, serviceName), caller);
            }
            // bump the service and domain modification time-stamps and commit
            con.updateServiceIdentityModTimestamp(domainName, serviceName);
            saveChanges(con, domainName);
            // audit log the request with the key that was written
            StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            auditDetails.append(isNewKey ? "{\"added-publicKeys\": [" : "{\"updated-publicKeys\": [");
            auditLogPublicKeyEntry(auditDetails, keyEntry, true);
            auditDetails.append("]}");
            auditLogRequest(ctx, domainName, auditRef, caller, ZMSConsts.HTTP_PUT, serviceName, auditDetails.toString());
            // publish the domain change event
            addDomainChangeMessage(ctx, domainName, serviceName, DomainChangeMessage.ObjectType.SERVICE);
            return;
        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, attemptsLeft)) {
                throw ex;
            }
        }
    }
}
Use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo: class DBService, method setupTenantAdminPolicy.
/**
 * Ensures the tenant domain has the admin role and admin policy it needs to manage its
 * tenancy with the given provider service.
 *
 * Both objects are named {@code tenancy.<prov_domain>.<prov_svc>.admin} and are created
 * only when missing. The policy grants the domain admin role and the tenant admin role
 * assume_role on the provider's trusted admin role, and grants the tenant admin role update
 * on {@code <tenant>:tenancy.<prov_domain>.<prov_svc>} so it can provision resource groups.
 * The transaction is saved even when nothing had to be created.
 *
 * NOTE(review): unlike the other execute* methods in this class there is no
 * auditLogRequest call here; the enclosing tenancy operation presumably logs it, confirm.
 *
 * @param ctx           request context, used for the domain change events
 * @param tenantDomain  domain that is becoming a tenant
 * @param provSvcDomain domain of the provider service
 * @param provSvcName   name of the provider service
 * @param auditRef      audit reference supplied by the caller
 * @param caller        name of the calling API, used in error messages
 * @throws ResourceException on audit violations or whatever the store raised once retries
 *         are exhausted
 */
void setupTenantAdminPolicy(ResourceContext ctx, String tenantDomain, String provSvcDomain, String provSvcName, String auditRef, String caller) {
    for (int attemptsLeft = defaultRetryCount; ; attemptsLeft--) {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            // the audit check is made on behalf of the provider service, not the request principal
            checkDomainAuditEnabled(con, tenantDomain, auditRef, caller, provSvcDomain + "." + provSvcName, AUDIT_TYPE_TENANCY);

            final String tenancyResource = "tenancy." + provSvcDomain + '.' + provSvcName;
            final String adminName = tenancyResource + ".admin";
            final String tenantAdminRole = ResourceUtils.roleResourceName(tenantDomain, adminName);
            final String domainAdminRole = ResourceUtils.roleResourceName(tenantDomain, ZMSConsts.ADMIN_ROLE_NAME);
            final String providerAdminRole = ZMSUtils.getTrustedResourceGroupRolePrefix(provSvcDomain, provSvcName, tenantDomain, null) + ZMSConsts.ADMIN_ROLE_NAME;

            if (con.getRole(tenantDomain, adminName) == null) {
                // the role is created without members; membership is presumably managed by the caller
                con.insertRole(tenantDomain, new Role().setName(tenantAdminRole));
                addDomainChangeMessage(ctx, tenantDomain, tenantAdminRole, DomainChangeMessage.ObjectType.ROLE);
            }

            if (con.getPolicy(tenantDomain, adminName, null) == null) {
                Policy adminPolicy = new Policy().setName(ResourceUtils.policyResourceName(tenantDomain, adminName));
                adminPolicy.setVersion(null);
                con.insertPolicy(tenantDomain, adminPolicy);
                // both the domain admins and the tenant admins may assume the provider's admin role
                insertAllowAssertion(con, tenantDomain, adminName, domainAdminRole, providerAdminRole, ZMSConsts.ACTION_ASSUME_ROLE);
                insertAllowAssertion(con, tenantDomain, adminName, tenantAdminRole, providerAdminRole, ZMSConsts.ACTION_ASSUME_ROLE);
                // tenant admins additionally need update on the tenancy resource itself
                // in order to provision new resource groups in the domain
                insertAllowAssertion(con, tenantDomain, adminName, tenantAdminRole, tenantDomain + ":" + tenancyResource, ZMSConsts.ACTION_UPDATE);
                addDomainChangeMessage(ctx, tenantDomain, adminPolicy.getName(), DomainChangeMessage.ObjectType.POLICY);
            }

            // bump the domain time-stamp and commit
            saveChanges(con, tenantDomain);
            return;
        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, attemptsLeft)) {
                throw ex;
            }
        }
    }
}

/** Inserts one ALLOW assertion for {@code role} on {@code resource} into the named policy of the domain. */
private static void insertAllowAssertion(ObjectStoreConnection con, String domainName, String policyName, String role, String resource, String action) {
    Assertion assertion = new Assertion().setRole(role).setResource(resource).setAction(action).setEffect(AssertionEffect.ALLOW);
    con.insertAssertion(domainName, policyName, null, assertion);
}
Use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo: class DBService, method getPendingDomainGroupMembers.
/**
 * Returns the pending group memberships, grouped by domain, for a principal and/or a domain.
 *
 * When a principal is given, its pending memberships are fetched across all domains and then
 * filtered by {@code domainName}: an empty name or the literal {@code "*"} keeps every
 * domain, anything else keeps only the exact match. When no principal is given but a domain
 * name is, the pending memberships of that domain are returned as-is (the {@code "*"}
 * wildcard is not interpreted on this path; it is passed straight to the store). When both
 * are empty nothing is queried and the returned object has no member list set.
 *
 * The store connection is opened with {@code getConnection(true, false)}, which is the same
 * mode used by the other read-only lookups in this class.
 *
 * @param principal  principal whose pending memberships are wanted, may be empty
 * @param domainName domain to restrict the result to, may be empty or {@code "*"}
 * @return membership object whose list is populated only when a store lookup returned data
 */
DomainGroupMembership getPendingDomainGroupMembers(final String principal, final String domainName) {
    final DomainGroupMembership result = new DomainGroupMembership();
    final boolean noDomainFilter = StringUtil.isEmpty(domainName);
    final boolean hasPrincipal = !StringUtil.isEmpty(principal);
    try (ObjectStoreConnection con = store.getConnection(true, false)) {
        Map<String, List<DomainGroupMember>> pendingByDomain = null;
        if (hasPrincipal) {
            pendingByDomain = con.getPendingDomainGroupMembersByPrincipal(principal);
        } else if (!noDomainFilter) {
            pendingByDomain = con.getPendingDomainGroupMembersByDomain(domainName);
        }
        if (pendingByDomain != null) {
            List<DomainGroupMembers> membersByDomain = new ArrayList<>();
            for (String domain : pendingByDomain.keySet()) {
                // the domain filter (and the "*" wildcard) only applies to the
                // principal-based lookup; a domain-based lookup is already scoped
                if (!hasPrincipal || noDomainFilter || domain.equals(domainName) || "*".equals(domainName)) {
                    membersByDomain.add(getDomainGroupMembers(domain, pendingByDomain));
                }
            }
            result.setDomainGroupMembersList(membersByDomain);
        }
    }
    return result;
}
Use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo: class DBService, method executePutServiceIdentity.
/**
 * Creates or updates a service identity in a domain, then audit logs and publishes the change.
 *
 * Runs inside a retryable write transaction: the audit requirements and the service quota
 * are checked first, the existing identity (if any) is loaded so {@code processServiceIdentity}
 * can compute the delta, and a failed write rolls the transaction back and is reported as an
 * internal server error.
 *
 * @param ctx         request context; supplies the principal name
 * @param domainName  domain that owns the service
 * @param serviceName name of the service being written
 * @param service     the new service identity definition
 * @param auditRef    audit reference supplied by the caller
 * @param caller      name of the calling API, used in error messages and audit logs
 * @throws ResourceException on audit or quota violations, on a failed write, or whatever the
 *         store raised once retries are exhausted
 */
void executePutServiceIdentity(ResourceContext ctx, String domainName, String serviceName, ServiceIdentity service, String auditRef, String caller) {
    for (int attemptsLeft = defaultRetryCount; ; attemptsLeft--) {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            // auditing requirements and quota come first
            checkDomainAuditEnabled(con, domainName, auditRef, caller, getPrincipalName(ctx), AUDIT_TYPE_SERVICE);
            quotaCheck.checkServiceIdentityQuota(con, domainName, service, caller);
            // the existing identity (may be absent) is needed to compute the delta
            ServiceIdentity existing = getServiceIdentity(con, domainName, serviceName, false);
            StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            final boolean written = processServiceIdentity(ctx, con, existing, domainName, serviceName, service, false, auditDetails);
            if (!written) {
                con.rollbackChanges();
                throw ZMSUtils.internalServerError("unable to put service: " + service.getName(), caller);
            }
            // bump the domain time-stamp and commit
            saveChanges(con, domainName);
            // audit log the request
            auditLogRequest(ctx, domainName, auditRef, caller, ZMSConsts.HTTP_PUT, serviceName, auditDetails.toString());
            // publish the domain change event
            addDomainChangeMessage(ctx, domainName, serviceName, DomainChangeMessage.ObjectType.SERVICE);
            return;
        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, attemptsLeft)) {
                throw ex;
            }
        }
    }
}