Use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
The class DBService, method enforceRoleUserAuthorityRestrictions.
/**
 * Re-applies the user-authority expiration and filter restrictions to every member of a role
 * and persists the members whose state changed.
 *
 * <p>Two passes run, each only when the corresponding restriction is configured. The expiration
 * pass re-inserts the members for which {@code updateUserAuthorityExpiry} reports a change; the
 * filter pass updates the disabled state of the members for which
 * {@code updateUserAuthorityFilter} reports a change, using the role-level filter combined with
 * the domain-level one. Both writes are attributed to {@code ZMSConsts.SYS_AUTH_MONITOR} with
 * {@code AUDIT_REF}. If either pass reports that the store was written, the role and domain
 * modification timestamps are bumped and the local cache entry for the domain is invalidated.
 *
 * @param domainName domain that owns the role
 * @param roleName name of the role whose members are checked
 * @param domainUserAuthorityFilter domain-level user-authority filter, merged with the role's own
 */
void enforceRoleUserAuthorityRestrictions(final String domainName, final String roleName, final String domainUserAuthorityFilter) {
    final String caller = "enforceRoleUserAuthorityRestrictions";
    try (ObjectStoreConnection con = store.getConnection(true, true)) {
        // a missing role, or a role without a member list, leaves nothing to enforce
        final Role role = getRole(con, domainName, roleName, false, false, false);
        if (role == null) {
            return;
        }
        final List<RoleMember> members = role.getRoleMembers();
        if (members == null) {
            return;
        }
        boolean storeTouched = false;
        // pass 1: user-authority expiration
        final String authorityExpiry = role.getUserAuthorityExpiration();
        if (authorityExpiry != null) {
            final List<RoleMember> expiryChanged = new ArrayList<>();
            for (RoleMember member : members) {
                if (!updateUserAuthorityExpiry(member, authorityExpiry)) {
                    continue;
                }
                expiryChanged.add(member);
            }
            storeTouched = insertRoleMembers(null, con, expiryChanged, domainName, roleName, ZMSConsts.SYS_AUTH_MONITOR, AUDIT_REF, caller);
        }
        // pass 2: user-authority filter (role filter merged with the domain filter)
        final String authorityFilter = ZMSUtils.combineUserAuthorityFilters(role.getUserAuthorityFilter(), domainUserAuthorityFilter);
        if (authorityFilter != null) {
            final List<RoleMember> filterChanged = new ArrayList<>();
            for (RoleMember member : members) {
                if (!updateUserAuthorityFilter(member, authorityFilter)) {
                    continue;
                }
                filterChanged.add(member);
            }
            // non-short-circuit OR: the disabled-state update must run even if pass 1 already wrote
            storeTouched |= updateRoleMemberDisabledState(null, con, filterChanged, domainName, roleName, ZMSConsts.SYS_AUTH_MONITOR, AUDIT_REF, caller);
        }
        if (!storeTouched) {
            return;
        }
        // bump the role and domain mod timestamps and drop the cached domain entry
        con.updateRoleModTimestamp(domainName, roleName);
        con.updateDomainModTimestamp(domainName);
        cacheStore.invalidate(domainName);
    }
}
Use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
The class DBService, method enforceGroupUserAuthorityRestrictions.
/**
 * Re-applies the user-authority expiration and filter restrictions to every member of a group
 * and persists the members whose state changed. This is the group counterpart of
 * {@code enforceRoleUserAuthorityRestrictions}.
 *
 * <p>The expiration pass (only when the group carries a user-authority expiration) re-inserts
 * the members for which {@code updateUserAuthorityExpiry} reports a change. The filter pass
 * (only when the group filter combined with the domain filter is non-null) updates the disabled
 * state of the members for which {@code updateUserAuthorityFilter} reports a change. Both writes
 * are attributed to {@code ZMSConsts.SYS_AUTH_MONITOR} with {@code AUDIT_REF}. When either pass
 * reports a store write, the group and domain modification timestamps are bumped and the local
 * cache entry for the domain is invalidated.
 *
 * @param domainName domain that owns the group
 * @param groupName name of the group whose members are checked
 * @param domainUserAuthorityFilter domain-level user-authority filter, merged with the group's own
 */
void enforceGroupUserAuthorityRestrictions(final String domainName, final String groupName, final String domainUserAuthorityFilter) {
    final String caller = "enforceGroupUserAuthorityRestrictions";
    try (ObjectStoreConnection con = store.getConnection(true, true)) {
        // fetch the group without extra attributes; bail out if it or its member list is absent
        final Group group = getGroup(con, domainName, groupName, false, false);
        if (group == null) {
            return;
        }
        final List<GroupMember> members = group.getGroupMembers();
        if (members == null) {
            return;
        }
        boolean expiryWritten = false;
        boolean filterWritten = false;
        // pass 1: user-authority expiration
        final String authorityExpiry = group.getUserAuthorityExpiration();
        if (authorityExpiry != null) {
            final List<GroupMember> reStamped = new ArrayList<>();
            for (GroupMember member : members) {
                if (updateUserAuthorityExpiry(member, authorityExpiry)) {
                    reStamped.add(member);
                }
            }
            expiryWritten = insertGroupMembers(null, con, reStamped, domainName, groupName, ZMSConsts.SYS_AUTH_MONITOR, AUDIT_REF, caller);
        }
        // pass 2: user-authority filter (group filter merged with the domain filter)
        final String authorityFilter = ZMSUtils.combineUserAuthorityFilters(group.getUserAuthorityFilter(), domainUserAuthorityFilter);
        if (authorityFilter != null) {
            final List<GroupMember> toggled = new ArrayList<>();
            for (GroupMember member : members) {
                if (updateUserAuthorityFilter(member, authorityFilter)) {
                    toggled.add(member);
                }
            }
            filterWritten = updateGroupMemberDisabledState(null, con, toggled, domainName, groupName, ZMSConsts.SYS_AUTH_MONITOR, AUDIT_REF, caller);
        }
        final boolean storeTouched = expiryWritten || filterWritten;
        if (storeTouched) {
            // bump the group and domain mod timestamps and drop the cached domain entry
            con.updateGroupModTimestamp(domainName, groupName);
            con.updateDomainModTimestamp(domainName);
            cacheStore.invalidate(domainName);
        }
    }
}
Use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
The class DBService, method getMembership.
/**
 * Looks up a principal's membership in a role and marks it as not a member when the stored
 * expiration lies in the past.
 *
 * <p>The lookup uses a read-only connection. The expiry comparison is made against this
 * server's clock ({@code System.currentTimeMillis()}), so an expired entry is reported as
 * {@code isMember == false} even though the record still exists in the store.
 *
 * @param domainName domain that owns the role
 * @param roleName role to look up
 * @param principal principal whose membership is requested
 * @return the membership record, with {@code isMember} cleared when the expiration has passed
 */
Membership getMembership(String domainName, String roleName, String principal) {
    try (ObjectStoreConnection con = store.getConnection(true, false)) {
        // NOTE(review): assumes getRoleMember never returns null for an unknown member — confirm
        final Membership membership = con.getRoleMember(domainName, roleName, principal);
        final Timestamp expiry = membership.getExpiration();
        final boolean expired = expiry != null && expiry.millis() < System.currentTimeMillis();
        if (expired) {
            membership.setIsMember(false);
        }
        return membership;
    }
}
Use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
The class DBService, method executePutProviderRoles.
/**
 * Provisions, in the tenant domain, an ASSUME_ROLE role/policy pair for each provider role so the
 * tenant can reach the matching role in the provider service's resource group.
 *
 * <p>The whole batch runs on one read-write, non-auto-commit connection and is retried while
 * {@code shouldRetryOperation} accepts the thrown {@link ResourceException}, starting from
 * {@code defaultRetryCount} attempts. Audit requirements on the tenant domain are checked first.
 * The calling principal, when the context carries one, is added as the member of every provisioned
 * role; without a principal the member list is empty. Role names are lower-cased before use. On
 * success the tenant domain is saved via {@code saveChanges} and the request is audit-logged with
 * the accumulated details string.
 *
 * <p>NOTE(review): if {@code shouldRetryOperation} accepts the exception on the final attempt, the
 * countdown ends and the method returns without rethrowing — presumably that helper rejects once
 * the count is exhausted; confirm.
 *
 * @param ctx request context, used for the principal name and audit logging
 * @param tenantDomain domain in which the roles and policies are created
 * @param provSvcDomain provider service's domain
 * @param provSvcName provider service's name
 * @param resourceGroup provider resource group the roles belong to
 * @param roles provider role names to provision
 * @param auditRef audit reference supplied by the caller
 * @param caller name of the calling API, used in audit and error messages
 */
void executePutProviderRoles(ResourceContext ctx, String tenantDomain, String provSvcDomain, String provSvcName, String resourceGroup, List<String> roles, String auditRef, String caller) {
    int attemptsLeft = defaultRetryCount;
    while (true) {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            // auditing requirements on the tenant domain gate the whole operation
            checkDomainAuditEnabled(con, tenantDomain, auditRef, caller);
            // the requesting principal becomes the member of each provisioned role
            final String principalName = getPrincipalName(ctx);
            final List<RoleMember> roleMembers = new ArrayList<>();
            if (principalName != null) {
                final RoleMember self = new RoleMember();
                self.setMemberName(principalName);
                roleMembers.add(self);
            }
            // name prefixes for the provider-side roles and the trusted roles in the tenant domain
            final String rolePrefix = ZMSUtils.getProviderResourceGroupRolePrefix(provSvcDomain, provSvcName, resourceGroup);
            final String trustedRolePrefix = ZMSUtils.getTrustedResourceGroupRolePrefix(provSvcDomain, provSvcName, tenantDomain, resourceGroup);
            final StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            auditDetails.append("{\"put-provider-roles\": [");
            boolean firstEntry = true;
            for (String rawRole : roles) {
                final String role = rawRole.toLowerCase();
                if (LOG.isInfoEnabled()) {
                    LOG.info("executePutProviderRoles: provision ASSUME_ROLE policy for access remote role in " + provSvcDomain + "." + provSvcName + ": " + resourceGroup + "." + role);
                }
                firstEntry = auditLogSeparator(auditDetails, firstEntry);
                addAssumeRolePolicy(con, rolePrefix, trustedRolePrefix, role, roleMembers, tenantDomain, principalName, auditRef, auditDetails, caller);
            }
            auditDetails.append("]}");
            // persist the batch and the domain timestamp, then audit-log the request
            saveChanges(con, tenantDomain);
            auditLogRequest(ctx, tenantDomain, auditRef, caller, ZMSConsts.HTTP_PUT, provSvcDomain, auditDetails.toString());
            return;
        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, attemptsLeft)) {
                throw ex;
            }
        }
        // same countdown as a do/while: stop once no attempts remain
        if (--attemptsLeft <= 0) {
            return;
        }
    }
}
Use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
The class DBService, method executePutTenantRoles.
/**
 * Creates, in the provider service's domain, one trusted role and one policy per tenant role
 * action, delegating the role to the tenant domain.
 *
 * <p>Each {@link TenantRoleAction} yields a role named {@code trustedRolePrefix + role} that
 * trusts {@code tenantDomain}, plus a policy of the same short name with a single assertion
 * granting {@code action} on {@code provSvcDomain:service.<tenant resource-group prefix>*}.
 * Roles and policies are written through {@code processRole} / {@code processPolicy}; a failure
 * of either rolls back the connection and fails with an internal server error. The batch runs on
 * one read-write, non-auto-commit connection and is retried while {@code shouldRetryOperation}
 * accepts the thrown {@link ResourceException}, starting from {@code defaultRetryCount}
 * attempts. Audit requirements on the provider domain are checked first; on success the domain
 * is saved and the request audit-logged.
 *
 * <p>NOTE(review): the short role name is derived by stripping {@code provSvcDomain + ":role."}
 * from the front of the full role name, which relies on
 * {@code getTrustedResourceGroupRolePrefix} producing exactly that prefix — confirm.
 *
 * @param ctx request context, used for the principal name and audit logging
 * @param provSvcDomain provider service's domain, where the roles and policies are created
 * @param provSvcName provider service's name
 * @param tenantDomain tenant domain the created roles will trust
 * @param resourceGroup tenant resource group covered by the assertions
 * @param roles role/action pairs to provision
 * @param auditRef audit reference supplied by the caller
 * @param caller name of the calling API, used in log, audit and error messages
 */
void executePutTenantRoles(ResourceContext ctx, String provSvcDomain, String provSvcName, String tenantDomain, String resourceGroup, List<TenantRoleAction> roles, String auditRef, String caller) {
    int attemptsLeft = defaultRetryCount;
    while (true) {
        try (ObjectStoreConnection con = store.getConnection(false, true)) {
            // auditing requirements on the provider domain gate the whole operation
            checkDomainAuditEnabled(con, provSvcDomain, auditRef, caller);
            final String trustedRolePrefix = ZMSUtils.getTrustedResourceGroupRolePrefix(provSvcDomain, provSvcName, tenantDomain, resourceGroup);
            // loop-invariant: length of the "<domain>:role." prefix stripped to get the short name
            final int rolePrefixLength = (provSvcDomain + ":role.").length();
            final StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
            auditDetails.append("{\"put-tenant-roles\": [");
            boolean firstEntry = true;
            for (TenantRoleAction roleAction : roles) {
                final String tenantRole = roleAction.getRole();
                final String tenantAction = roleAction.getAction();
                final String trustedRole = trustedRolePrefix + tenantRole;
                final String trustedName = trustedRole.substring(rolePrefixLength);
                // the trusted role delegates membership decisions to the tenant domain
                final Role role = new Role().setName(trustedRole).setTrust(tenantDomain);
                if (LOG.isInfoEnabled()) {
                    LOG.info(caller + ": add trusted Role to domain " + provSvcDomain + ": " + trustedRole + " -> " + role);
                }
                final Role originalRole = getRole(con, provSvcDomain, trustedName, false, false);
                firstEntry = auditLogSeparator(auditDetails, firstEntry);
                auditDetails.append("{\"role\": ");
                if (!processRole(con, originalRole, provSvcDomain, trustedName, role, getPrincipalName(ctx), auditRef, false, auditDetails)) {
                    con.rollbackChanges();
                    throw ZMSUtils.internalServerError("unable to put role: " + trustedRole, caller);
                }
                // one assertion: the trusted role may perform the tenant action on the
                // provider's service resources for this tenant/resource-group prefix
                final String policyResourceName = ZMSUtils.policyResourceName(provSvcDomain, trustedName);
                final String resourceName = provSvcDomain + ":service." + ZMSUtils.getTenantResourceGroupRolePrefix(provSvcName, tenantDomain, resourceGroup) + '*';
                final Assertion assertion = new Assertion().setRole(trustedRole).setResource(resourceName).setAction(tenantAction);
                final List<Assertion> assertions = Arrays.asList(assertion);
                final Policy policy = new Policy().setName(policyResourceName).setAssertions(assertions);
                if (LOG.isInfoEnabled()) {
                    LOG.info(caller + ": add trust policy to domain " + provSvcDomain + ": " + trustedRole + " -> " + policy);
                }
                final Policy originalPolicy = getPolicy(con, provSvcDomain, trustedName);
                auditDetails.append(", \"policy\": ");
                if (!processPolicy(con, originalPolicy, provSvcDomain, trustedName, policy, false, auditDetails)) {
                    con.rollbackChanges();
                    throw ZMSUtils.internalServerError("unable to put policy: " + policy.getName(), caller);
                }
                auditDetails.append('}');
            }
            // persist the batch and the domain timestamp, then audit-log the request
            saveChanges(con, provSvcDomain);
            auditLogRequest(ctx, provSvcDomain, auditRef, caller, ZMSConsts.HTTP_PUT, tenantDomain, auditDetails.toString());
            return;
        } catch (ResourceException ex) {
            if (!shouldRetryOperation(ex, attemptsLeft)) {
                throw ex;
            }
        }
        // same countdown as a do/while: stop once no attempts remain
        if (--attemptsLeft <= 0) {
            return;
        }
    }
}