Example 41 with ObjectStoreConnection
use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method executePutGroupMembership.
void executePutGroupMembership(ResourceContext ctx, final String domainName, Group group, GroupMember groupMember, final String auditRef) {
for (int retryCount = defaultRetryCount; ; retryCount--) {
try (ObjectStoreConnection con = store.getConnection(true, true)) {
final String principal = getPrincipalName(ctx);
// first verify that auditing requirements are met
checkDomainAuditEnabled(con, domainName, auditRef, ctx.getApiName(), principal, AUDIT_TYPE_GROUP);
// make sure the group auditing requirements are met
checkObjectAuditEnabled(con, group.getAuditEnabled(), group.getName(), auditRef, ctx.getApiName(), principal);
// now we need verify our quota check
final String groupName = ZMSUtils.extractGroupName(domainName, group.getName());
quotaCheck.checkGroupMembershipQuota(con, domainName, groupName, ctx.getApiName());
if (!con.insertGroupMember(domainName, groupName, groupMember, principal, auditRef)) {
con.rollbackChanges();
throw ZMSUtils.requestError("unable to insert group member: " + groupMember.getMemberName() + " to group: " + groupName, ctx.getApiName());
}
// update our group and domain time-stamps, and invalidate local cache entry
con.updateGroupModTimestamp(domainName, groupName);
con.updateDomainModTimestamp(domainName);
cacheStore.invalidate(domainName);
// audit log the request
StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
auditLogGroupMember(auditDetails, groupMember, true);
auditLogRequest(ctx, domainName, auditRef, ctx.getApiName(), ZMSConsts.HTTP_PUT, groupName, auditDetails.toString());
// add domain change event
addDomainChangeMessage(ctx, domainName, groupName, DomainChangeMessage.ObjectType.GROUP);
return;
} catch (ResourceException ex) {
if (!shouldRetryOperation(ex, retryCount)) {
throw ex;
}
}
}
}
Also used :
ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection)
Example 42 with ObjectStoreConnection
use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method executeDeletePolicy.
void executeDeletePolicy(ResourceContext ctx, String domainName, String policyName, String auditRef, String caller) {
for (int retryCount = defaultRetryCount; ; retryCount--) {
try (ObjectStoreConnection con = store.getConnection(false, true)) {
// first verify that auditing requirements are met
checkDomainAuditEnabled(con, domainName, auditRef, caller, getPrincipalName(ctx), AUDIT_TYPE_POLICY);
// extract the current policy for audit log purposes
List<String> versions = con.listPolicyVersions(domainName, policyName);
if (versions == null || versions.isEmpty()) {
con.rollbackChanges();
throw ZMSUtils.notFoundError(caller + ": unable to get versions for policy: " + policyName, caller);
}
List<Policy> policyVersions = new ArrayList<>();
for (String version : versions) {
Policy policy = getPolicy(con, domainName, policyName, version);
if (policy == null) {
con.rollbackChanges();
throw ZMSUtils.notFoundError(caller + ": unable to read policy: " + policyName + ", with version: " + version, caller);
}
policyVersions.add(policy);
}
StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
auditLogPolicy(auditDetails, policyVersions, "deleted-policy-versions");
if (!con.deletePolicy(domainName, policyName)) {
con.rollbackChanges();
throw ZMSUtils.notFoundError(caller + ": unable to delete policy: " + policyName, caller);
}
// update our domain time-stamp and save changes
saveChanges(con, domainName);
// audit log the request
auditLogRequest(ctx, domainName, auditRef, caller, ZMSConsts.HTTP_DELETE, policyName, auditDetails.toString());
// add domain change event
addDomainChangeMessage(ctx, domainName, policyName, DomainChangeMessage.ObjectType.POLICY);
return;
} catch (ResourceException ex) {
if (!shouldRetryOperation(ex, retryCount)) {
throw ex;
}
}
}
}
Also used :
ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection)
Example 43 with ObjectStoreConnection
use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method updateDomainModTimestamp.
void updateDomainModTimestamp(final String domainName) {
try (ObjectStoreConnection con = store.getConnection(true, true)) {
// update domain time-stamps, and invalidate local cache entry
con.updateDomainModTimestamp(domainName);
cacheStore.invalidate(domainName);
}
}
Also used :
ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection)
Example 44 with ObjectStoreConnection
use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method executePutProviderRoles.
void executePutProviderRoles(ResourceContext ctx, String tenantDomain, String provSvcDomain, String provSvcName, String resourceGroup, List<String> roles, Boolean skipPrincipalMember, String auditRef, String caller) {
for (int retryCount = defaultRetryCount; ; retryCount--) {
try (ObjectStoreConnection con = store.getConnection(false, true)) {
final String principalName = getPrincipalName(ctx);
// first verify that auditing requirements are met
checkDomainAuditEnabled(con, tenantDomain, auditRef, caller, principalName, AUDIT_TYPE_TENANCY);
// we're going to create a separate role for each one of tenant roles returned
// based on its action and set the caller as a member in each role
// now set up the roles and policies for all the provider roles returned.
final String rolePrefix = ZMSUtils.getProviderResourceGroupRolePrefix(provSvcDomain, provSvcName, resourceGroup);
final String trustedRolePrefix = ZMSUtils.getTrustedResourceGroupRolePrefix(provSvcDomain, provSvcName, tenantDomain, resourceGroup);
StringBuilder auditDetails = new StringBuilder(ZMSConsts.STRING_BLDR_SIZE_DEFAULT);
auditDetails.append("{\"put-provider-roles\": [");
boolean firstEntry = true;
for (String role : roles) {
// we need to create a new object for each role since the list is updated
// in case the role already has existing members, but we don't want to
// add those members to other roles in our list
List<RoleMember> roleMembers = new ArrayList<>();
if (principalName != null && skipPrincipalMember != Boolean.TRUE) {
RoleMember roleMember = new RoleMember();
roleMember.setMemberName(principalName);
roleMembers.add(roleMember);
}
role = role.toLowerCase();
if (LOG.isInfoEnabled()) {
LOG.info("executePutProviderRoles: provision ASSUME_ROLE policy for access remote role in " + provSvcDomain + "." + provSvcName + ": " + resourceGroup + "." + role);
}
firstEntry = auditLogSeparator(auditDetails, firstEntry);
addAssumeRolePolicy(ctx, con, rolePrefix, trustedRolePrefix, role, roleMembers, tenantDomain, principalName, auditRef, auditDetails, caller);
}
auditDetails.append("]}");
// update our domain time-stamp and save changes
saveChanges(con, tenantDomain);
// audit log the request
auditLogRequest(ctx, tenantDomain, auditRef, caller, ZMSConsts.HTTP_PUT, provSvcDomain, auditDetails.toString());
return;
} catch (ResourceException ex) {
if (!shouldRetryOperation(ex, retryCount)) {
throw ex;
}
}
}
}
Also used :
ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection)
Example 45 with ObjectStoreConnection
use of com.yahoo.athenz.zms.store.ObjectStoreConnection in project athenz by yahoo.
the class DBService method executeDeletePendingMembership.
void executeDeletePendingMembership(ResourceContext ctx, String domainName, String roleName, String normalizedMember, String auditRef, String caller) {
for (int retryCount = defaultRetryCount; ; retryCount--) {
try (ObjectStoreConnection con = store.getConnection(true, true)) {
final String principal = getPrincipalName(ctx);
// first verify that auditing requirements are met
checkDomainAuditEnabled(con, domainName, auditRef, caller, principal, AUDIT_TYPE_ROLE);
if (!con.deletePendingRoleMember(domainName, roleName, normalizedMember, principal, auditRef)) {
con.rollbackChanges();
throw ZMSUtils.notFoundError(caller + ": unable to delete pending role member: " + normalizedMember + " from role: " + roleName, caller);
}
// update our role and domain time-stamps, and invalidate local cache entry
con.updateRoleModTimestamp(domainName, roleName);
con.updateDomainModTimestamp(domainName);
cacheStore.invalidate(domainName);
// audit log the request
auditLogRequest(ctx, domainName, auditRef, caller, ZMSConsts.HTTP_DELETE, roleName, "{\"pending-member\": \"" + normalizedMember + "\"}");
// add domain change event
addDomainChangeMessage(ctx, domainName, roleName, DomainChangeMessage.ObjectType.ROLE);
return;
} catch (ResourceException ex) {
if (!shouldRetryOperation(ex, retryCount)) {
throw ex;
}
}
}
}
Also used :
ObjectStoreConnection(com.yahoo.athenz.zms.store.ObjectStoreConnection)
Aggregations
ObjectStoreConnection (com.yahoo.athenz.zms.store.ObjectStoreConnection)173
Test (org.testng.annotations.Test)96
ObjectStore (com.yahoo.athenz.zms.store.ObjectStore)38
AthenzDomain (com.yahoo.athenz.zms.store.AthenzDomain)34
Authority (com.yahoo.athenz.auth.Authority)23
Timestamp (com.yahoo.rdl.Timestamp)17
ArrayList (java.util.ArrayList)16
MemberDueDays (com.yahoo.athenz.zms.config.MemberDueDays)11
Principal (com.yahoo.athenz.auth.Principal)7
SimplePrincipal (com.yahoo.athenz.auth.impl.SimplePrincipal)7
EmbeddedMysql (com.wix.mysql.EmbeddedMysql)5
FilePrivateKeyStore (com.yahoo.athenz.auth.impl.FilePrivateKeyStore)5
Crypto (com.yahoo.athenz.auth.util.Crypto)5
AuditReferenceValidator (com.yahoo.athenz.common.server.audit.AuditReferenceValidator)5
NotificationManager (com.yahoo.athenz.common.server.notification.NotificationManager)5
ResourceUtils (com.yahoo.athenz.common.server.util.ResourceUtils)5
DataCache (com.yahoo.athenz.zms.DBService.DataCache)5
MockAuditReferenceValidatorImpl (com.yahoo.athenz.zms.audit.MockAuditReferenceValidatorImpl)5
JDBCConnection (com.yahoo.athenz.zms.store.impl.jdbc.JDBCConnection)5
ZMSUtils (com.yahoo.athenz.zms.utils.ZMSUtils)5
