provide option to skip adding principal when onboarding a resource gr…

…oup (#1787) Signed-off-by: Henry Avetisyan <[email protected]> Co-authored-by: Henry Avetisyan <[email protected]>
AthenZ · Feb 18, 2022 · f422912 · f422912
1 parent 8528fb1
commit f422912
Show file tree

Hide file tree

Showing 8 changed files with 53 additions and 9 deletions.
diff --git a/clients/go/zms/model.go b/clients/go/zms/model.go
diff --git a/clients/go/zms/zms_schema.go b/clients/go/zms/zms_schema.go
diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/ProviderResourceGroupRoles.java b/core/zms/src/main/java/com/yahoo/athenz/zms/ProviderResourceGroupRoles.java
@@ -22,6 +22,9 @@ public class ProviderResourceGroupRoles {
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     public Boolean createAdminRole;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public Boolean skipPrincipalMember;
 
     public ProviderResourceGroupRoles setDomain(String domain) {
         this.domain = domain;
@@ -65,6 +68,13 @@ public ProviderResourceGroupRoles setCreateAdminRole(Boolean createAdminRole) {
     public Boolean getCreateAdminRole() {
         return createAdminRole;
     }
+    public ProviderResourceGroupRoles setSkipPrincipalMember(Boolean skipPrincipalMember) {
+        this.skipPrincipalMember = skipPrincipalMember;
+        return this;
+    }
+    public Boolean getSkipPrincipalMember() {
+        return skipPrincipalMember;
+    }
 
     @Override
     public boolean equals(Object another) {
@@ -91,6 +101,9 @@ public boolean equals(Object another) {
             if (createAdminRole == null ? a.createAdminRole != null : !createAdminRole.equals(a.createAdminRole)) {
                 return false;
             }
+            if (skipPrincipalMember == null ? a.skipPrincipalMember != null : !skipPrincipalMember.equals(a.skipPrincipalMember)) {
+                return false;
+            }
         }
         return true;
     }
@@ -102,6 +115,9 @@ public ProviderResourceGroupRoles init() {
         if (createAdminRole == null) {
             createAdminRole = true;
         }
+        if (skipPrincipalMember == null) {
+            skipPrincipalMember = false;
+        }
         return this;
     }
 }
diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java b/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java
@@ -519,7 +519,8 @@ private static Schema build() {
             .field("tenant", "DomainName", false, "name of the tenant domain")
             .arrayField("roles", "TenantRoleAction", false, "the role/action pairs to provision")
             .field("resourceGroup", "EntityName", false, "tenant resource group")
-            .field("createAdminRole", "Bool", true, "optional flag indicating whether to create a default tenancy admin role", true);
+            .field("createAdminRole", "Bool", true, "optional flag indicating whether to create a default tenancy admin role", true)
+            .field("skipPrincipalMember", "Bool", true, "optional flag indicating to skip adding the caller principal into the resource role", false);
 
         sb.structType("Access")
             .comment("Access can be checked and returned as this resource.")

diff --git a/core/zms/src/main/rdl/Tenancy.rdli b/core/zms/src/main/rdl/Tenancy.rdli
@@ -35,6 +35,7 @@ type ProviderResourceGroupRoles Struct {
     Array<TenantRoleAction> roles; //the role/action pairs to provision
     EntityName resourceGroup; //tenant resource group
     Bool createAdminRole (optional, default=true); //optional flag indicating whether to create a default tenancy admin role
+    Bool skipPrincipalMember (optional, default=false); //optional flag indicating to skip adding the caller principal into the resource role
 }
 
 //Register the provider service in the tenant's domain.

diff --git a/core/zms/src/test/java/com/yahoo/athenz/zms/ZMSCoreTest.java b/core/zms/src/test/java/com/yahoo/athenz/zms/ZMSCoreTest.java
@@ -3026,30 +3026,45 @@ public void testProviderResourceGroupRolesMethod() {
         assertNull(prgr2.getCreateAdminRole());
         prgr2.init();
         assertTrue(prgr2.getCreateAdminRole());
+        assertFalse(prgr2.getSkipPrincipalMember());
 
         assertTrue(prgr2.equals(prgr));
         assertTrue(prgr.equals(prgr));
 
         prgr2.setResourceGroup(null);
         assertFalse(prgr2.equals(prgr));
         prgr2.setResourceGroup("test-group");
+
         prgr2.setRoles(null);
         assertFalse(prgr2.equals(prgr));
         prgr2.setRoles(tral);
+
         prgr2.setTenant(null);
         assertFalse(prgr2.equals(prgr));
         prgr2.setTenant("test.tenant");
+
         prgr2.setService(null);
         assertFalse(prgr2.equals(prgr));
         prgr2.setService("test-service");
+
         prgr2.setDomain(null);
         assertFalse(prgr2.equals(prgr));
         prgr2.setDomain("test.domain");
+
         prgr2.setCreateAdminRole(null);
         assertFalse(prgr2.equals(prgr));
         prgr2.setCreateAdminRole(false);
         assertFalse(prgr2.equals(prgr));
         prgr2.setCreateAdminRole(true);
+        assertTrue(prgr2.equals(prgr));
+
+        prgr2.setSkipPrincipalMember(null);
+        assertFalse(prgr2.equals(prgr));
+        prgr2.setSkipPrincipalMember(true);
+        assertFalse(prgr2.equals(prgr));
+        prgr2.setSkipPrincipalMember(false);
+        assertTrue(prgr2.equals(prgr));
+
         assertFalse(prgr2.equals(null));
         assertFalse(prgr.equals(new String()));
 

diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
@@ -4525,7 +4525,8 @@ void addAssumeRolePolicy(ResourceContext ctx, ObjectStoreConnection con, String
     }
 
     void executePutProviderRoles(ResourceContext ctx, String tenantDomain, String provSvcDomain,
-            String provSvcName, String resourceGroup, List<String> roles, String auditRef, String caller) {
+            String provSvcName, String resourceGroup, List<String> roles, Boolean skipPrincipalMember,
+            String auditRef, String caller) {
 
         // our exception handling code does the check for retry count
         // and throws the exception it had received when the retry
@@ -4561,7 +4562,7 @@ void executePutProviderRoles(ResourceContext ctx, String tenantDomain, String pr
                     // add those members to other roles in our list
 
                     List<RoleMember> roleMembers = new ArrayList<>();
-                    if (principalName != null) {
+                    if (principalName != null && skipPrincipalMember != Boolean.TRUE) {
                         RoleMember roleMember = new RoleMember();
                         roleMember.setMemberName(principalName);
                         roleMembers.add(roleMember);

diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSImpl.java
@@ -7398,8 +7398,8 @@ boolean isAuthorizedProviderService(String authorizedService, String provSvcDoma
     }
 
     /**
-     * This sets up the assume roles in the tenant. If the tenants admin user
-     * token has been authorized by the provider, the providers domain will be
+     * This sets up the assume roles in the tenant. If the tenant's admin user
+     * token has been authorized by the provider, the provider's domain will be
      * updated as well, thus completing the tenancy on-boarding in a single step.
     **/
     @Override
@@ -7458,11 +7458,10 @@ public ProviderResourceGroupRoles putProviderResourceGroupRoles(ResourceContext
 
         if (!Boolean.FALSE.equals(detail.getCreateAdminRole())) {
             // set up our tenant admin policy so provider can check admin's access
-
             dbService.setupTenantAdminPolicy(ctx, tenantDomain, provSvcDomain, provSvcName, auditRef, caller);
         }
 
-        // now we're going to setup our roles
+        // now we're going to set up our roles
 
         List<TenantRoleAction> roleActions = detail.getRoles();
         List<String> roles = new ArrayList<>();
@@ -7474,7 +7473,7 @@ public ProviderResourceGroupRoles putProviderResourceGroupRoles(ResourceContext
         // based on its action and set the caller as a member in each role
 
         dbService.executePutProviderRoles(ctx, tenantDomain, provSvcDomain, provSvcName, resourceGroup,
-            roles, auditRef, caller);
+            roles, detail.getSkipPrincipalMember(), auditRef, caller);
 
         // at this point the tenant side is complete. If the token was a chained
         // token signed by the provider service then we're going to process the
@@ -7483,7 +7482,7 @@ public ProviderResourceGroupRoles putProviderResourceGroupRoles(ResourceContext
         String authorizedService = ((RsrcCtxWrapper) ctx).principal().getAuthorizedService();
         if (isAuthorizedProviderService(authorizedService, provSvcDomain, provSvcName, ((RsrcCtxWrapper) ctx).principal())) {
 
-            // first we need to setup the admin roles in case this
+            // first we need to set up the admin roles in case this
             // happens to be the first resource group
 
             setupTenantAdminPolicyInProvider(ctx, provSvcDomain, provSvcName, tenantDomain,