support max member limit on roles and groups #2424

Merged
merged 2 commits into from
Nov 28, 2023
40 changes: 40 additions & 0 deletions libs/go/zmscli/cli.go
Expand Up @@ -983,6 +983,14 @@ func (cli Zms) EvalCommand(params []string) (*string, error) {
}
return cli.SetRoleSelfServe(dn, args[0], selfServe)
}
case "set-role-max-members":
if argc == 2 {
days, err := cli.getInt32(args[1])
if err != nil {
return nil, err
}
return cli.SetRoleMaxMembers(dn, args[0], days)
}
case "set-role-member-expiry-days":
if argc == 2 {
days, err := cli.getInt32(args[1])
Expand Down Expand Up @@ -1117,6 +1125,14 @@ func (cli Zms) EvalCommand(params []string) (*string, error) {
}
return cli.SetGroupSelfServe(dn, args[0], selfServe)
}
case "set-group-max-members":
if argc == 2 {
days, err := cli.getInt32(args[1])
if err != nil {
return nil, err
}
return cli.SetGroupMaxMembers(dn, args[0], days)
}
case "set-group-member-expiry-days":
if argc == 2 {
days, err := cli.getInt32(args[1])
Expand Down Expand Up @@ -2749,6 +2765,17 @@ func (cli Zms) HelpSpecificCommand(interactive bool, cmd string) string {
buf.WriteString(" delete-protection : enable/disable protection flag for the role\n")
buf.WriteString(" examples:\n")
buf.WriteString(" " + domainExample + " set-role-delete-protection readers true\n")
case "set-role-max-members":
buf.WriteString(" syntax:\n")
buf.WriteString(" " + domainParam + " set-role-max-members role max-members\n")
buf.WriteString(" parameters:\n")
if !interactive {
buf.WriteString(" domain : name of the domain being updated\n")
}
buf.WriteString(" role : name of the role to be modified\n")
buf.WriteString(" max-members : number of max members in the role\n")
buf.WriteString(" examples:\n")
buf.WriteString(" " + domainExample + " set-role-max-members writers 5\n")
case "set-role-member-expiry-days":
buf.WriteString(" syntax:\n")
buf.WriteString(" " + domainParam + " set-role-member-expiry-days role days\n")
Expand Down Expand Up @@ -2967,6 +2994,17 @@ func (cli Zms) HelpSpecificCommand(interactive bool, cmd string) string {
buf.WriteString(" delete-protection : enable/disable protection flag for the group\n")
buf.WriteString(" examples:\n")
buf.WriteString(" " + domainExample + " set-group-delete-protection readers true\n")
case "set-group-max-members":
buf.WriteString(" syntax:\n")
buf.WriteString(" " + domainParam + " set-group-max-members role max-members\n")
buf.WriteString(" parameters:\n")
if !interactive {
buf.WriteString(" domain : name of the domain being updated\n")
}
buf.WriteString(" group : name of the group to be modified\n")
buf.WriteString(" max-members : number of max members in the group\n")
buf.WriteString(" examples:\n")
buf.WriteString(" " + domainExample + " set-group-max-members writers 5\n")
case "set-group-member-expiry-days":
buf.WriteString(" syntax:\n")
buf.WriteString(" " + domainParam + " set-group-member-expiry-days group days\n")
Expand Down Expand Up @@ -3317,6 +3355,7 @@ func (cli Zms) HelpListCommand() string {
buf.WriteString(" set-role-review-enabled regular_role review-enabled\n")
buf.WriteString(" set-role-delete-protection regular_role delete-protection\n")
buf.WriteString(" set-role-self-serve regular_role self-serve\n")
buf.WriteString(" set-role-max-members regular_role max-members\n")
buf.WriteString(" set-role-member-expiry-days regular_role user-member-expiry-days\n")
buf.WriteString(" set-role-service-expiry-days regular_role service-member-expiry-days\n")
buf.WriteString(" set-role-group-expiry-days regular_role group-member-expiry-days\n")
Expand Down Expand Up @@ -3351,6 +3390,7 @@ func (cli Zms) HelpListCommand() string {
buf.WriteString(" set-group-review-enabled group review-enabled\n")
buf.WriteString(" set-group-delete-protection group delete-protection\n")
buf.WriteString(" set-group-self-serve group self-serve\n")
buf.WriteString(" set-group-max-members group max-members\n")
buf.WriteString(" set-group-member-expiry-days group user-member-expiry-days\n")
buf.WriteString(" set-group-service-expiry-days group service-member-expiry-days\n")
buf.WriteString(" set-group-notify-roles group rolename[,rolename...]\n")
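Review bot: The syntax line of the set-group-max-members help entry names the positional argument `role`, while the parameters list beneath it and the HelpListCommand entry call it `group`; it should read `buf.WriteString(" " + domainParam + " set-group-max-members group max-members\n")`. In both new EvalCommand cases the parsed value is bound to a local named `days`, a leftover from the expiry-days cases it was copied from; `maxMembers, err := cli.getInt32(args[1])` and `return cli.SetRoleMaxMembers(dn, args[0], maxMembers)` would say what is being passed. The CLI forwards whatever int32 it parsed, including negative values, and whether the server rejects those is not visible here; the help text could also state that 0 means no limit, which the review thread gives as the intended semantics. EvalCommand, HelpSpecificCommand and HelpListCommand all start and end outside these hunks.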
22 changes: 22 additions & 0 deletions libs/go/zmscli/group.go
Expand Up @@ -77,6 +77,27 @@ func (cli Zms) ShowUpdatedGroup(group *zms.Group, auditLog bool) (*string, error
return cli.dumpByFormat(group, oldYamlConverter)
}

func (cli Zms) SetGroupMaxMembers(dn string, rn string, maxMembers int32) (*string, error) {
group, err := cli.Zms.GetGroup(zms.DomainName(dn), zms.EntityName(rn), nil, nil)
if err != nil {
return nil, err
}
meta := getGroupMetaObject(group)
meta.MaxMembers = &maxMembers

err = cli.Zms.PutGroupMeta(zms.DomainName(dn), zms.EntityName(rn), cli.AuditRef, &meta)
if err != nil {
return nil, err
}
s := "[domain " + dn + " group " + rn + " group-max-members attribute successfully updated]\n"
message := SuccessMessage{
Status: 200,
Message: s,
}

return cli.dumpByFormat(message, cli.buildYAMLOutput)
}

func (cli Zms) SetGroupMemberExpiryDays(dn string, rn string, days int32) (*string, error) {
group, err := cli.Zms.GetGroup(zms.DomainName(dn), zms.EntityName(rn), nil, nil)
if err != nil {
Expand Down Expand Up @@ -312,6 +333,7 @@ func getGroupMetaObject(group *zms.Group) zms.GroupMeta {
MemberExpiryDays: group.MemberExpiryDays,
ServiceExpiryDays: group.ServiceExpiryDays,
Tags: group.Tags,
MaxMembers: group.MaxMembers,
}
}

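Review bot: SetGroupMaxMembers is exported but has no doc comment, unlike what Go convention expects for an exported method; a comment starting with the name, such as `// SetGroupMaxMembers reads group rn in domain dn, sets MaxMembers on its meta object and writes it back with PutGroupMeta.`, would cover what the body visibly does. The same applies to SetRoleMaxMembers in role.go, which mirrors this method line for line. The doc comment is also the natural place to record that 0 removes the limit, which the review thread on the schema change gives as the intended meaning, so a caller knows how to clear a previously set value. The value is sent to the server unvalidated, so a negative maxMembers is passed through as-is; whether it is rejected server-side is not shown in this PR.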
22 changes: 22 additions & 0 deletions libs/go/zmscli/role.go
Expand Up @@ -472,6 +472,7 @@ func getRoleMetaObject(role *zms.Role) zms.RoleMeta {
UserAuthorityExpiration: role.UserAuthorityExpiration,
UserAuthorityFilter: role.UserAuthorityFilter,
Tags: role.Tags,
MaxMembers: role.MaxMembers,
}
}

Expand Down Expand Up @@ -779,6 +780,27 @@ func (cli Zms) SetRoleTokenExpiryMins(dn string, rn string, mins int32) (*string
return cli.dumpByFormat(message, cli.buildYAMLOutput)
}

func (cli Zms) SetRoleMaxMembers(dn string, rn string, maxMembers int32) (*string, error) {
role, err := cli.Zms.GetRole(zms.DomainName(dn), zms.EntityName(rn), nil, nil, nil)
if err != nil {
return nil, err
}
meta := getRoleMetaObject(role)
meta.MaxMembers = &maxMembers

err = cli.Zms.PutRoleMeta(zms.DomainName(dn), zms.EntityName(rn), cli.AuditRef, &meta)
if err != nil {
return nil, err
}
s := "[domain " + dn + " role " + rn + " role-max-members attribute successfully updated]\n"
message := SuccessMessage{
Status: 200,
Message: s,
}

return cli.dumpByFormat(message, cli.buildYAMLOutput)
}

func (cli Zms) SetRoleCertExpiryMins(dn string, rn string, mins int32) (*string, error) {
role, err := cli.Zms.GetRole(zms.DomainName(dn), zms.EntityName(rn), nil, nil, nil)
if err != nil {
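--- a/servers/zms/schema/updates/update-20231120.sql
+++ b/servers/zms/schema/updates/update-20231120.sql
@@ -0,0 +1,2 @@
+ALTER TABLE `zms_server`.`role` ADD `max_members` INT NOT NULL DEFAULT 0;
+ALTER TABLE `zms_server`.`principal_group` ADD `max_members` INT NOT NULL DEFAULT 0;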
Binary file modified servers/zms/schema/zms_server.mwb
4 changes: 3 additions & 1 deletion servers/zms/schema/zms_server.sql
@@ -1,5 +1,5 @@
-- MySQL Script generated by MySQL Workbench
-- Sun Jul 23 14:00:31 2023
-- Sun Nov 20 17:00:31 2023
-- Model: New Model Version: 1.0
-- MySQL Workbench Forward Engineering

Expand Down Expand Up @@ -90,6 +90,7 @@ CREATE TABLE IF NOT EXISTS `zms_server`.`role` (
`group_expiry_days` INT NOT NULL DEFAULT 0,
`description` VARCHAR(4096) NOT NULL DEFAULT '',
`delete_protection` TINYINT(1) NOT NULL DEFAULT 0,
`max_members` INT NOT NULL DEFAULT 0,
Should we have some other numbers as the default value instead of 0?

No, we can't introduce backward incompatible changes. Value of 0 indicates there is no limit which is the current behavior.

PRIMARY KEY (`role_id`),
UNIQUE INDEX `uq_domain_role` (`domain_id` ASC, `name` ASC),
CONSTRAINT `fk_role_domain`
Expand Down Expand Up @@ -394,6 +395,7 @@ CREATE TABLE IF NOT EXISTS `zms_server`.`principal_group` (
`member_expiry_days` INT NOT NULL DEFAULT 0,
`service_expiry_days` INT NOT NULL DEFAULT 0,
`delete_protection` TINYINT(1) NOT NULL DEFAULT 0,
`max_members` INT NOT NULL DEFAULT 0,
PRIMARY KEY (`group_id`),
UNIQUE INDEX `uq_domain_group` (`domain_id` ASC, `name` ASC),
CONSTRAINT `fk_group_domain`
29 changes: 23 additions & 6 deletions servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
Expand Up @@ -943,6 +943,9 @@ void mergeOriginalRoleAndMetaRoleAttributes(Role originalRole, Role templateRole
if (templateRole.getUserAuthorityExpiration() == null) {
templateRole.setUserAuthorityExpiration(originalRole.getUserAuthorityExpiration());
}
if (templateRole.getMaxMembers() == null) {
templateRole.setMaxMembers(originalRole.getMaxMembers());
}
templateRole.setLastReviewedDate(originalRole.getLastReviewedDate());
}

Expand Down Expand Up @@ -1888,7 +1891,8 @@ Membership executePutMembership(ResourceContext ctx, String domainName, String r

// now we need verify our quota check

quotaCheck.checkRoleMembershipQuota(con, domainName, roleName, caller);
quotaCheck.checkRoleMembershipQuota(con, domainName, roleName, roleMember.getMemberName(),
originalRole.getMaxMembers(), caller);

// process our insert role member support. since this is a "single"
// operation, we are not using any transactions.
Expand Down Expand Up @@ -1954,7 +1958,8 @@ GroupMembership executePutGroupMembership(ResourceContext ctx, final String doma
// now we need verify our quota check

final String groupName = ZMSUtils.extractGroupName(domainName, group.getName());
quotaCheck.checkGroupMembershipQuota(con, domainName, groupName, ctx.getApiName());
quotaCheck.checkGroupMembershipQuota(con, domainName, groupName, groupMember.getMemberName(),
group.getMaxMembers(), ctx.getApiName());

// process our insert group member support. since this is a "single"
// operation, we are not using any transactions.
Expand Down Expand Up @@ -5898,6 +5903,7 @@ void auditLogRoleMeta(StringBuilder auditDetails, Role role, String roleName) {
.append("\", \"description\": \"").append(role.getDescription())
.append("\", \"deleteProtection\": \"").append(role.getDeleteProtection())
.append("\", \"lastReviewedDate\": \"").append(role.getLastReviewedDate())
.append("\", \"maxMembers\": \"").append(role.getMembers())
.append("\"}");
}

Expand All @@ -5912,6 +5918,7 @@ void auditLogGroupMeta(StringBuilder auditDetails, Group group, final String gro
.append("\", \"userAuthorityExpiration\": \"").append(group.getUserAuthorityExpiration())
.append("\", \"deleteProtection\": \"").append(group.getDeleteProtection())
.append("\", \"lastReviewedDate\": \"").append(group.getLastReviewedDate())
.append("\", \"maxMembers\": \"").append(group.getMaxMembers())
.append("\"}");
}

Expand Down Expand Up @@ -6079,7 +6086,8 @@ public void executePutRoleSystemMeta(ResourceContext ctx, final String domainNam
.setReviewEnabled(originalRole.getReviewEnabled())
.setDeleteProtection(originalRole.getDeleteProtection())
.setNotifyRoles(originalRole.getNotifyRoles())
.setLastReviewedDate(originalRole.getLastReviewedDate());
.setLastReviewedDate(originalRole.getLastReviewedDate())
.setMaxMembers(originalRole.getMaxMembers());

// then we're going to apply the updated fields
// from the given object
Expand Down Expand Up @@ -6152,7 +6160,8 @@ public Group executePutGroupSystemMeta(ResourceContext ctx, final String domainN
.setMemberExpiryDays(originalGroup.getMemberExpiryDays())
.setServiceExpiryDays(originalGroup.getServiceExpiryDays())
.setLastReviewedDate(originalGroup.getLastReviewedDate())
.setDeleteProtection(originalGroup.getDeleteProtection());
.setDeleteProtection(originalGroup.getDeleteProtection())
.setMaxMembers(originalGroup.getMaxMembers());

// then we're going to apply the updated fields
// from the given object
Expand Down Expand Up @@ -6293,6 +6302,9 @@ void updateRoleMetaFields(Role role, RoleMeta meta, final String caller) {
if (meta.getTags() != null) {
role.setTags(meta.getTags());
}
if (meta.getMaxMembers() != null) {
role.setMaxMembers(meta.getMaxMembers());
}
role.setLastReviewedDate(objectLastReviewDate(meta.getLastReviewedDate(),
role.getLastReviewedDate(), caller));
}
Expand Down Expand Up @@ -6335,7 +6347,8 @@ public Role executePutRoleMeta(ResourceContext ctx, String domainName, String ro
.setUserAuthorityExpiration(originalRole.getUserAuthorityExpiration())
.setDescription(originalRole.getDescription())
.setTags(originalRole.getTags())
.setLastReviewedDate(originalRole.getLastReviewedDate());
.setLastReviewedDate(originalRole.getLastReviewedDate())
.setMaxMembers(originalRole.getMaxMembers());

// then we're going to apply the updated fields
// from the given object
Expand Down Expand Up @@ -6414,6 +6427,9 @@ void updateGroupMetaFields(Group group, GroupMeta meta, final String caller) {
if (meta.getDeleteProtection() != null) {
group.setDeleteProtection(meta.getDeleteProtection());
}
if (meta.getMaxMembers() != null) {
group.setMaxMembers(meta.getMaxMembers());
}
group.setLastReviewedDate(objectLastReviewDate(meta.getLastReviewedDate(),
group.getLastReviewedDate(), caller));
}
Expand Down Expand Up @@ -6453,7 +6469,8 @@ public Group executePutGroupMeta(ResourceContext ctx, final String domainName, f
.setUserAuthorityExpiration(originalGroup.getUserAuthorityExpiration())
.setTags(originalGroup.getTags())
.setDeleteProtection(originalGroup.getDeleteProtection())
.setLastReviewedDate(originalGroup.getLastReviewedDate());
.setLastReviewedDate(originalGroup.getLastReviewedDate())
.setMaxMembers(originalGroup.getMaxMembers());

// then we're going to apply the updated fields
// from the given object
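Review bot: In auditLogRoleMeta the new `maxMembers` audit field is filled from `role.getMembers()` instead of `role.getMaxMembers()`, so the audit record carries the member list under the wrong key and the configured limit itself is never logged; the group counterpart in auditLogGroupMeta correctly uses `group.getMaxMembers()`. The line should be `.append("\", \"maxMembers\": \"").append(role.getMaxMembers())`. Audit entries are what an investigator reconstructs meta changes from, so a wrong value here silently weakens that record while appearing complete. The quota calls in executePutMembership and executePutGroupMembership now pass the member name and the object's max-members, but the enforcement, including how a null or 0 value is treated for roles created before this column existed, lives in quotaCheck outside this diff and is worth confirming. Each of these methods starts and ends outside its hunk.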