use configured identity instead of hard-coded sys.auth.monitor identi…
…ty (#2780)

Signed-off-by: Henry Avetisyan <[email protected]>
havetisyan authored Oct 25, 2024
1 parent 275a496 commit 2da140b
Showing 1 changed file with 9 additions and 6 deletions.
15 changes: 9 additions & 6 deletions servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
@@ -65,6 +65,7 @@ public class DBService implements RolesProvider, DomainProvider {
int defaultRetryCount;
int defaultOpTimeout;
ZMSConfig zmsConfig;
String monitorIdentity;
private final int maxPolicyVersions;
long maxLastReviewDateOffsetMillisForNewObjects;
long maxLastReviewDateOffsetMillisForUpdatedObjects;
@@ -117,6 +118,8 @@ public DBService(ObjectStore store, AuditLogger auditLogger, ZMSConfig zmsConfig
gcpAssumeServiceAction = System.getProperty(ZMSConsts.ZMS_PROP_GCP_ASSUME_SERVICE_ACTION,
ZMSConsts.ACTION_ASSUME_GCP_SERVICE);

monitorIdentity = System.getProperty(ZMSConsts.ZMS_PROP_MONITOR_IDENTITY, ZMSConsts.SYS_AUTH_MONITOR);

// default timeout in seconds for object store commands

defaultOpTimeout = Integer.parseInt(System.getProperty(ZMSConsts.ZMS_PROP_STORE_OP_TIMEOUT, "60"));
@@ -8717,7 +8720,7 @@ void enforceRoleUserAuthorityRestrictions(final String domainName, final String
}

expiryDBUpdated = insertRoleMembers(null, con, updatedMembers, domainName, roleName,
ZMSConsts.SYS_AUTH_MONITOR, AUDIT_REF_USER_AUTHORITY, caller);
monitorIdentity, AUDIT_REF_USER_AUTHORITY, caller);
}

// now process authority filter restriction
@@ -8740,7 +8743,7 @@ void enforceRoleUserAuthorityRestrictions(final String domainName, final String
}

filterDBUpdated = updateRoleMemberDisabledState(null, con, updatedMembers, domainName,
roleName, ZMSConsts.SYS_AUTH_MONITOR, AUDIT_REF_USER_AUTHORITY, caller);
roleName, monitorIdentity, AUDIT_REF_USER_AUTHORITY, caller);
}
}

@@ -8791,7 +8794,7 @@ void enforceGroupUserAuthorityRestrictions(final String domainName, final String
}

expiryDBUpdated = insertGroupMembers(null, con, updatedMembers, domainName, groupName,
ZMSConsts.SYS_AUTH_MONITOR, AUDIT_REF_USER_AUTHORITY, caller);
monitorIdentity, AUDIT_REF_USER_AUTHORITY, caller);
}

// now process authority filter restriction
@@ -8814,7 +8817,7 @@ void enforceGroupUserAuthorityRestrictions(final String domainName, final String
}

filterDBUpdated = updateGroupMemberDisabledState(null, con, updatedMembers, domainName,
groupName, ZMSConsts.SYS_AUTH_MONITOR, AUDIT_REF_USER_AUTHORITY, caller);
groupName, monitorIdentity, AUDIT_REF_USER_AUTHORITY, caller);
}
}

@@ -9606,7 +9609,7 @@ private void updateGroupMembershipByPrincipalState(ObjectStoreConnection con, Pr

// Following method does Audit entry as well
if (updateGroupMemberDisabledState(null, con, groupMembersWithUpdatedState, memberGroup.getDomainName(),
memberGroup.getGroupName(), ZMSConsts.SYS_AUTH_MONITOR, auditRef, caller)) {
memberGroup.getGroupName(), monitorIdentity, auditRef, caller)) {
con.updateGroupModTimestamp(memberGroup.getDomainName(), memberGroup.getGroupName());
updatedDomains.add(memberGroup.getDomainName());
}
@@ -9642,7 +9645,7 @@ private void updateRoleMembershipsByPrincipalState(ObjectStoreConnection con, Pr

// Following method does Audit entry as well
if (updateRoleMemberDisabledState(null, con, roleMembersWithUpdatedState, memberRole.getDomainName(),
memberRole.getRoleName(), ZMSConsts.SYS_AUTH_MONITOR, auditRef, caller)) {
memberRole.getRoleName(), monitorIdentity, auditRef, caller)) {
con.updateRoleModTimestamp(memberRole.getDomainName(), memberRole.getRoleName());
updatedDomains.add(memberRole.getDomainName());
}
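Review bot: The value read into `monitorIdentity` in the constructor hunk is used unvalidated, and `System.getProperty` returns an empty string rather than the default when the property is defined but blank. That string replaces `ZMSConsts.SYS_AUTH_MONITOR` as the principal argument at six call sites in the enforce*UserAuthorityRestrictions and update*MembershipByPrincipalState hunks, and the comment there says the callee writes the audit entry, so a blank or mistyped setting would presumably leave system-initiated membership changes attributed to an empty or unexpected principal. I would fall back explicitly, e.g. `if (monitorIdentity.trim().isEmpty()) { monitorIdentity = ZMSConsts.SYS_AUTH_MONITOR; }`, and log the effective identity once at startup so audit consumers that match on the old name can be updated. The constructor and the four methods continue outside the visible hunks, so any other remaining uses of the constant cannot be checked from here.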