Skip to content

Add an automatic cleanup feature for delegated roles. #3027

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
havetisyan merged 15 commits into from
Sep 14, 2025
Merged

Add an automatic cleanup feature for delegated roles. #3027

Show file tree
Hide file tree
Changes from 6 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
fb5ddd8
Automatic cleanup function for delegated roles
gyakami Aug 1, 2025
55a2c26
zms.properties - disable automatic deletion of tenant assume role ass…
gyakami Aug 1, 2025
1310972
update schema : auto_delete_tenant_assume_role_assertions
gyakami Aug 8, 2025
8b933e9
DomainTest - add autoDeleteTenantAssumeRoleAssertions validation and …
gyakami Aug 8, 2025
0cb8979
ZMSCoreTest - add autoDeleteTenantAssumeRoleAssertions handling and a…
gyakami Aug 8, 2025
778d394
DBServiceTest - add test for executeDeleteRoleWithAssumeRoleAssertion…
gyakami Aug 8, 2025
2d7ce10
update zms_server.mwb
gyakami Aug 28, 2025
33aaf9a
JDBCConnection - refactor provider role resource name handling in del…
gyakami Aug 28, 2025
f837269
ZMSImpl - Delete role only when trust domain is empty
gyakami Aug 28, 2025
23e6a4f
DBService - Remove executeDeleteRoleWithAssumeRoleAssertions method a…
gyakami Aug 28, 2025
ce6c00f
DBService - Group audit logs by policy
gyakami Aug 28, 2025
d4b58b9
Merge branch 'master' into feature/automatic_cleanup_function_for_del…
gyakami Aug 28, 2025
0be68fe
DBServiceTest - Remove test for executeDeleteRoleWithAssumeRoleAssert…
gyakami Aug 29, 2025
666f758
DBServiceTest - Add multiple assertions to policy in deleteAssumeRole…
gyakami Aug 29, 2025
10e9061
JDBCConnection - Optimize policy modified timestamp update for bulk p…
gyakami Sep 2, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 60 additions & 0 deletions clients/go/zms/model.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions clients/go/zms/zms_schema.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

13 changes: 13 additions & 0 deletions core/zms/src/main/java/com/yahoo/athenz/zms/Domain.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -117,6 +117,9 @@ public class Domain {
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_NULL)
public String onCall;
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_EMPTY)
public Boolean autoDeleteTenantAssumeRoleAssertions;
public String name;
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_EMPTY)
Expand Down Expand Up @@ -356,6 +359,13 @@ public Domain setOnCall(String onCall) {
public String getOnCall() {
return onCall;
}
public Domain setAutoDeleteTenantAssumeRoleAssertions(Boolean autoDeleteTenantAssumeRoleAssertions) {
this.autoDeleteTenantAssumeRoleAssertions = autoDeleteTenantAssumeRoleAssertions;
return this;
}
public Boolean getAutoDeleteTenantAssumeRoleAssertions() {
return autoDeleteTenantAssumeRoleAssertions;
}
public Domain setName(String name) {
this.name = name;
return this;
Expand Down Expand Up @@ -484,6 +494,9 @@ public boolean equals(Object another) {
if (onCall == null ? a.onCall != null : !onCall.equals(a.onCall)) {
return false;
}
if (autoDeleteTenantAssumeRoleAssertions == null ? a.autoDeleteTenantAssumeRoleAssertions != null : !autoDeleteTenantAssumeRoleAssertions.equals(a.autoDeleteTenantAssumeRoleAssertions)) {
return false;
}
if (name == null ? a.name != null : !name.equals(a.name)) {
return false;
}
Expand Down
13 changes: 13 additions & 0 deletions core/zms/src/main/java/com/yahoo/athenz/zms/DomainData.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,9 @@ public class DomainData {
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_NULL)
public String onCall;
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_EMPTY)
public Boolean autoDeleteTenantAssumeRoleAssertions;
public String name;
public List<Role> roles;
public SignedPolicies policies;
Expand Down Expand Up @@ -352,6 +355,13 @@ public DomainData setOnCall(String onCall) {
public String getOnCall() {
return onCall;
}
public DomainData setAutoDeleteTenantAssumeRoleAssertions(Boolean autoDeleteTenantAssumeRoleAssertions) {
this.autoDeleteTenantAssumeRoleAssertions = autoDeleteTenantAssumeRoleAssertions;
return this;
}
public Boolean getAutoDeleteTenantAssumeRoleAssertions() {
return autoDeleteTenantAssumeRoleAssertions;
}
public DomainData setName(String name) {
this.name = name;
return this;
Expand Down Expand Up @@ -508,6 +518,9 @@ public boolean equals(Object another) {
if (onCall == null ? a.onCall != null : !onCall.equals(a.onCall)) {
return false;
}
if (autoDeleteTenantAssumeRoleAssertions == null ? a.autoDeleteTenantAssumeRoleAssertions != null : !autoDeleteTenantAssumeRoleAssertions.equals(a.autoDeleteTenantAssumeRoleAssertions)) {
return false;
}
if (name == null ? a.name != null : !name.equals(a.name)) {
return false;
}
Expand Down
16 changes: 16 additions & 0 deletions core/zms/src/main/java/com/yahoo/athenz/zms/DomainMeta.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,9 @@ public class DomainMeta {
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_NULL)
public String onCall;
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_EMPTY)
public Boolean autoDeleteTenantAssumeRoleAssertions;

public DomainMeta setDescription(String description) {
this.description = description;
Expand Down Expand Up @@ -345,6 +348,13 @@ public DomainMeta setOnCall(String onCall) {
public String getOnCall() {
return onCall;
}
public DomainMeta setAutoDeleteTenantAssumeRoleAssertions(Boolean autoDeleteTenantAssumeRoleAssertions) {
this.autoDeleteTenantAssumeRoleAssertions = autoDeleteTenantAssumeRoleAssertions;
return this;
}
public Boolean getAutoDeleteTenantAssumeRoleAssertions() {
return autoDeleteTenantAssumeRoleAssertions;
}

@Override
public boolean equals(Object another) {
Expand Down Expand Up @@ -452,6 +462,9 @@ public boolean equals(Object another) {
if (onCall == null ? a.onCall != null : !onCall.equals(a.onCall)) {
return false;
}
if (autoDeleteTenantAssumeRoleAssertions == null ? a.autoDeleteTenantAssumeRoleAssertions != null : !autoDeleteTenantAssumeRoleAssertions.equals(a.autoDeleteTenantAssumeRoleAssertions)) {
return false;
}
}
return true;
}
Expand All @@ -466,6 +479,9 @@ public DomainMeta init() {
if (auditEnabled == null) {
auditEnabled = false;
}
if (autoDeleteTenantAssumeRoleAssertions == null) {
autoDeleteTenantAssumeRoleAssertions = false;
}
return this;
}
}
13 changes: 13 additions & 0 deletions core/zms/src/main/java/com/yahoo/athenz/zms/SubDomain.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,9 @@ public class SubDomain {
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_NULL)
public String onCall;
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_EMPTY)
public Boolean autoDeleteTenantAssumeRoleAssertions;
public String name;
public List<String> adminUsers;
@RdlOptional
Expand Down Expand Up @@ -351,6 +354,13 @@ public SubDomain setOnCall(String onCall) {
public String getOnCall() {
return onCall;
}
public SubDomain setAutoDeleteTenantAssumeRoleAssertions(Boolean autoDeleteTenantAssumeRoleAssertions) {
this.autoDeleteTenantAssumeRoleAssertions = autoDeleteTenantAssumeRoleAssertions;
return this;
}
public Boolean getAutoDeleteTenantAssumeRoleAssertions() {
return autoDeleteTenantAssumeRoleAssertions;
}
public SubDomain setName(String name) {
this.name = name;
return this;
Expand Down Expand Up @@ -486,6 +496,9 @@ public boolean equals(Object another) {
if (onCall == null ? a.onCall != null : !onCall.equals(a.onCall)) {
return false;
}
if (autoDeleteTenantAssumeRoleAssertions == null ? a.autoDeleteTenantAssumeRoleAssertions != null : !autoDeleteTenantAssumeRoleAssertions.equals(a.autoDeleteTenantAssumeRoleAssertions)) {
return false;
}
if (name == null ? a.name != null : !name.equals(a.name)) {
return false;
}
Expand Down
13 changes: 13 additions & 0 deletions core/zms/src/main/java/com/yahoo/athenz/zms/TopLevelDomain.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,6 +114,9 @@ public class TopLevelDomain {
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_NULL)
public String onCall;
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_EMPTY)
public Boolean autoDeleteTenantAssumeRoleAssertions;
public String name;
public List<String> adminUsers;
@RdlOptional
Expand Down Expand Up @@ -351,6 +354,13 @@ public TopLevelDomain setOnCall(String onCall) {
public String getOnCall() {
return onCall;
}
public TopLevelDomain setAutoDeleteTenantAssumeRoleAssertions(Boolean autoDeleteTenantAssumeRoleAssertions) {
this.autoDeleteTenantAssumeRoleAssertions = autoDeleteTenantAssumeRoleAssertions;
return this;
}
public Boolean getAutoDeleteTenantAssumeRoleAssertions() {
return autoDeleteTenantAssumeRoleAssertions;
}
public TopLevelDomain setName(String name) {
this.name = name;
return this;
Expand Down Expand Up @@ -479,6 +489,9 @@ public boolean equals(Object another) {
if (onCall == null ? a.onCall != null : !onCall.equals(a.onCall)) {
return false;
}
if (autoDeleteTenantAssumeRoleAssertions == null ? a.autoDeleteTenantAssumeRoleAssertions != null : !autoDeleteTenantAssumeRoleAssertions.equals(a.autoDeleteTenantAssumeRoleAssertions)) {
return false;
}
if (name == null ? a.name != null : !name.equals(a.name)) {
return false;
}
Expand Down
13 changes: 13 additions & 0 deletions core/zms/src/main/java/com/yahoo/athenz/zms/UserDomain.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -113,6 +113,9 @@ public class UserDomain {
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_NULL)
public String onCall;
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_EMPTY)
public Boolean autoDeleteTenantAssumeRoleAssertions;
public String name;
@RdlOptional
@JsonInclude(JsonInclude.Include.NON_EMPTY)
Expand Down Expand Up @@ -349,6 +352,13 @@ public UserDomain setOnCall(String onCall) {
public String getOnCall() {
return onCall;
}
public UserDomain setAutoDeleteTenantAssumeRoleAssertions(Boolean autoDeleteTenantAssumeRoleAssertions) {
this.autoDeleteTenantAssumeRoleAssertions = autoDeleteTenantAssumeRoleAssertions;
return this;
}
public Boolean getAutoDeleteTenantAssumeRoleAssertions() {
return autoDeleteTenantAssumeRoleAssertions;
}
public UserDomain setName(String name) {
this.name = name;
return this;
Expand Down Expand Up @@ -470,6 +480,9 @@ public boolean equals(Object another) {
if (onCall == null ? a.onCall != null : !onCall.equals(a.onCall)) {
return false;
}
if (autoDeleteTenantAssumeRoleAssertions == null ? a.autoDeleteTenantAssumeRoleAssertions != null : !autoDeleteTenantAssumeRoleAssertions.equals(a.autoDeleteTenantAssumeRoleAssertions)) {
return false;
}
if (name == null ? a.name != null : !name.equals(a.name)) {
return false;
}
Expand Down
3 changes: 2 additions & 1 deletion core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -157,7 +157,8 @@ private static Schema build() {
.field("x509CertSignerKeyId", "String", true, "requested x509 cert signer key id (system attribute)")
.field("sshCertSignerKeyId", "String", true, "requested ssh cert signer key id (system attribute)")
.field("slackChannel", "String", true, "slack channel for any notifications in this domain")
.field("onCall", "String", true, "oncall team name/id for any incidents in this domain");
.field("onCall", "String", true, "oncall team name/id for any incidents in this domain")
.field("autoDeleteTenantAssumeRoleAssertions", "Bool", true, "Indicates whether to automatically delete assertions for a tenant's assume role", false);

sb.structType("Domain", "DomainMeta")
.comment("A domain is an independent partition of users, roles, and resources. Its name represents the definition of a namespace; the only way a new namespace can be created, from the top, is by creating Domains. Administration of a domain is governed by the parent domain (using reverse-DNS namespaces). The top level domains are governed by the special \"sys.auth\" domain.")
Expand Down
1 change: 1 addition & 0 deletions core/zms/src/main/rdl/Domain.tdl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ type DomainMeta Struct {
String sshCertSignerKeyId (optional, x_allowempty="true"); //requested ssh cert signer key id (system attribute)
String slackChannel (optional, x_allowempty="true"); //slack channel for any notifications in this domain
String onCall (optional, x_allowempty="true"); //oncall team name/id for any incidents in this domain
Bool autoDeleteTenantAssumeRoleAssertions (optional, default=false); // Indicates whether to automatically delete assertions for a tenant's assume role
}

//A domain is an independent partition of users, roles, and resources.
Expand Down
Loading