diff --git a/cerberus-web/src/main/java/com/nike/cerberus/service/AuthenticationService.java b/cerberus-web/src/main/java/com/nike/cerberus/service/AuthenticationService.java
index c998d7c15..425619b60 100644
--- a/cerberus-web/src/main/java/com/nike/cerberus/service/AuthenticationService.java
+++ b/cerberus-web/src/main/java/com/nike/cerberus/service/AuthenticationService.java
@@ -92,7 +92,7 @@ public class AuthenticationService {
 private final KmsService kmsService;
 private final KmsClientFactory kmsClientFactory;
 private final ObjectMapper objectMapper;
- private final String adminGroup;
+ private final List adminGroups;
 private final DateTimeSupplier dateTimeSupplier;
 private final AwsIamRoleArnParser awsIamRoleArnParser;
 private final AuthTokenService authTokenService;
@@ -116,7 +116,7 @@ public AuthenticationService(
 KmsClientFactory kmsClientFactory,
 ObjectMapper objectMapper,
 @Value("${cerberus.admin.roles:#{null}}") String adminRoleArns,
- @Value("${cerberus.admin.group}") String adminGroup,
+ @Value("#{'${cerberus.admin.groups}'.split(',')}") List adminGroups,
 @Value("${cerberus.auth.user.token.maxRefreshCount:#{0}}") int maxTokenRefreshCount,
 DateTimeSupplier dateTimeSupplier,
 AwsIamRoleArnParser awsIamRoleArnParser,
@@ -133,7 +133,7 @@ public AuthenticationService(
 this.kmsClientFactory = kmsClientFactory;
 this.objectMapper = objectMapper;
 this.adminRoleArns = adminRoleArns;
- this.adminGroup = adminGroup;
+ this.adminGroups = adminGroups;
 this.dateTimeSupplier = dateTimeSupplier;
 this.awsIamRoleArnParser = awsIamRoleArnParser;
 this.maxTokenRefreshCount = maxTokenRefreshCount;
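Review bot: `#{'${cerberus.admin.groups}'.split(',')}` keeps whatever surrounds each comma and never produces an empty list, so a value like `ops-admins, sec-admins` yields a second element with a leading space that can never match a group name, and an empty value yields the one-element list `[""]`; whether the shipped `groups: ~` default reaches this expression as an empty string or aborts placeholder resolution at startup depends on the property loader and should be confirmed. In a Spring Boot context the conversion service already turns a comma-separated property into a trimmed `List<String>` (empty input becomes an empty list), so `@Value("${cerberus.admin.groups}") List<String> adminGroups` removes both hazards without SpEL. The parameter type renders as raw `List` here, presumably `List<String>` with the angle brackets lost in extraction; as a raw `List` the `for (String group : this.adminGroups)` loop in generateToken would not compile. The constructor signature continues outside the hunk.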
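Review bot: `this.adminGroups = adminGroups;` stores the injected list without checking it, so a null or empty list, or one whose only element is an empty string, is accepted silently and the service starts with either no operator able to reach the admin API or a blank group name that may match more than intended. A fail-fast guard at this line is cheap: `this.adminGroups = Objects.requireNonNull(adminGroups, "cerberus.admin.groups");` followed by `if (this.adminGroups.stream().anyMatch(StringUtils::isBlank)) throw new IllegalArgumentException("cerberus.admin.groups contains a blank entry");`, assuming StringUtils is commons-lang as the `StringUtils.join` call later in this file suggests. Copying into an unmodifiable list would also keep the admin set from being mutated after construction. The constructor body continues outside the hunk.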
@@ -525,8 +525,11 @@ private AuthTokenResponse generateToken(
 meta.put(CerberusPrincipal.METADATA_KEY_USERNAME, username);
 boolean isAdmin = false;
- if (userGroups.contains(this.adminGroup)) {
- isAdmin = true;
+ for (String group : this.adminGroups) {
+ if (userGroups.contains(group)) {
+ isAdmin = true;
+ break;
+ }
 }
 meta.put(METADATA_KEY_IS_ADMIN, String.valueOf(isAdmin));
 meta.put(CerberusPrincipal.METADATA_KEY_GROUPS, StringUtils.join(userGroups, ','));
diff --git a/cerberus-web/src/main/resources/cerberus.yaml b/cerberus-web/src/main/resources/cerberus.yaml
index 2cf036b9c..22feed4a9 100644
--- a/cerberus-web/src/main/resources/cerberus.yaml
+++ b/cerberus-web/src/main/resources/cerberus.yaml
@@ -57,9 +57,11 @@ cerberus:
 environmentName: TODO
 admin:
 # These are aws principal that you want to allow to use the admin API
+ # comma-separated string
 roles: ~
- # The user group that the Cerberus operators belong to, this unlocks admin API perms
- group: ~
+ # The user groups that the Cerberus operators belong to, this unlocks admin API perms
+ # comma-separated string
+ groups: ~
 encryption:
 # comma delimited list of the CMKs for a KMS key that the iam role that Cerberus runs as has access to.
diff --git a/cerberus-web/src/test/java/com/nike/cerberus/service/AuthenticationServiceTest.java b/cerberus-web/src/test/java/com/nike/cerberus/service/AuthenticationServiceTest.java
index 1dcb26b87..cc55c06a7 100644
--- a/cerberus-web/src/test/java/com/nike/cerberus/service/AuthenticationServiceTest.java
+++ b/cerberus-web/src/test/java/com/nike/cerberus/service/AuthenticationServiceTest.java
@@ -30,6 +30,7 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import com.google.common.collect.Lists;
 import com.nike.backstopper.exception.ApiException;
 import com.nike.cerberus.PrincipalType;
 import com.nike.cerberus.auth.connector.AuthConnector;
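Review bot: The new loop grants admin when any entry of adminGroups appears in userGroups, but it applies no filtering of its own, so a blank entry that survives the `split(',')` wiring (an empty property, or `a,,b`) would grant admin to any user whose auth connector reports an empty group name; whether a connector can do that is not visible here, but this check is the last line of defence and the guard costs one condition: `if (StringUtils.isNotBlank(group) && userGroups.contains(group))`. With both collections in hand the whole loop also reduces to `boolean isAdmin = !Collections.disjoint(userGroups, this.adminGroups);`, which reads more clearly than the flag-and-break form, though that is a style preference. It may also be worth recording which admin group matched, in a log line or the token metadata, since this is the point where elevated access is decided and the existing metadata records only the boolean. generateToken starts and ends outside the hunk.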
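Review bot: The new `# comma-separated string` comment above `groups` does not say whether whitespace is allowed around the commas, and with the `split(',')` wiring in AuthenticationService it is not — `ops-admins, sec-admins` would silently leave the second group unmatched. A more precise comment would be `# comma-separated list of group names, no spaces around the commas, e.g. ops-admins,sec-admins`. It would also help to state what the shipped default `~` means for admin access, since an operator reading only this file cannot tell whether it disables user-group admin access or fails startup.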
@@ -96,7 +97,7 @@ public void setup() {
 kmsClientFactory,
 objectMapper,
 "foo",
- "groups",
+ Lists.newArrayList("group1", "group2", "group3"),
 MAX_LIMIT,
 dateTimeSupplier,
 awsIamRoleArnParser,
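Review bot: The fixture now seeds `group1`, `group2`, `group3`, but nothing in this hunk asserts the behaviour the change introduces — that a user in `group2` or `group3` alone is marked admin and a user in none of them is not — so unless such a case exists further down in AuthenticationServiceTest the multi-group branch is only exercised incidentally. A positive case per group plus a negative case would pin it down, and a case with a blank entry in the admin list would document what the service does with the edge the comma-split wiring can produce. setup() continues outside the hunk.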