AthenZ · havetisyan · Sep 9, 2024 · Sep 9, 2024 · Sep 9, 2024
diff --git a/clients/go/zms/model.go b/clients/go/zms/model.go
diff --git a/clients/go/zms/zms_schema.go b/clients/go/zms/zms_schema.go
diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/GroupMember.java b/core/zms/src/main/java/com/yahoo/athenz/zms/GroupMember.java
@@ -54,6 +54,9 @@ public class GroupMember {
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     public String pendingState;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public String notifyRoles;
 
     public GroupMember setMemberName(String memberName) {
         this.memberName = memberName;
@@ -153,6 +156,13 @@ public GroupMember setPendingState(String pendingState) {
     public String getPendingState() {
         return pendingState;
     }
+    public GroupMember setNotifyRoles(String notifyRoles) {
+        this.notifyRoles = notifyRoles;
+        return this;
+    }
+    public String getNotifyRoles() {
+        return notifyRoles;
+    }
 
     @Override
     public boolean equals(Object another) {
@@ -203,6 +213,9 @@ public boolean equals(Object another) {
             if (pendingState == null ? a.pendingState != null : !pendingState.equals(a.pendingState)) {
                 return false;
             }
+            if (notifyRoles == null ? a.notifyRoles != null : !notifyRoles.equals(a.notifyRoles)) {
+                return false;
+            }
         }
         return true;
     }

diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/MemberRole.java b/core/zms/src/main/java/com/yahoo/athenz/zms/MemberRole.java
@@ -46,6 +46,9 @@ public class MemberRole {
     @RdlOptional
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     public String trustRoleName;
+    @RdlOptional
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public String notifyRoles;
 
     public MemberRole setRoleName(String roleName) {
         this.roleName = roleName;
@@ -131,6 +134,13 @@ public MemberRole setTrustRoleName(String trustRoleName) {
     public String getTrustRoleName() {
         return trustRoleName;
     }
+    public MemberRole setNotifyRoles(String notifyRoles) {
+        this.notifyRoles = notifyRoles;
+        return this;
+    }
+    public String getNotifyRoles() {
+        return notifyRoles;
+    }
 
     @Override
     public boolean equals(Object another) {
@@ -175,6 +185,9 @@ public boolean equals(Object another) {
             if (trustRoleName == null ? a.trustRoleName != null : !trustRoleName.equals(a.trustRoleName)) {
                 return false;
             }
+            if (notifyRoles == null ? a.notifyRoles != null : !notifyRoles.equals(a.notifyRoles)) {
+                return false;
+            }
         }
         return true;
     }

diff --git a/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java b/core/zms/src/main/java/com/yahoo/athenz/zms/ZMSSchema.java
@@ -284,7 +284,8 @@ private static Schema build() {
             .field("requestTime", "Timestamp", true, "for pending membership requests, the request time")
             .field("systemDisabled", "Int32", true, "user disabled by system based on configured role setting")
             .field("pendingState", "String", true, "for pending membership requests, the request state - e.g. add, delete")
-            .field("trustRoleName", "ResourceName", true, "name of the role that handles the membership delegation for the role specified in roleName");
+            .field("trustRoleName", "ResourceName", true, "name of the role that handles the membership delegation for the role specified in roleName")
+            .field("notifyRoles", "String", true, "list of roles whose members should be notified for member review/approval/expiry");
 
         sb.structType("DomainRoleMember")
             .field("memberName", "MemberName", false, "name of the member")
@@ -521,7 +522,8 @@ private static Schema build() {
             .field("reviewLastNotifiedTime", "Timestamp", true, "for pending membership requests, time when last notification was sent (for file store)")
             .field("systemDisabled", "Int32", true, "user disabled by system based on configured group setting")
             .field("principalType", "Int32", true, "server use only - principal type: unknown(0), user(1) or service(2)")
-            .field("pendingState", "String", true, "for pending membership requests, the request state - e.g. add, delete");
+            .field("pendingState", "String", true, "for pending membership requests, the request state - e.g. add, delete")
+            .field("notifyRoles", "String", true, "list of roles whose members should be notified for member review/approval/expiry");
 
         sb.structType("GroupMembership")
             .comment("The representation for a group membership.")

diff --git a/core/zms/src/main/rdl/Group.tdl b/core/zms/src/main/rdl/Group.tdl
@@ -27,6 +27,7 @@ type GroupMember Struct {
     Int32 systemDisabled (optional); //user disabled by system based on configured group setting
     Int32 principalType (optional); //server use only - principal type: unknown(0), user(1) or service(2)
     String pendingState (optional); //for pending membership requests, the request state - e.g. add, delete
+    String notifyRoles (optional); //list of roles whose members should be notified for member review/approval/expiry
 }
 
 //The representation for a group membership.

diff --git a/core/zms/src/main/rdl/Role.tdl b/core/zms/src/main/rdl/Role.tdl
@@ -123,6 +123,7 @@ type MemberRole Struct {
     Int32 systemDisabled (optional); //user disabled by system based on configured role setting
     String pendingState (optional); //for pending membership requests, the request state - e.g. add, delete
     ResourceName trustRoleName (optional); //name of the role that handles the membership delegation for the role specified in roleName
+    String notifyRoles (optional); //list of roles whose members should be notified for member review/approval/expiry
 }
 
 type DomainRoleMember Struct {

diff --git a/core/zms/src/test/java/com/yahoo/athenz/zms/GroupTest.java b/core/zms/src/test/java/com/yahoo/athenz/zms/GroupTest.java
@@ -275,7 +275,8 @@ public void testGroupMember() {
                 .setReviewLastNotifiedTime(Timestamp.fromMillis(123456789127L))
                 .setSystemDisabled(1)
                 .setPrincipalType(1)
-                .setPendingState("ADD");
+                .setPendingState("ADD")
+                .setNotifyRoles("role1,role2");
 
         assertEquals(rm, rm);
         assertNotEquals("data", rm);
@@ -298,6 +299,7 @@ public void testGroupMember() {
         assertEquals(rm.getSystemDisabled(), Integer.valueOf(1));
         assertEquals(rm.getPrincipalType(), Integer.valueOf(1));
         assertEquals(rm.getPendingState(), "ADD");
+        assertEquals(rm.getNotifyRoles(), "role1,role2");
 
         GroupMember rm2 = new GroupMember()
                 .setGroupName("group1")
@@ -313,7 +315,8 @@ public void testGroupMember() {
                 .setReviewLastNotifiedTime(Timestamp.fromMillis(123456789127L))
                 .setSystemDisabled(1)
                 .setPrincipalType(1)
-                .setPendingState("ADD");
+                .setPendingState("ADD")
+                .setNotifyRoles("role1,role2");
         assertEquals(rm, rm2);
 
         rm2.setRequestPrincipal("user.test2");
@@ -414,6 +417,13 @@ public void testGroupMember() {
         rm2.setPrincipalType(1);
         assertEquals(rm, rm2);
 
+        rm2.setNotifyRoles("role2,role3");
+        assertNotEquals(rm, rm2);
+        rm2.setNotifyRoles(null);
+        assertNotEquals(rm, rm2);
+        rm2.setNotifyRoles("role1,role2");
+        assertEquals(rm, rm2);
+
         assertNotEquals(rm2, null);
 
         GroupMember rm3 = new GroupMember();

diff --git a/core/zms/src/test/java/com/yahoo/athenz/zms/MemberRoleTest.java b/core/zms/src/test/java/com/yahoo/athenz/zms/MemberRoleTest.java
@@ -39,6 +39,7 @@ public void testMemberRole() {
         mbr1.setReviewReminder(Timestamp.fromMillis(100));
         mbr1.setPendingState("ADD");
         mbr1.setTrustRoleName("domain:role.trust");
+        mbr1.setNotifyRoles("role1,role2");
 
         assertEquals("role1", mbr1.getRoleName());
         assertEquals(Timestamp.fromMillis(100), mbr1.getExpiration());
@@ -52,6 +53,7 @@ public void testMemberRole() {
         assertEquals(Timestamp.fromMillis(100), mbr1.getReviewReminder());
         assertEquals(mbr1.getPendingState(), "ADD");
         assertEquals(mbr1.getTrustRoleName(), "domain:role.trust");
+        assertEquals(mbr1.getNotifyRoles(), "role1,role2");
 
         assertEquals(mbr1, mbr1);
         assertNotEquals(null, mbr1);
@@ -69,7 +71,8 @@ public void testMemberRole() {
                 .setSystemDisabled(1)
                 .setReviewReminder(Timestamp.fromMillis(100))
                 .setPendingState("ADD")
-                .setTrustRoleName("domain:role.trust");
+                .setTrustRoleName("domain:role.trust")
+                .setNotifyRoles("role1,role2");
 
         assertEquals(mbr1, mbr2);
 
@@ -156,6 +159,13 @@ public void testMemberRole() {
         assertNotEquals(mbr1, mbr2);
         mbr2.setTrustRoleName("domain:role.trust");
         assertEquals(mbr1, mbr2);
+
+        mbr2.setNotifyRoles("role2,role3");
+        assertNotEquals(mbr1, mbr2);
+        mbr2.setNotifyRoles(null);
+        assertNotEquals(mbr1, mbr2);
+        mbr2.setNotifyRoles("role1,role2");
+        assertEquals(mbr1, mbr2);
     }
 
 }
diff --git a/...n/src/main/java/com/yahoo/athenz/common/server/notification/DomainRoleMembersFetcher.java b/...n/src/main/java/com/yahoo/athenz/common/server/notification/DomainRoleMembersFetcher.java
@@ -19,6 +19,7 @@
 import com.yahoo.athenz.auth.AuthorityConsts;
 import com.yahoo.athenz.common.server.db.RolesProvider;
 
+import com.yahoo.athenz.common.server.util.ResourceUtils;
 import com.yahoo.athenz.zms.Role;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -49,21 +50,33 @@ public Set<String> getDomainRoleMembers(String domainName, String roleName) {
         // provider does not support this interface then we're going
         // fall back to the old method of getting the role members
 
-        try {
-            // our given role name is the full arn, so first we need to
-            // extract the local role component from the role name
+        // if our given role name is the full arn, so first we need to
+        // extract the local role component from the role name
+
+        String roleLocalName;
+        int idx = roleName.indexOf(AuthorityConsts.ROLE_SEP);
+        if (idx == -1) {
+            roleLocalName = roleName;
+        } else {
+            roleLocalName = roleName.substring(idx + AuthorityConsts.ROLE_SEP.length());
+        }
 
-            int idx = roleName.indexOf(AuthorityConsts.ROLE_SEP);
-            Role role = rolesProvider.getRole(domainName, roleName.substring(idx + AuthorityConsts.ROLE_SEP.length()),
-                    Boolean.FALSE, Boolean.TRUE, Boolean.FALSE);
+        try {
+            Role role = rolesProvider.getRole(domainName, roleLocalName, Boolean.FALSE, Boolean.TRUE, Boolean.FALSE);
             return domainRoleMembersFetcherCommon.getDomainRoleMembers(role);
         } catch (Exception ex) {
             if (ex instanceof UnsupportedOperationException) {
-                return domainRoleMembersFetcherCommon.getDomainRoleMembers(roleName,
+                String roleFullName;
+                if (idx == -1) {
+                    roleFullName = ResourceUtils.roleResourceName(domainName, roleName);
+                } else {
+                    roleFullName = roleName;
+                }
+                return domainRoleMembersFetcherCommon.getDomainRoleMembers(roleFullName,
                         rolesProvider.getRolesByDomain(domainName));
             }
             LOGGER.error("unable to fetch members for role: {} in domain: {} error: {}",
-                    roleName, domainName, ex.getMessage());
+                    roleName, domainName, ex.getMessage(), ex);
             return new HashSet<>();
         }
     }

diff --git a/..._common/src/main/java/com/yahoo/athenz/common/server/notification/NotificationCommon.java b/..._common/src/main/java/com/yahoo/athenz/common/server/notification/NotificationCommon.java
@@ -19,7 +19,6 @@
 import com.yahoo.athenz.auth.AuthorityConsts;
 import com.yahoo.athenz.auth.util.AthenzUtils;
 import com.yahoo.athenz.common.ServerCommonConsts;
-import com.yahoo.athenz.common.server.util.ResourceUtils;
 import com.yahoo.athenz.zms.ResourceException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -114,15 +113,16 @@ void addNotificationRecipient(Notification notification, final String recipient,
 
         int roleDomainIndex = recipient.indexOf(AuthorityConsts.ROLE_SEP);
         if (roleDomainIndex != -1) {
-            addDomainRoleRecipients(notification, recipient.substring(0, roleDomainIndex), recipient);
+            addDomainRoleRecipients(notification, recipient.substring(0, roleDomainIndex),
+                    recipient.substring(roleDomainIndex + AuthorityConsts.ROLE_SEP.length()));
         } else if (recipient.contains(AuthorityConsts.GROUP_SEP)) {
             // Do nothing. Group members will not get individual notifications.
         } else if (recipient.startsWith(userDomainPrefix)) {
             notification.addRecipient(recipient);
         } else if (!ignoreService) {
             final String domainName = AthenzUtils.extractPrincipalDomainName(recipient);
             if (domainName != null) {
-                addDomainRoleRecipients(notification, domainName, ResourceUtils.roleResourceName(domainName, ServerCommonConsts.ADMIN_ROLE_NAME));
+                addDomainRoleRecipients(notification, domainName, ServerCommonConsts.ADMIN_ROLE_NAME);
             }
         }
     }

diff --git a/.../java/com/yahoo/athenz/common/server/notification/DomainRoleMembersFetcherCommonTest.java b/.../java/com/yahoo/athenz/common/server/notification/DomainRoleMembersFetcherCommonTest.java
@@ -132,24 +132,23 @@ public Role getRole(String domainName, String roleName, Boolean auditLog, Boolea
     public void testDomainRoleMembersFetcherNotImpl() {
 
         Role role1 = new Role();
-        role1.setName("role1");
+        role1.setName("domain1:role.role1");
         List<RoleMember> role1MemberList = Collections.singletonList(new RoleMember().setMemberName("user.user1"));
         role1.setRoleMembers(role1MemberList);
 
         List<Role> rolesList = new ArrayList<>();
         rolesList.add(role1);
 
-        RolesProvider provider = new RolesProvider() {
-            @Override
-            public List<Role> getRolesByDomain(String domainName) {
-                return rolesList;
-            }
-        };
+        RolesProvider provider = domainName -> rolesList;
 
         DomainRoleMembersFetcher fetcher = new DomainRoleMembersFetcher(provider, USER_DOMAIN_PREFIX);
         Set<String> users = fetcher.getDomainRoleMembers("domain1", "role1");
         assertEquals(1, users.size());
         assertTrue(users.contains("user.user1"));
+
+        users = fetcher.getDomainRoleMembers("domain1", "domain1:role.role1");
+        assertEquals(1, users.size());
+        assertTrue(users.contains("user.user1"));
     }
 
     @Test

diff --git a/provider/buildkite/sia-buildkite/pom.xml b/provider/buildkite/sia-buildkite/pom.xml
@@ -19,7 +19,7 @@
   <parent>
     <groupId>com.yahoo.athenz</groupId>
     <artifactId>athenz</artifactId>
-    <version>1.11.65-SNAPSHOT</version>
+    <version>1.12.1-SNAPSHOT</version>
     <relativePath>../../../pom.xml</relativePath>
   </parent>
 

diff --git a/servers/zms/conf/zms.properties b/servers/zms/conf/zms.properties
@@ -503,15 +503,6 @@ athenz.zms.no_auth_uri_list=/zms/v1/schema
 # in Athenz.
 #athenz.zms.json_max_string_length=200000000
 
-# When generating notifications for role/group member expiry/review-reminder
-# cases, this options configures the server to send a single notification to
-# the principal and domain administrator by combining all domain/principal
-# notifications. For example, if you are an administrator for 3 different
-# domains, and you have principals expiring in all 3 domains, you will get
-# a single message listing all three domains as opposed to 3 separate
-# notifications - one for each domain.
-#athenz.zms.consolidate_notifications=false
-
 # A comma separated list of supported domain contacts types (e.g. Product-Owner)
 #athenz.zms.domain_contact_types=
 

diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/ZMSConsts.java
@@ -367,7 +367,6 @@ public final class ZMSConsts {
     public static final String ZMS_PENDING_ROLE_MEMBER_LIFESPAN_DEFAULT = "30";
     public static final String SYS_AUTH_MONITOR = "sys.auth.monitor";
     public static final String ZMS_PROP_MONITOR_IDENTITY = "athenz.zms.monitor_identity";
-    public static final String ZMS_PROP_CONSOLIDATE_NOTIFICATIONS = "athenz.zms.consolidate_notifications";
 
     public static final String ZMS_PROP_STATUS_CHECKER_FACTORY_CLASS = "athenz.zms.status_checker_factory_class";