AthenZ · TakuyaMatsu · Oct 3, 2025 · Oct 3, 2025
diff --git a/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java b/servers/zms/src/main/java/com/yahoo/athenz/zms/DBService.java
@@ -5168,7 +5168,7 @@ boolean addSolutionTemplate(ResourceContext ctx, ObjectStoreConnection con, Stri
                 firstEntry = auditLogSeparator(auditDetails, firstEntry);
                 auditDetails.append(" \"add-role\": ");
                 if (!processRole(con, originalRole, domainName, roleName, templateRole,
-                        admin, null, auditRef, true, auditDetails)) {
+                        admin, null, auditRef, StringUtil.isEmpty(templateRole.getTrust()), auditDetails)) {
                     return false;
                 }
 
@@ -5460,7 +5460,7 @@ Role updateTemplateRole(ObjectStoreConnection con, Role role, String domainName,
 
         List<RoleMember> roleMembers = role.getRoleMembers();
         List<RoleMember> newMembers = new ArrayList<>();
-        if (roleMembers != null && !roleMembers.isEmpty()) {
+        if (StringUtil.isEmpty(templateRoleTrust) && roleMembers != null && !roleMembers.isEmpty()) {
             for (RoleMember roleMember : roleMembers) {
                 RoleMember newRoleMember = new RoleMember();
 

diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/DBServiceTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/DBServiceTest.java
@@ -4034,6 +4034,121 @@ public void testApplySolutionTemplateExistingRoles() throws ServerResourceExcept
         zms.deleteTopLevelDomain(mockDomRsrcCtx, domainName, auditRef, null);
     }
 
+    @Test
+    public void testApplySolutionTemplateRoleWithBothTrustAndMembers() throws ServerResourceException {
+
+        String caller = "testApplySolutionTemplateRoleWithBothTrustAndMembers";
+        String domainName = "solutiontemplate-withtrustrole";
+        TopLevelDomain dom1 = createTopLevelDomainObject(domainName,
+                "Test Domain1", "testOrg", adminUser);
+        zms.postTopLevelDomain(mockDomRsrcCtx, auditRef, null, dom1);
+
+        SubDomain domSysNetwork = createSubDomainObject("network", "sys", "Test Domain", "testOrg",
+                adminUser, mockDomRsrcCtx.principal().getFullName());
+        zms.postSubDomain(mockDomRsrcCtx, "sys", auditRef, null, domSysNetwork);
+
+        // apply the template
+
+        List<String> templates = new ArrayList<>();
+        templates.add("template_role_with_both_trust_and_members");
+        DomainTemplate domainTemplate = new DomainTemplate().setTemplateNames(templates);
+        zms.dbService.executePutDomainTemplate(mockDomRsrcCtx, domainName, domainTemplate, auditRef, caller);
+
+        DomainTemplateList domainTemplateList = zms.dbService.listDomainTemplates(domainName);
+        assertEquals(domainTemplateList.getTemplateNames().size(), 1);
+
+        // verify that our role collection includes the expected roles
+
+        List<String> names = zms.dbService.listRoles(domainName);
+        assertEquals(names.size(), 2);
+        assertTrue(names.contains("trust-and-members"));
+
+        // this should be our own role that we created previously
+
+        Role role = zms.dbService.getRole(domainName, "trust-and-members", false, false, false);
+        assertEquals(role.getName(), domainName + ":role.trust-and-members");
+        assertEquals(role.getTrust(), "sys.network");
+        assertNull(role.getRoleMembers());
+
+        // remove the template_role_with_both_trust_and_members template
+
+        zms.dbService.executeDeleteDomainTemplate(mockDomRsrcCtx, domainName, "template_role_with_both_trust_and_members",
+                auditRef, caller);
+        assertNull(zms.dbService.getRole(domainName, "trust-and-members", false, false, false));
+
+        domainTemplateList = zms.dbService.listDomainTemplates(domainName);
+        assertTrue(domainTemplateList.getTemplateNames().isEmpty());
+
+        zms.deleteSubDomain(mockDomRsrcCtx, "sys", "network", auditRef, null);
+        zms.deleteTopLevelDomain(mockDomRsrcCtx, domainName, auditRef, null);
+    }
+
+    @Test
+    public void testApplySolutionTemplateUpdateRoleByTrustRole() throws ServerResourceException {
+
+        String caller = "testApplySolutionTemplateRoleWithBothTrustAndMembers";
+        String domainName = "solutiontemplate-withtrustrole";
+        TopLevelDomain dom1 = createTopLevelDomainObject(domainName,
+                "Test Domain1", "testOrg", adminUser);
+        zms.postTopLevelDomain(mockDomRsrcCtx, auditRef, null, dom1);
+
+        SubDomain domSysNetwork = createSubDomainObject("network", "sys", "Test Domain", "testOrg",
+                adminUser, mockDomRsrcCtx.principal().getFullName());
+        zms.postSubDomain(mockDomRsrcCtx, "sys", auditRef, null, domSysNetwork);
+
+        Role role1 = createRoleObject(domainName, "target-role", null, "user.joe",
+                "user.jane");
+        zms.putRole(mockDomRsrcCtx, domainName, "target-role", auditRef, false, null, role1);
+
+        // apply the template
+
+        List<String> templates = new ArrayList<>();
+        templates.add("template_trust_role");
+        DomainTemplate domainTemplate = new DomainTemplate().setTemplateNames(templates);
+        zms.dbService.executePutDomainTemplate(mockDomRsrcCtx, domainName, domainTemplate, auditRef, caller);
+
+        DomainTemplateList domainTemplateList = zms.dbService.listDomainTemplates(domainName);
+        assertEquals(domainTemplateList.getTemplateNames().size(), 1);
+
+        // verify that our role collection includes the expected roles
+
+        List<String> names = zms.dbService.listRoles(domainName);
+        assertEquals(names.size(), 2);
+        assertTrue(names.contains("target-role"));
+
+        // this should be our own role that we created previously
+
+        Role role = zms.dbService.getRole(domainName, "target-role", false, false, false);
+        assertEquals(role.getName(), domainName + ":role.target-role");
+        assertEquals(role.getTrust(), "sys.network");
+        assertNull(role.getRoleMembers());
+
+        // check the response from the modified_domains API
+
+        AthenzDomain athenzDomain = zms.dbService.getAthenzDomain(domainName, true);
+        List<Role> roles = athenzDomain.getRoles();
+        Role targetRole = roles.stream()
+            .filter(r -> r.getName().equals(domainName + ":role.target-role"))
+            .findFirst()
+            .orElseGet(() -> {
+                fail("Role not found: target-role");
+                return null;
+            });
+        assertNull(targetRole.getRoleMembers());
+
+        // remove the template_role_with_both_trust_and_members template
+
+        zms.dbService.executeDeleteDomainTemplate(mockDomRsrcCtx, domainName, "template_trust_role",
+                auditRef, caller);
+        assertNull(zms.dbService.getRole(domainName, "target-role", false, false, false));
+
+        domainTemplateList = zms.dbService.listDomainTemplates(domainName);
+        assertTrue(domainTemplateList.getTemplateNames().isEmpty());
+
+        zms.deleteSubDomain(mockDomRsrcCtx, "sys", "network", auditRef, null);
+        zms.deleteTopLevelDomain(mockDomRsrcCtx, domainName, auditRef, null);
+    }
+
     @Test
     public void testApplySolutionTemplateExistingGroups() throws ServerResourceException {
 

diff --git a/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java b/servers/zms/src/test/java/com/yahoo/athenz/zms/ZMSImplTest.java
@@ -23821,7 +23821,7 @@ public void testGetServerTemplateDetailsList() {
         RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
 
         DomainTemplateDetailsList serverTemplateDetailsList = zmsImpl.getServerTemplateDetailsList(ctx);
-        assertEquals(serverTemplateDetailsList.getMetaData().size(), 15);
+        assertEquals(serverTemplateDetailsList.getMetaData().size(), 17);
         TemplateMetaData vipTemplateMetaData = null;
         for (TemplateMetaData templateMetaData : serverTemplateDetailsList.getMetaData()) {
             if (templateMetaData.getTemplateName().equals("vipng")) {
@@ -23840,7 +23840,7 @@ public void testGetServerTemplateDetailsListSorted() {
         RsrcCtxWrapper ctx = zmsTestInitializer.getMockDomRsrcCtx();
 
         DomainTemplateDetailsList serverTemplateDetailsList = zmsImpl.getServerTemplateDetailsList(ctx);
-        assertEquals(serverTemplateDetailsList.getMetaData().size(), 15);
+        assertEquals(serverTemplateDetailsList.getMetaData().size(), 17);
         List<TemplateMetaData> templates = serverTemplateDetailsList.getMetaData();
 
         String previousTemplateName = "";

diff --git a/servers/zms/src/test/resources/solution_templates.json b/servers/zms/src/test/resources/solution_templates.json
@@ -657,6 +657,43 @@
             ],
             "policies": [
             ]
+        },
+        "template_role_with_both_trust_and_members": {
+            "metadata":
+            {
+                "latestVersion": 1,
+                "timestamp": "2024-02-15T00:00:00.000Z",
+                "description": "TemplateRoleTest",
+                "autoUpdate": false
+            },
+            "roles": [
+                {
+                    "name": "_domain_:role.trust-and-members",
+                    "description": "Role for Testing",
+                    "trust": "sys.network",
+                    "roleMembers": [
+                            {
+                                "memberName": "sys.builder"
+                            }
+                    ]
+                }
+            ]
+        },
+        "template_trust_role": {
+            "metadata":
+            {
+                "latestVersion": 1,
+                "timestamp": "2024-02-15T00:00:00.000Z",
+                "description": "TemplateRoleTest",
+                "autoUpdate": false
+            },
+            "roles": [
+                {
+                    "name": "_domain_:role.target-role",
+                    "description": "Role for Testing",
+                    "trust": "sys.network"
+                }
+            ]
         }
     }
 }