Merge pull request #13082 from vespa-engine/jonmv/no-sandbox-in-prod

Disallow Screwdriver from submitting to the sandbox tenant

1 files changed, 4 insertions, 1 deletions

diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 48118087a54..25ee95e6d80 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -105,7 +105,10 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
                   .forEach(accessibleTenant -> roleMemberships.add(Role.athenzTenantAdmin(accessibleTenant.name())));
         }));
 
-        if (identity.getDomain().equals(SCREWDRIVER_DOMAIN) && application.isPresent() && tenant.isPresent())
+        if (     identity.getDomain().equals(SCREWDRIVER_DOMAIN)
+            &&   application.isPresent()
+            &&   tenant.isPresent()
+            && ! tenant.get().name().value().equals("sandbox"))
             futures.add(executor.submit(() -> {
                 if (   tenant.get().type() == Tenant.Type.athenz
                     && hasDeployerAccess(identity, ((AthenzTenant) tenant.get()).domain(), application.get()))