authorØyvind Grønnesby <oyving@yahooinc.com>2023-05-22 15:27:39 +0200
committerØyvind Grønnesby <oyving@yahooinc.com>2023-05-22 15:29:05 +0200
commit5f0d9be5c0e13db32df6fe70c8df61d04dac48ee (patch)
treeb65c1adeecc9f5ecd0aca121e72d951c304e7364
parent38601194dc7ece53e180005f10f26c3858956ce6 (diff)
Give operators access to routing changes
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java12
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java10
2 files changed, 12 insertions, 10 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index ac895022130..ccf79e7eca3 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -21,6 +21,9 @@ enum PathGroup {
/** Paths exclusive to operators (including read), used for system management. */
classifiedOperator("/application/v4/notifications",
+ "/routing/v1/",
+ "/routing/v1/status/environment/{*}",
+ "/routing/v1/inactive/environment/{*}",
"/configserver/v1/{*}",
"/deployment/v1/{*}"),
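Review bot: Placing the three `/routing/v1/` entries in `classifiedOperator` puts them under this group's "exclusive to operators (including read)" rule, so a role that reached them only through the group they are removed from in the next hunk may lose read access as well as write. That group's name and the policies granting it are outside the visible hunks, so confirm that no read-only consumer of routing status depends on the old placement. The group Javadoc should also name the new responsibility, for example `/** Paths exclusive to operators (including read), used for system management and environment-level routing status. */`.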
@@ -34,9 +37,6 @@ enum PathGroup {
"/os/v1/{*}",
"/provision/v2/{*}",
"/zone/v2/{*}",
- "/routing/v1/",
- "/routing/v1/status/environment/{*}",
- "/routing/v1/inactive/environment/{*}",
"/state/v1/{*}",
"/changemanagement/v1/{*}"),
@@ -139,8 +139,10 @@ enum PathGroup {
"/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{ignored}/suspended",
"/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{ignored}/service/{*}",
"/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{ignored}/global-rotation/{*}",
- "/application/v4/tenant/{tenant}/application/{application}/metering",
- "/routing/v1/inactive/tenant/{tenant}/application/{application}/instance/{ignored}/environment/prod/region/{region}"),
+ "/application/v4/tenant/{tenant}/application/{application}/metering"),
+
+ applicationRouting(Matcher.tenant,
+ Matcher.application, "/routing/v1/inactive/tenant/{tenant}/application/{application}/instance/{ignored}/environment/prod/region/{region}"),
// TODO jonmv: remove
/** Path used to restart development nodes. */
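Review bot: The new `applicationRouting` constant has no Javadoc, although the other groups visible in this file section each carry one. Policy.java now grants this group separately, so a one-line description would help anyone auditing it, for example `/** Path for changing the routing status of an application's production deployments. */` (wording inferred from the path, so adjust it to the endpoint's actual semantics). The path literal also shares a line with `Matcher.application`, unlike the layout of the neighbouring groups, and would read better on its own line. The enum body continues outside the hunk.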
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 9a28226c921..2f8ea368b21 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -33,10 +33,10 @@ enum Policy {
/** Full access to everything. */
supporter(Privilege.grant(Action.read)
- .on(PathGroup.allExcept(PathGroup.classifiedOperator))
+ .on(PathGroup.allExcept(PathGroup.classifiedOperator, PathGroup.applicationRouting))
.in(SystemName.all()),
Privilege.grant(Action.all())
- .on(PathGroup.classifiedOperator)
+ .on(PathGroup.classifiedOperator, PathGroup.applicationRouting)
.in(SystemName.all())),
/** Full access to user management for a tenant in select systems. */
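Review bot: The Javadoc on `supporter` still says "Full access to everything.", which does not match the grants below it. The policy gives `Action.read` on everything except `classifiedOperator` and `applicationRouting`, and `Action.all()` only on those two groups. Since this hunk widens the second grant to a tenant-scoped production path, the comment should state the real scope, for example `/** Read access to everything, and full access to operator-only and application routing paths. */`.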
@@ -87,12 +87,12 @@ enum Policy {
/** Read access to application information and settings. */
applicationRead(Privilege.grant(Action.read)
- .on(PathGroup.application, PathGroup.applicationInfo, PathGroup.reindexing, PathGroup.serviceDump, PathGroup.dropDocuments)
+ .on(PathGroup.application, PathGroup.applicationInfo, PathGroup.applicationRouting, PathGroup.reindexing, PathGroup.serviceDump, PathGroup.dropDocuments)
.in(SystemName.all())),
/** Update access to application information and settings. */
applicationUpdate(Privilege.grant(Action.update)
- .on(PathGroup.application, PathGroup.applicationInfo)
+ .on(PathGroup.application, PathGroup.applicationInfo, PathGroup.applicationRouting)
.in(SystemName.all())),
/** Access to delete a certain application. */
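Review bot: Every policy that lists `PathGroup.applicationInfo` must now also list `PathGroup.applicationRouting` to keep access to the per-application routing path, because that path no longer belongs to `applicationInfo`. The hunks here and the following one update `applicationRead`, `applicationUpdate` and `applicationOperations`, but a policy outside the visible hunks that grants `applicationInfo` would lose the path silently. The diffstat shows only PathGroup.java and Policy.java changed, so nothing in this commit pins the resulting access matrix. A role test would catch both an over-grant and a missed policy, by asserting which roles may read, update and write `/routing/v1/inactive/tenant/...` and that a read-only application role is refused a write.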
@@ -102,7 +102,7 @@ enum Policy {
/** Full access to application information and settings. */
applicationOperations(Privilege.grant(Action.write())
- .on(PathGroup.applicationInfo, PathGroup.productionRestart, PathGroup.reindexing, PathGroup.serviceDump, PathGroup.dropDocuments)
+ .on(PathGroup.applicationInfo, PathGroup.applicationRouting, PathGroup.productionRestart, PathGroup.reindexing, PathGroup.serviceDump, PathGroup.dropDocuments)
.in(SystemName.all())),
/** Access to create and delete developer and deploy keys under a tenant. */