authorOla Aunrønning <olaa@verizonmedia.com>2020-05-17 23:13:51 +0200
committerGitHub <noreply@github.com>2020-05-17 23:13:51 +0200
commit9e8c7ee4f7ec74a3b7978b0b5edcdec07ab86ac8 (patch)
tree60e16606c3d11461e28401efbb2b50e678562521
parent6f98f068e0e66bfd16484baf1a29af39520a5a7a (diff)
parentac4379045e4ace271ec533886fe1e9a098d93f59 (diff)
Merge pull request #13265 from vespa-engine/olaa/invoice-manager-role
Added hosted accountant role
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java1
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java4
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java12
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java3
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java4
5 files changed, 19 insertions, 5 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java
index 578f516f01e..a0c73fa7ff8 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java
@@ -36,6 +36,7 @@ public class Roles {
String[] parts = value.split("\\.");
if (parts.length == 1 && parts[0].equals("hostedOperator")) return Role.hostedOperator();
if (parts.length == 1 && parts[0].equals("hostedSupporter")) return Role.hostedSupporter();
+ if (parts.length == 1 && parts[0].equals("hostedAccountant")) return Role.hostedAccountant();
if (parts.length == 2) return toRole(TenantName.from(parts[0]), parts[1]);
if (parts.length == 3) return toRole(TenantName.from(parts[0]), ApplicationName.from(parts[1]), parts[2]);
throw new IllegalArgumentException("Malformed or illegal role value '" + value + "'.");
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 0316803558b..baa5a093eed 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -219,8 +219,8 @@ enum PathGroup {
/** Paths used for receiving payment callbacks */
paymentProcessor(PathPrefix.none, "/payment/notification"),
- /** Invoice management */
- invoiceManagement(PathPrefix.none, "/billing/v1/invoice/{*}");
+ /** Paths used for invoice management */
+ hostedAccountant(PathPrefix.api, "/billing/v1/invoice/{*}");
final List<String> pathSpecs;
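Review bot: The invoice path group changes its prefix from `PathPrefix.none` to `PathPrefix.api` in the same line that renames it, and nothing in the hunk says why. If the billing handler is still reachable at the un-prefixed `/billing/v1/invoice/{*}`, that path may no longer belong to any group. Whether an unmatched path is denied or allowed is decided by filter code outside this diff, so that should be confirmed. The group is also now named after a role rather than the resource it covers; keeping a resource name such as `invoiceManagement`, with the Javadoc `/** Paths used for invoice management; write access is reserved for the hostedAccountant role */`, would keep paths and roles distinct. The enum body starts and ends outside the hunk.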
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 0afa0668a00..00550387db5 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -22,8 +22,11 @@ enum Policy {
/** Full access to everything. */
operator(Privilege.grant(Action.all())
- .on(PathGroup.all())
- .in(SystemName.all())),
+ .on(PathGroup.allExcept(PathGroup.hostedAccountant))
+ .in(SystemName.all()),
+ Privilege.grant(Action.read)
+ .on(PathGroup.hostedAccountant)
+ .in(SystemName.PublicCd)),
/** Full access to everything. */
supporter(Privilege.grant(Action.read)
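Review bot: The Javadoc `/** Full access to everything. */` above `operator` is no longer true. Operators now get every path group except `PathGroup.hostedAccountant`, plus only `Action.read` on the invoice paths, and that only in `SystemName.PublicCd`. Suggest `/** Full access to everything except invoice management, which is read-only and limited to PublicCd. */`. The same comment sits on `supporter`, whose path groups are outside the hunk, so check whether it and any other policy built on `PathGroup.all()` should still cover the invoice paths. The diffstat lists only files under `src/main`, so a test asserting that an operator is denied a write to `/billing/v1/invoice/{*}` would pin the separation this change introduces.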
@@ -167,6 +170,11 @@ enum Policy {
/** Read the generated bills */
billingInformationRead(Privilege.grant(Action.read)
.on(PathGroup.billingList)
+ .in(SystemName.PublicCd)),
+
+ /** Invoice management */
+ hostedAccountant(Privilege.grant(Action.all())
+ .on(PathGroup.hostedAccountant)
.in(SystemName.PublicCd));
private final Set<Privilege> privileges;
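Review bot: `/** Invoice management */` on the new `hostedAccountant` policy does not say what it grants, although on the lines shown in this diff it is the only policy with more than read access to the invoice paths. Suggest `/** All actions on the invoice management paths, in PublicCd only. */`. If invoice management does not need every action in `Action.all()`, listing the required ones would keep the grant narrow; the set of actions is defined outside this diff.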
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
index d3c5e412215..90350de5dbd 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
@@ -76,6 +76,9 @@ public abstract class Role {
/** Returns the role of the payment processor */
public static UnboundRole paymentProcessor() { return new UnboundRole(RoleDefinition.paymentProcessor); }
+ /** Returns the role of the invoice manager */
+ public static UnboundRole hostedAccountant() { return new UnboundRole(RoleDefinition.hostedAccountant); }
+
/** Returns the role definition of this bound role. */
public RoleDefinition definition() { return roleDefinition; }
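Review bot: The Javadoc on `hostedAccountant()` calls this "the invoice manager", a name that appears nowhere else in the new code, where the role, policy and path group are all `hostedAccountant`. Suggest `/** Returns the role of the hosted accountant, which manages invoices */` so a search for either term finds the factory.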
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index 438e79bcc4f..6467050d3f3 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -89,7 +89,9 @@ public enum RoleDefinition {
systemFlagsDryrunner(Policy.systemFlagsDryrun),
- paymentProcessor(Policy.paymentProcessor);
+ paymentProcessor(Policy.paymentProcessor),
+
+ hostedAccountant(Policy.hostedAccountant);
private final Set<RoleDefinition> parents;
private final Set<Policy> policies;