author | Øyvind Grønnesby <oyving@yahooinc.com> | 2023-05-23 09:56:01 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-05-23 09:56:01 +0200 |
commit | 23182f78e451491a7aa86dbf1b63611bce797736 (patch) | |
tree | b64a062cb78bac45d9961b4ff8ad9a5e80d80b64 | |
parent | f90c877a708e31303187a1f30d3e2f81bb4082fb (diff) | |
parent | 5f0d9be5c0e13db32df6fe70c8df61d04dac48ee (diff) |
Merge pull request #27171 from vespa-engine/ogronnesby/supporter-access-routing
Give operators access to routing changes
-rw-r--r-- | controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java | 12 | ||||
-rw-r--r-- | controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java | 10 |
2 files changed, 12 insertions, 10 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index ac895022130..ccf79e7eca3 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -21,6 +21,9 @@ enum PathGroup {
 /** Paths exclusive to operators (including read), used for system management. */
 classifiedOperator("/application/v4/notifications",
+ "/routing/v1/",
+ "/routing/v1/status/environment/{*}",
+ "/routing/v1/inactive/environment/{*}",
 "/configserver/v1/{*}",
 "/deployment/v1/{*}"),
@@ -34,9 +37,6 @@ enum PathGroup {
 "/os/v1/{*}",
 "/provision/v2/{*}",
 "/zone/v2/{*}",
- "/routing/v1/",
- "/routing/v1/status/environment/{*}",
- "/routing/v1/inactive/environment/{*}",
 "/state/v1/{*}",
 "/changemanagement/v1/{*}"),
@@ -139,8 +139,10 @@ enum PathGroup {
 "/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{ignored}/suspended",
 "/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{ignored}/service/{*}",
 "/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{ignored}/global-rotation/{*}",
- "/application/v4/tenant/{tenant}/application/{application}/metering",
- "/routing/v1/inactive/tenant/{tenant}/application/{application}/instance/{ignored}/environment/prod/region/{region}"),
+ "/application/v4/tenant/{tenant}/application/{application}/metering"),
+
+ applicationRouting(Matcher.tenant,
+ Matcher.application, "/routing/v1/inactive/tenant/{tenant}/application/{application}/instance/{ignored}/environment/prod/region/{region}"),
 // TODO jonmv: remove
 /** Path used to restart development nodes. */
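Review bot: No test pins the access change made by moving the three zone-level `/routing/v1/` entries into `classifiedOperator` (first hunk) and out of their previous group (second hunk); the commit touches only these two files, while the move alters the effective access of every policy that references either group. With the `supporter` grant in Policy.java, supporters now hold `Action.all()` on `/routing/v1/inactive/environment/{*}`, and any policy that relied on the previous group for these paths presumably no longer matches them; those policies are not visible here. I would add role-test cases asserting which roles are allowed and which are denied a write on these paths, and a comment above the moved lines such as `// Zone-level routing status; classified so only operator-level policies may change it`. Both enum constants begin or end outside the hunks, so the name of the group the paths left cannot be confirmed from this page.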
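Review bot: The new `applicationRouting` group in the third hunk has no Javadoc, while the groups visible around it carry one, and the authorization meaning of its single path is not obvious from the constant alone. I would add something like `/** Path for the routing status of an application's production deployments; the instance segment is ignored, so a grant covers all instances of the application. */` — the part about instances is read from the `{ignored}` placeholder and should be confirmed against the matcher. The path also shares a line with `Matcher.application,`; putting it on its own line keeps it visually separate from the matchers. The context line `// TODO jonmv: remove` that follows belongs to the next constant, which continues outside the hunk.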
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 9a28226c921..2f8ea368b21 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -33,10 +33,10 @@ enum Policy {
 /** Full access to everything. */
 supporter(Privilege.grant(Action.read)
- .on(PathGroup.allExcept(PathGroup.classifiedOperator))
+ .on(PathGroup.allExcept(PathGroup.classifiedOperator, PathGroup.applicationRouting))
 .in(SystemName.all()),
 Privilege.grant(Action.all())
- .on(PathGroup.classifiedOperator)
+ .on(PathGroup.classifiedOperator, PathGroup.applicationRouting)
 .in(SystemName.all())),
 /** Full access to user management for a tenant in select systems. */
@@ -87,12 +87,12 @@ enum Policy {
 /** Read access to application information and settings. */
 applicationRead(Privilege.grant(Action.read)
- .on(PathGroup.application, PathGroup.applicationInfo, PathGroup.reindexing, PathGroup.serviceDump, PathGroup.dropDocuments)
+ .on(PathGroup.application, PathGroup.applicationInfo, PathGroup.applicationRouting, PathGroup.reindexing, PathGroup.serviceDump, PathGroup.dropDocuments)
 .in(SystemName.all())),
 /** Update access to application information and settings. */
 applicationUpdate(Privilege.grant(Action.update)
- .on(PathGroup.application, PathGroup.applicationInfo)
+ .on(PathGroup.application, PathGroup.applicationInfo, PathGroup.applicationRouting)
 .in(SystemName.all())),
 /** Access to delete a certain application. */
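Review bot: The Javadoc on `supporter` still reads `Full access to everything.`, but the grant in the first hunk is read on all groups except two plus `Action.all()` on `classifiedOperator` and `applicationRouting`, and this commit raises supporters from read to all actions on every tenant's production routing path. A comment that matches the grant, for example `/** Read access to everything; full access to classified operator paths and application routing. */`, would let a reader judge the scope without tracing the path groups. The exclusion list in `allExcept(...)` and the list in the second `.on(...)` must be kept identical by hand, since a group named only in the exclusion would leave supporters with no access to it; a shared constant or a comment stating the coupling would help. `applicationRead` and `applicationUpdate` in the second hunk and `applicationOperations` in the third each add `applicationRouting`, which appears to preserve what the old group membership gave them, but any other policy that referenced the old group is not visible on this page and should be checked.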
@@ -102,7 +102,7 @@ enum Policy {
 /** Full access to application information and settings. */
 applicationOperations(Privilege.grant(Action.write())
- .on(PathGroup.applicationInfo, PathGroup.productionRestart, PathGroup.reindexing, PathGroup.serviceDump, PathGroup.dropDocuments)
+ .on(PathGroup.applicationInfo, PathGroup.applicationRouting, PathGroup.productionRestart, PathGroup.reindexing, PathGroup.serviceDump, PathGroup.dropDocuments)
 .in(SystemName.all())),
 /** Access to create and delete developer and deploy keys under a tenant. */ |