author | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-03-27 18:10:02 +0100 |
---|---|---|
committer | Jon Marius Venstad <jvenstad@yahoo-inc.com> | 2019-03-28 10:26:36 +0100 |
commit | 2b200ec51b9fa98dd4cdb01d1a775dcc0bf61ded (patch) | |
tree | b1c9a6ab937d32128fdf672db4d09dd439149534 | |
parent | c100f2edcfec5bf9ab900be62f17579e340c516c (diff) |
Define new roles
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java | 16 | ||||
-rw-r--r-- | controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java | 26 |
2 files changed, 35 insertions, 7 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java
index 86f170bd84e..c22e7adf9d7 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java
@@ -47,6 +47,11 @@ public enum Policy {
 .on(PathGroup.application)
 .in(SystemName.all())),
 
+ /** Full access to application information, settings and jobs. */
+ applicationModify(Privilege.grant(Action.update)
+ .on(PathGroup.application)
+ .in(SystemName.all())),
+
 /** Read access to application information and settings. */
 applicationRead(Privilege.grant(Action.read)
 .on(PathGroup.application)
@@ -58,9 +63,14 @@ public enum Policy {
 .in(SystemName.all())),
 
 /** Full access to application production deployments. */
- deployment(Privilege.grant(Action.all())
- .on(PathGroup.deployment)
- .in(SystemName.all())),
+ production(Privilege.grant(Action.all())
+ .on(PathGroup.deployment)
+ .in(SystemName.all())),
+
+ /** Read access to allapplication deployments. */
+ deploymentRead(Privilege.grant(Action.read)
+ .on(PathGroup.development, PathGroup.deployment)
+ .in(SystemName.all())),
 
 /** Full access to submissions for continuous deployment. */
 submission(Privilege.grant(Action.all())
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java
index af1388ae0df..38349565357 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java
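Review bot: The Javadoc on `applicationModify` promises "Full access to application information, settings and jobs", but the grant is only `Privilege.grant(Action.update)`, while the policies documented as full access elsewhere in this diff (`production`, `submission`) use `Action.all()`. In an authorization table the comment is what reviewers audit against, so it should state exactly what is granted: either reword it to `/** Update access to application information and settings. */` or change the grant if full access is intended. Whether `Action.update` implies read is not visible here; that matters because `applicationAdmin` in Role.java receives `applicationModify` without `applicationRead`. The enum body starts and ends outside the hunk.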
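Review bot: The comment on `deploymentRead` has a typo ("allapplication") and does not say that the grant spans two path groups; I would write `/** Read access to all application deployments (PathGroup.development and PathGroup.deployment). */`. The rename of `deployment` to `production` leaves the policy bound to `PathGroup.deployment`, so the policy name and the path-group name now disagree. A one-line comment tying the two together, or a matching rename of the path group, would make it harder for a later edit to grant the wrong scope. The enum body continues outside the hunk.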
@@ -12,16 +12,34 @@ import java.util.Set;
 */
 public enum Role {
 
+ /** Deus ex machina. */
 hostedOperator(Policy.operator),
 
- tenantAdmin(Policy.tenant,
- Policy.application,
- Policy.development),
+ /** Tenant administrator with full access to all child resources. */
+ tenantAdmin(Policy.manager,
+ Policy.tenant,
+ Policy.application),
 
+ /** Build and continuous delivery service. */
 tenantPipelineOperator(Policy.buildService,
 Policy.submission,
- Policy.deployment),
+ Policy.production),
 
+ /** Application administrator with full access to an already existing application. */
+ applicationAdmin(Policy.tenantRead,
+ Policy.applicationModify,
+ Policy.development,
+ Policy.production),
+
+ /** Application operator with read access to all information about an application. */
+ applicationOperator(Policy.tenantRead,
+ Policy.applicationRead,
+ Policy.deploymentRead),
+
+ /** Build service which may submit new applications for continuous deployment. */
+ buildService(Policy.submission),
+
+ /** Base role which everyone is part of. */
 everyone(Policy.classifiedRead,
 Policy.publicRead,
 Policy.onboardUser,
|
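Review bot: `tenantAdmin` is documented as having "full access to all child resources", yet this change removes `Policy.development` from it and does not add `Policy.production`; unless `Policy.manager` (defined outside this diff) covers deployments, the comment overstates what the role can do. Likewise `applicationAdmin` is described as "full access" but receives `Policy.applicationModify` (an `Action.update` grant) without `Policy.applicationRead`, which the lesser `applicationOperator` role does get. I would either add the missing policies or narrow the comments to the policies actually listed, e.g. `/** Tenant administrator: manager, tenant and application policies. */`. The new role `buildService` also shares its name with `Policy.buildService`, which `tenantPipelineOperator` holds but the new role does not, so a sentence on how the two differ would help. The enum body continues past the end of the hunk.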