authorJon Marius Venstad <jonmv@users.noreply.github.com>2021-03-03 14:28:14 +0100
committerGitHub <noreply@github.com>2021-03-03 14:28:14 +0100
commite9478a84149e989d506a702955d824cc3aa985e0 (patch)
tree3b7bd110032f35e824161ff1249c412db86fcfd6
parent2d5116489de2695acfe7bd7928e65f369ce068f5 (diff)
parentf5199a595b99623ccd2ec9c7c04a969640279381 (diff)
Merge pull request #16759 from vespa-engine/ogronnesby/admin-can-revoke-keys
Give tenant admin the right to revoke keys
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java5
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java1
2 files changed, 6 insertions, 0 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index ecf3d29bc1a..ad739d16ff8 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -102,6 +102,11 @@ enum Policy {
.on(PathGroup.tenantKeys, PathGroup.applicationKeys)
.in(SystemName.all())),
+ /** Access to revoke keys from the tenant */
+ keyRevokal(Privilege.grant(Action.delete)
+ .on(PathGroup.tenantKeys, PathGroup.applicationKeys)
+ .in(SystemName.all())),
+
/** Full access to application development deployments. */
developmentDeployment(Privilege.grant(Action.all())
.on(PathGroup.developmentDeployment, PathGroup.developmentRestart)
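Review bot: The Javadoc on `keyRevokal` says keys are revoked "from the tenant", but the grant on the next lines covers both `PathGroup.tenantKeys` and `PathGroup.applicationKeys`, so the comment understates what the policy allows. For an access-control definition the comment should name the full scope, for example `/** Access to revoke (delete) keys of the tenant and of its applications. */`. The constant name is also a misspelling of "revocation"; since RoleDefinition already references it in this commit, renaming it to `keyRevocation` is cheapest now, before further callers appear. The enum body continues outside the hunk.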
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index 3b861c607b1..40903b02465 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -63,6 +63,7 @@ public enum RoleDefinition {
Policy.tenantManager,
Policy.tenantDelete,
Policy.applicationManager,
+ Policy.keyRevokal,
Policy.paymentInstrumentRead,
Policy.paymentInstrumentUpdate,
Policy.paymentInstrumentDelete,
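Review bot: No test accompanies the new `Policy.keyRevokal` entry; the diffstat lists only Policy.java and RoleDefinition.java. A role test asserting that the role holding this list is allowed `Action.delete` on the key paths, and that a role without the policy is still denied, would keep the grant from drifting in later edits. The role constant this list belongs to starts outside the hunk, so which role receives the policy is taken from the commit title (tenant admin) rather than from the visible lines.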