aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMartin Polden <mpolden@mpolden.no>2020-03-05 14:06:37 +0100
committerMartin Polden <mpolden@mpolden.no>2020-03-05 14:06:37 +0100
commitd06aa3e0bfa0eedde1b8b937d9ca4953add6159f (patch)
treebf62d2664ba3c261042b5e655763138e9eb36f8d
parent55dd5a7e8db0cbb79802fdf8b059e8c75b6280f9 (diff)
Remove unused tenantPipeline role
Diffstat
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java8
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java22
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java5
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java14
-rw-r--r--controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java5
-rw-r--r--controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java4
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java2
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java10
-rw-r--r--controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java6
9 files changed, 20 insertions, 56 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 4c91238453a..4dbb16c48d5 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -211,18 +211,10 @@ enum PathGroup {
this(List.of(), prefix, List.of(pathSpecs));
}
- PathGroup(Matcher first, String... pathSpecs) {
- this(List.of(first), Optional.empty(), List.of(pathSpecs));
- }
-
PathGroup(Matcher first, Optional<String> prefix, String... pathSpecs) {
this(List.of(first), prefix, List.of(pathSpecs));
}
- PathGroup(Matcher first, Matcher second, String... pathSpecs) {
- this(List.of(first, second), Optional.empty(), List.of(pathSpecs));
- }
-
PathGroup(Matcher first, Matcher second, Optional<String> prefix, String... pathSpecs) {
this(List.of(first, second), prefix, List.of(pathSpecs));
}
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 0e8e3a13f9f..c3705a31517 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -10,9 +10,11 @@ import java.util.Set;
/**
* Policies for REST APIs in the controller. A policy is only considered when defined in a {@link Role}.
- * A policy describes a set of {@link Privilege}s, which are valid for a set of {@link SystemName}s.
- * A policy is evaluated by an {@link Enforcer}, which holds the {@link SystemName} the evaluation is done in.
- * A policy is evaluated with a {@link Context}, which may limit it to a specific {@link TenantName} or {@link ApplicationName}.
+ *
+ * - A policy describes a set of {@link Privilege}s, which are valid for a set of {@link SystemName}s.
+ * - A policy is evaluated by an {@link Enforcer}, which holds the {@link SystemName} the evaluation is done in.
+ * - A policy is evaluated in a {@link Context}, which may limit it to a specific {@link TenantName} or
+ * {@link ApplicationName}.
*
* @author mpolden
*/
@@ -25,8 +27,8 @@ enum Policy {
/** Full access to everything. */
supporter(Privilege.grant(Action.read)
- .on(PathGroup.all())
- .in(SystemName.all())),
+ .on(PathGroup.all())
+ .in(SystemName.all())),
/** Full access to user management for a tenant in select systems. */
tenantManager(Privilege.grant(Action.all())
@@ -98,11 +100,6 @@ enum Policy {
.on(PathGroup.developmentDeployment, PathGroup.developmentRestart)
.in(SystemName.all())),
- /** Full access to application production deployments. */
- productionDeployment(Privilege.grant(Action.all())
- .on(PathGroup.productionDeployment)
- .in(SystemName.all())),
-
/** Read access to all application deployments. */
deploymentRead(Privilege.grant(Action.read)
.on(PathGroup.developmentDeployment, PathGroup.productionDeployment)
@@ -113,11 +110,6 @@ enum Policy {
.on(PathGroup.submission)
.in(SystemName.all())),
- /** Full access to the additional tasks needed for continuous deployment. */
- deploymentPipeline(Privilege.grant(Action.all()) // TODO remove when everyone is on new pipeline.
- .on(PathGroup.buildService, PathGroup.productionRestart)
- .in(SystemName.all())),
-
/** Read access to all information in select systems. */
classifiedRead(Privilege.grant(Action.read)
.on(PathGroup.allExcept(PathGroup.classifiedOperator))
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
index beeb340647c..532088e94aa 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
@@ -42,11 +42,6 @@ public abstract class Role {
return new TenantRole(RoleDefinition.athenzTenantAdmin, tenant);
}
- /** Returns a {@link RoleDefinition#tenantPipeline} for the current system and given tenant and application. */
- public static ApplicationRole tenantPipeline(TenantName tenant, ApplicationName application) {
- return new ApplicationRole(RoleDefinition.tenantPipeline, tenant, application);
- }
-
/** Returns a {@link RoleDefinition#reader} for the current system and given tenant. */
public static TenantRole reader(TenantName tenant) {
return new TenantRole(RoleDefinition.reader, tenant);
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index a350cb002b3..af4511b6eae 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -61,12 +61,6 @@ public enum RoleDefinition {
/** Headless — the application specific role identified by deployment keys for production */
headless(Policy.submission),
- /** Build and continuous delivery service. */ // TODO replace with buildService, when everyone is on new pipeline.
- tenantPipeline(everyone,
- Policy.submission,
- Policy.deploymentPipeline,
- Policy.productionDeployment),
-
/** Tenant administrator with full access to all child resources. */
athenzTenantAdmin(everyone,
Policy.tenantRead,
@@ -90,12 +84,8 @@ public enum RoleDefinition {
this(Set.of(), policies);
}
- RoleDefinition(RoleDefinition first, Policy... policies) {
- this(Set.of(first), policies);
- }
-
- RoleDefinition(RoleDefinition first, RoleDefinition second, Policy... policies) {
- this(Set.of(first, second), policies);
+ RoleDefinition(RoleDefinition parent, Policy... policies) {
+ this(Set.of(parent), policies);
}
RoleDefinition(Set<RoleDefinition> parents, Policy... policies) {
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java
index 2e7308e41e1..636825573f1 100644
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java
+++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java
@@ -46,11 +46,6 @@ public class RolesTest {
}
@Test(expected = IllegalArgumentException.class)
- public void illegalRole() {
- Roles.valueOf(Role.tenantPipeline(TenantName.from("my-tenant"), ApplicationName.from("my-app")));
- }
-
- @Test(expected = IllegalArgumentException.class)
public void illegalRoleValue() {
Roles.toRole("my-tenant.awesomePerson");
}
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
index f78ae24df9e..52e0f3c8a8e 100644
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
+++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
@@ -73,10 +73,10 @@ public class RoleTest {
@Test
public void build_service_membership() {
- Role role = Role.tenantPipeline(TenantName.from("t1"), ApplicationName.from("a1"));
+ Role role = Role.buildService(TenantName.from("t1"), ApplicationName.from("a1"));
assertFalse(publicEnforcer.allows(role, Action.create, URI.create("/not/explicitly/defined")));
assertFalse(publicEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t1/application/a1")));
- assertTrue(publicEnforcer.allows(role, Action.create, URI.create("/application/v4/tenant/t1/application/a1/jobreport")));
+ assertTrue(publicEnforcer.allows(role, Action.create, URI.create("/application/v4/tenant/t1/application/a1/submit")));
assertFalse("No global read access", publicEnforcer.allows(role, Action.read, URI.create("/controller/v1/foo")));
}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 30f0d545ffe..4ae3c38bdf2 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -110,7 +110,7 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
futures.add(executor.submit(() -> {
if ( tenant.get().type() != Tenant.Type.athenz
|| hasDeployerAccess(identity, ((AthenzTenant) tenant.get()).domain(), application.get()))
- roleMemberships.add(Role.tenantPipeline(tenant.get().name(), application.get()));
+ roleMemberships.add(Role.buildService(tenant.get().name(), application.get()));
}));
futures.add(executor.submit(() -> {
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
index b488c0f9d0a..ac0d188fe37 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java
@@ -576,9 +576,11 @@ public class ApplicationApiTest extends ControllerContainerTest {
// POST a 'restart application' command
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/us-central-1/instance/instance1/restart", POST)
- .screwdriverIdentity(SCREWDRIVER_ID),
+ .userIdentity(HOSTED_VESPA_OPERATOR),
"{\"message\":\"Requested restart of tenant1.application1.instance1 in prod.us-central-1\"}");
+ addUserToHostedOperatorRole(HostedAthenzIdentities.from(SCREWDRIVER_ID));
+
// POST a 'restart application' in staging environment command
tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/staging/region/us-central-1/instance/instance1/restart", POST)
.screwdriverIdentity(SCREWDRIVER_ID),
@@ -929,10 +931,8 @@ public class ApplicationApiTest extends ControllerContainerTest {
.oktaAccessToken(OKTA_AT).oktaIdentityToken(OKTA_IT),
new File("instance-reference.json"));
- // Grant deploy access
- addScrewdriverUserToDeployRole(SCREWDRIVER_ID,
- ATHENZ_TENANT_DOMAIN,
- ApplicationName.from("application1"));
+ // Add build service to operator role
+ addUserToHostedOperatorRole(HostedAthenzIdentities.from(SCREWDRIVER_ID));
// POST (deploy) an application to a prod zone - allowed when project ID is not specified
MultiPartStreamer entity = createApplicationDeployData(applicationPackageInstance1, true);
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
index 4e06afea50d..c49f7a90194 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
@@ -95,14 +95,14 @@ public class AthenzRoleFilterTest {
assertEquals(Set.of(Role.athenzTenantAdmin(TENANT)),
filter.roles(TENANT_ADMIN, APPLICATION2_CONTEXT_PATH));
- // Build services are members of the tenantPipeline role within their application subtree.
+ // Build services are members of the buildService role within their application subtree.
assertEquals(Set.of(Role.everyone()),
filter.roles(TENANT_PIPELINE, NO_CONTEXT_PATH));
assertEquals(Set.of(Role.everyone()),
filter.roles(TENANT_PIPELINE, TENANT_CONTEXT_PATH));
- assertEquals(Set.of(Role.tenantPipeline(TENANT, APPLICATION)),
+ assertEquals(Set.of(Role.buildService(TENANT, APPLICATION)),
filter.roles(TENANT_PIPELINE, APPLICATION_CONTEXT_PATH));
assertEquals(Set.of(Role.everyone()),
@@ -112,7 +112,7 @@ public class AthenzRoleFilterTest {
assertEquals(Set.of(Role.athenzTenantAdmin(TENANT)),
filter.roles(TENANT_ADMIN_AND_PIPELINE, TENANT_CONTEXT_PATH));
- assertEquals(Set.of(Role.athenzTenantAdmin(TENANT), Role.tenantPipeline(TENANT, APPLICATION)),
+ assertEquals(Set.of(Role.athenzTenantAdmin(TENANT), Role.buildService(TENANT, APPLICATION)),
filter.roles(TENANT_ADMIN_AND_PIPELINE, APPLICATION_CONTEXT_PATH));
// Users have nothing special under their instance