diff options
author | Martin Polden <mpolden@mpolden.no> | 2020-03-05 14:06:37 +0100 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2020-03-05 14:06:37 +0100 |
commit | d06aa3e0bfa0eedde1b8b937d9ca4953add6159f (patch) | |
tree | bf62d2664ba3c261042b5e655763138e9eb36f8d | |
parent | 55dd5a7e8db0cbb79802fdf8b059e8c75b6280f9 (diff) |
Remove unused tenantPipeline role
9 files changed, 20 insertions, 56 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java index 4c91238453a..4dbb16c48d5 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java @@ -211,18 +211,10 @@ enum PathGroup { this(List.of(), prefix, List.of(pathSpecs)); } - PathGroup(Matcher first, String... pathSpecs) { - this(List.of(first), Optional.empty(), List.of(pathSpecs)); - } - PathGroup(Matcher first, Optional<String> prefix, String... pathSpecs) { this(List.of(first), prefix, List.of(pathSpecs)); } - PathGroup(Matcher first, Matcher second, String... pathSpecs) { - this(List.of(first, second), Optional.empty(), List.of(pathSpecs)); - } - PathGroup(Matcher first, Matcher second, Optional<String> prefix, String... pathSpecs) { this(List.of(first, second), prefix, List.of(pathSpecs)); } diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java index 0e8e3a13f9f..c3705a31517 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java @@ -10,9 +10,11 @@ import java.util.Set; /** * Policies for REST APIs in the controller. A policy is only considered when defined in a {@link Role}. - * A policy describes a set of {@link Privilege}s, which are valid for a set of {@link SystemName}s. - * A policy is evaluated by an {@link Enforcer}, which holds the {@link SystemName} the evaluation is done in. - * A policy is evaluated with a {@link Context}, which may limit it to a specific {@link TenantName} or {@link ApplicationName}. + * + * - A policy describes a set of {@link Privilege}s, which are valid for a set of {@link SystemName}s. + * - A policy is evaluated by an {@link Enforcer}, which holds the {@link SystemName} the evaluation is done in. + * - A policy is evaluated in a {@link Context}, which may limit it to a specific {@link TenantName} or + * {@link ApplicationName}. * * @author mpolden */ @@ -25,8 +27,8 @@ enum Policy { /** Full access to everything. */ supporter(Privilege.grant(Action.read) - .on(PathGroup.all()) - .in(SystemName.all())), + .on(PathGroup.all()) + .in(SystemName.all())), /** Full access to user management for a tenant in select systems. */ tenantManager(Privilege.grant(Action.all()) @@ -98,11 +100,6 @@ enum Policy { .on(PathGroup.developmentDeployment, PathGroup.developmentRestart) .in(SystemName.all())), - /** Full access to application production deployments. */ - productionDeployment(Privilege.grant(Action.all()) - .on(PathGroup.productionDeployment) - .in(SystemName.all())), - /** Read access to all application deployments. */ deploymentRead(Privilege.grant(Action.read) .on(PathGroup.developmentDeployment, PathGroup.productionDeployment) @@ -113,11 +110,6 @@ enum Policy { .on(PathGroup.submission) .in(SystemName.all())), - /** Full access to the additional tasks needed for continuous deployment. */ - deploymentPipeline(Privilege.grant(Action.all()) // TODO remove when everyone is on new pipeline. - .on(PathGroup.buildService, PathGroup.productionRestart) - .in(SystemName.all())), - /** Read access to all information in select systems. */ classifiedRead(Privilege.grant(Action.read) .on(PathGroup.allExcept(PathGroup.classifiedOperator)) diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java index beeb340647c..532088e94aa 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java @@ -42,11 +42,6 @@ public abstract class Role { return new TenantRole(RoleDefinition.athenzTenantAdmin, tenant); } - /** Returns a {@link RoleDefinition#tenantPipeline} for the current system and given tenant and application. */ - public static ApplicationRole tenantPipeline(TenantName tenant, ApplicationName application) { - return new ApplicationRole(RoleDefinition.tenantPipeline, tenant, application); - } - /** Returns a {@link RoleDefinition#reader} for the current system and given tenant. */ public static TenantRole reader(TenantName tenant) { return new TenantRole(RoleDefinition.reader, tenant); diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java index a350cb002b3..af4511b6eae 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java @@ -61,12 +61,6 @@ public enum RoleDefinition { /** Headless — the application specific role identified by deployment keys for production */ headless(Policy.submission), - /** Build and continuous delivery service. */ // TODO replace with buildService, when everyone is on new pipeline. - tenantPipeline(everyone, - Policy.submission, - Policy.deploymentPipeline, - Policy.productionDeployment), - /** Tenant administrator with full access to all child resources. */ athenzTenantAdmin(everyone, Policy.tenantRead, @@ -90,12 +84,8 @@ public enum RoleDefinition { this(Set.of(), policies); } - RoleDefinition(RoleDefinition first, Policy... policies) { - this(Set.of(first), policies); - } - - RoleDefinition(RoleDefinition first, RoleDefinition second, Policy... policies) { - this(Set.of(first, second), policies); + RoleDefinition(RoleDefinition parent, Policy... policies) { + this(Set.of(parent), policies); } RoleDefinition(Set<RoleDefinition> parents, Policy... policies) { diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java index 2e7308e41e1..636825573f1 100644 --- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java +++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java @@ -46,11 +46,6 @@ public class RolesTest { } @Test(expected = IllegalArgumentException.class) - public void illegalRole() { - Roles.valueOf(Role.tenantPipeline(TenantName.from("my-tenant"), ApplicationName.from("my-app"))); - } - - @Test(expected = IllegalArgumentException.class) public void illegalRoleValue() { Roles.toRole("my-tenant.awesomePerson"); } diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java index f78ae24df9e..52e0f3c8a8e 100644 --- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java +++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java @@ -73,10 +73,10 @@ public class RoleTest { @Test public void build_service_membership() { - Role role = Role.tenantPipeline(TenantName.from("t1"), ApplicationName.from("a1")); + Role role = Role.buildService(TenantName.from("t1"), ApplicationName.from("a1")); assertFalse(publicEnforcer.allows(role, Action.create, URI.create("/not/explicitly/defined"))); assertFalse(publicEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t1/application/a1"))); - assertTrue(publicEnforcer.allows(role, Action.create, URI.create("/application/v4/tenant/t1/application/a1/jobreport"))); + assertTrue(publicEnforcer.allows(role, Action.create, URI.create("/application/v4/tenant/t1/application/a1/submit"))); assertFalse("No global read access", publicEnforcer.allows(role, Action.read, URI.create("/controller/v1/foo"))); } diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java index 30f0d545ffe..4ae3c38bdf2 100644 --- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java +++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java @@ -110,7 +110,7 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase { futures.add(executor.submit(() -> { if ( tenant.get().type() != Tenant.Type.athenz || hasDeployerAccess(identity, ((AthenzTenant) tenant.get()).domain(), application.get())) - roleMemberships.add(Role.tenantPipeline(tenant.get().name(), application.get())); + roleMemberships.add(Role.buildService(tenant.get().name(), application.get())); })); futures.add(executor.submit(() -> { diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java index b488c0f9d0a..ac0d188fe37 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/application/ApplicationApiTest.java @@ -576,9 +576,11 @@ public class ApplicationApiTest extends ControllerContainerTest { // POST a 'restart application' command tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/prod/region/us-central-1/instance/instance1/restart", POST) - .screwdriverIdentity(SCREWDRIVER_ID), + .userIdentity(HOSTED_VESPA_OPERATOR), "{\"message\":\"Requested restart of tenant1.application1.instance1 in prod.us-central-1\"}"); + addUserToHostedOperatorRole(HostedAthenzIdentities.from(SCREWDRIVER_ID)); + // POST a 'restart application' in staging environment command tester.assertResponse(request("/application/v4/tenant/tenant1/application/application1/environment/staging/region/us-central-1/instance/instance1/restart", POST) .screwdriverIdentity(SCREWDRIVER_ID), @@ -929,10 +931,8 @@ public class ApplicationApiTest extends ControllerContainerTest { .oktaAccessToken(OKTA_AT).oktaIdentityToken(OKTA_IT), new File("instance-reference.json")); - // Grant deploy access - addScrewdriverUserToDeployRole(SCREWDRIVER_ID, - ATHENZ_TENANT_DOMAIN, - ApplicationName.from("application1")); + // Add build service to operator role + addUserToHostedOperatorRole(HostedAthenzIdentities.from(SCREWDRIVER_ID)); // POST (deploy) an application to a prod zone - allowed when project ID is not specified MultiPartStreamer entity = createApplicationDeployData(applicationPackageInstance1, true); diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java index 4e06afea50d..c49f7a90194 100644 --- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java +++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java @@ -95,14 +95,14 @@ public class AthenzRoleFilterTest { assertEquals(Set.of(Role.athenzTenantAdmin(TENANT)), filter.roles(TENANT_ADMIN, APPLICATION2_CONTEXT_PATH)); - // Build services are members of the tenantPipeline role within their application subtree. + // Build services are members of the buildService role within their application subtree. assertEquals(Set.of(Role.everyone()), filter.roles(TENANT_PIPELINE, NO_CONTEXT_PATH)); assertEquals(Set.of(Role.everyone()), filter.roles(TENANT_PIPELINE, TENANT_CONTEXT_PATH)); - assertEquals(Set.of(Role.tenantPipeline(TENANT, APPLICATION)), + assertEquals(Set.of(Role.buildService(TENANT, APPLICATION)), filter.roles(TENANT_PIPELINE, APPLICATION_CONTEXT_PATH)); assertEquals(Set.of(Role.everyone()), @@ -112,7 +112,7 @@ public class AthenzRoleFilterTest { assertEquals(Set.of(Role.athenzTenantAdmin(TENANT)), filter.roles(TENANT_ADMIN_AND_PIPELINE, TENANT_CONTEXT_PATH)); - assertEquals(Set.of(Role.athenzTenantAdmin(TENANT), Role.tenantPipeline(TENANT, APPLICATION)), + assertEquals(Set.of(Role.athenzTenantAdmin(TENANT), Role.buildService(TENANT, APPLICATION)), filter.roles(TENANT_ADMIN_AND_PIPELINE, APPLICATION_CONTEXT_PATH)); // Users have nothing special under their instance |