Add supporter role

6 files changed, 39 insertions, 0 deletions

diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java
index 77bd589f23b..f5f3ebe8f35 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java
@@ -35,6 +35,7 @@ public class Roles {
     public static Role toRole(String value) {
         String[] parts = value.split("\\.");
         if (parts.length == 1 && parts[0].equals("hostedOperator")) return Role.hostedOperator();
+        if (parts.length == 1 && parts[0].equals("hostedSupporter")) return Role.hostedSupporter();
         if (parts.length == 2) return toRole(TenantName.from(parts[0]), parts[1]);
         if (parts.length == 3) return toRole(TenantName.from(parts[0]), ApplicationName.from(parts[1]), parts[2]);
         throw new IllegalArgumentException("Malformed or illegal role value '" + value + "'.");
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index e27fb0fbf27..0e8e3a13f9f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -23,6 +23,11 @@ enum Policy {
                       .on(PathGroup.all())
                       .in(SystemName.all())),
 
+    /** Full access to everything. */
+    supporter(Privilege.grant(Action.read)
+                     .on(PathGroup.all())
+                     .in(SystemName.all())),
+
     /** Full access to user management for a tenant in select systems. */
     tenantManager(Privilege.grant(Action.all())
                            .on(PathGroup.tenantUsers)
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
index b53cf9162e7..d852e55d7fd 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
@@ -28,6 +28,11 @@ public abstract class Role {
         return new UnboundRole(RoleDefinition.hostedOperator);
     }
 
+    /** Returns a {@link RoleDefinition#hostedSupporter for the current system. */
+    public static UnboundRole hostedSupporter() {
+        return new UnboundRole(RoleDefinition.hostedSupporter);
+    }
+
     /** Returns a {@link RoleDefinition#everyone} for the current system. */
     public static UnboundRole everyone() {
         return new UnboundRole(RoleDefinition.everyone);
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index 58d69512feb..848866f7c33 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -21,6 +21,9 @@ public enum RoleDefinition {
     /** Deus ex machina. */
     hostedOperator(Policy.operator),
 
+    /** Machina autem exspiravit. */
+    hostedSupporter(Policy.supporter),
+
     /** Base role which every user is part of. */
     everyone(Policy.classifiedRead,
              Policy.classifiedApiRead,
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java
index cfb5462e50a..22baedd16b4 100644
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java
+++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java
@@ -27,6 +27,8 @@ public class RolesTest {
 
         assertEquals(Role.hostedOperator(),
                      Roles.toRole("hostedOperator"));
+        assertEquals(Role.hostedSupporter(),
+                     Roles.toRole("hostedSupporter"));
         assertEquals(Role.tenantOperator(tenant),
                      Roles.toRole("my-tenant.tenantOperator"));
         assertEquals(Role.applicationReader(tenant, application),
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
index d153e218640..da2f64f2893 100644
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
+++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
@@ -33,6 +33,27 @@ public class RoleTest {
     }
 
     @Test
+    public void supporter_membership() {
+        Role role = Role.hostedSupporter();
+
+        // No create update or delete
+        assertFalse(mainEnforcer.allows(role, Action.create, URI.create("/not/explicitly/defined")));
+        assertFalse(mainEnforcer.allows(role, Action.create, URI.create("/controller/v1/foo")));
+        assertFalse(mainEnforcer.allows(role, Action.update, URI.create("/os/v1/bar")));
+        assertFalse(mainEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t1/application/a1")));
+        assertFalse(mainEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t2/application/a2")));
+        assertFalse(mainEnforcer.allows(role, Action.delete, URI.create("/application/v4/tenant/t8/application/a6/instance/i1/environment/dev/region/r1")));
+
+        // But reads is ok (but still only for valid paths)
+        assertFalse(mainEnforcer.allows(role, Action.read, URI.create("/not/explicitly/defined")));
+        assertTrue(mainEnforcer.allows(role, Action.read, URI.create("/controller/v1/foo")));
+        assertTrue(mainEnforcer.allows(role, Action.read, URI.create("/os/v1/bar")));
+        assertTrue(mainEnforcer.allows(role, Action.read, URI.create("/application/v4/tenant/t1/application/a1")));
+        assertTrue(mainEnforcer.allows(role, Action.read, URI.create("/application/v4/tenant/t2/application/a2")));
+        assertFalse(mainEnforcer.allows(role, Action.delete, URI.create("/application/v4/tenant/t8/application/a6/instance/i1/environment/dev/region/r1")));
+    }
+
+    @Test
     public void tenant_membership() {
         Role role = Role.athenzTenantAdmin(TenantName.from("t1"));
         assertFalse(mainEnforcer.allows(role, Action.create, URI.create("/not/explicitly/defined")));
@@ -133,12 +154,14 @@ public class RoleTest {
         Action action = Action.update;
         assertTrue(mainEnforcer.allows(Role.systemFlagsDeployer(), action, deployUri));
         assertTrue(mainEnforcer.allows(Role.hostedOperator(), action, deployUri));
+        assertFalse(mainEnforcer.allows(Role.hostedSupporter(), action, deployUri));
         assertFalse(mainEnforcer.allows(Role.systemFlagsDryrunner(), action, deployUri));
         assertFalse(mainEnforcer.allows(Role.everyone(), action, deployUri));
 
         URI dryrunUri = URI.create("/system-flags/v1/dryrun");
         assertTrue(mainEnforcer.allows(Role.systemFlagsDeployer(), action, dryrunUri));
         assertTrue(mainEnforcer.allows(Role.hostedOperator(), action, dryrunUri));
+        assertFalse(mainEnforcer.allows(Role.hostedSupporter(), action, dryrunUri));
         assertTrue(mainEnforcer.allows(Role.systemFlagsDryrunner(), action, dryrunUri));
         assertFalse(mainEnforcer.allows(Role.everyone(), action, dryrunUri));
     }