authorJon Marius Venstad <venstad@gmail.com>2019-10-01 15:02:43 +0200
committerJon Marius Venstad <venstad@gmail.com>2019-10-01 15:02:43 +0200
commitd426ec174d9c57a62b68017fe4121f1d7ad7bc79 (patch)
treed0a2f4910e2f8dba5e9dcec16a4b233fc0ffbfbb /controller-api/src
parent6b2569ff15587d53037820089b9f90c31422dac4 (diff)
Store developer keys <-> developers, and modify through application/v4
Diffstat (limited to 'controller-api/src')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java2
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java9
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java5
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java4
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SecurityContext.java1
5 files changed, 19 insertions, 2 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java
index 5ebea6c8d87..03eda33233d 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/stubs/MockUserManagement.java
@@ -43,7 +43,7 @@ public class MockUserManagement implements UserManagement {
@Override
public void removeUsers(Role role, Collection<UserId> users) {
- memberships.get(role).removeAll(users);
+ memberships.get(role).removeIf(user -> users.contains(new UserId(user.email())));
}
@Override
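Review bot: The changed line still dereferences `memberships.get(role)` directly, so for a role that was never registered the new `removeIf` fails with a NullPointerException exactly as the old `removeAll` did (assuming `memberships` is a `Map`, which is not visible in this hunk); if callers may remove users from an unknown role, guard it with `if (memberships.containsKey(role))`, otherwise document that the stub requires the role to exist. The predicate also evaluates `users.contains(...)` once per member, which is quadratic when `users` arrives as a `List`; hoisting `Set<UserId> toRemove = new HashSet<>(users);` before the `removeIf` and testing against that keeps it linear. The element type of the membership collection is inferred from `user.email()` and should be confirmed against the field declaration, which is outside the hunk.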
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 08702027264..958ded06c78 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -46,6 +46,15 @@ enum PathGroup {
Optional.of("/api"),
"/application/v4/tenant/{tenant}/application/"),
+ tenantKeys(Matcher.tenant,
+ Optional.of("/api"),
+ "/application/v4/tenant/{tenant}/key/"),
+
+ applicationKeys(Matcher.tenant,
+ Matcher.application,
+ Optional.of("/api"),
+ "/application/v4/tenant/{tenant}/application/{application}/key/"),
+
/** Path for the base application resource. */
application(Matcher.tenant,
Matcher.application,
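Review bot: The two new constants `tenantKeys` and `applicationKeys` have no Javadoc, while the neighbouring entry on the following line carries `/** Path for the base application resource. */`; since these groups are what the key-management policy is granted on, a one-line description of each helps whoever audits the role model. Suggested: `/** Paths for the key resources of a tenant. */` above `tenantKeys`, and `/** Paths for the key resources of an application. */` above `applicationKeys`. The enclosing `PathGroup` enum starts and ends outside this hunk.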
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 290382c6e6c..db7dd5909b3 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -83,6 +83,11 @@ enum Policy {
.on(PathGroup.applicationInfo, PathGroup.productionRestart)
.in(SystemName.all())),
+ /** Access to create and delete developer and deploy keys under a tenant. */
+ keyManagement(Privilege.grant(Action.write())
+ .on(PathGroup.tenantKeys, PathGroup.applicationKeys)
+ .in(SystemName.all())),
+
/** Full access to application development deployments. */
developmentDeployment(Privilege.grant(Action.all())
.on(PathGroup.developmentDeployment, PathGroup.developmentRestart)
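Review bot: The Javadoc on `keyManagement` promises "create and delete", but the grant is `Action.write()` only; whether that action set also covers listing the existing keys is not visible here, and no read grant on `tenantKeys`/`applicationKeys` appears in this change. If the same roles are expected to read back the keys they register, the policy needs a read action as well (or a companion read policy); if listing is intentionally covered elsewhere, consider stating that in the comment, e.g. `/** Access to create and delete developer and deploy keys under a tenant; reading them is covered by the tenant/application read policies. */` once confirmed. The enclosing `Policy` enum starts and ends outside this hunk.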
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index 980b8bd316f..7bbd89404c7 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -56,7 +56,8 @@ public enum RoleDefinition {
/** Tenant operator with access to create application under a tenant, and to read the tenant's and public data. */
tenantOperator(everyone,
Policy.tenantRead,
- Policy.applicationCreate),
+ Policy.applicationCreate,
+ Policy.keyManagement),
/** Tenant admin with full access to all tenant resources, except deleting the tenant. */
tenantAdmin(tenantOperator,
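Review bot: The Javadoc on `tenantOperator` two lines above the change still says the role can "create application under a tenant, and ... read", yet the new `Policy.keyManagement` line lets it register and delete keys, so the comment is now stale. Suggested: `/** Tenant operator with access to create applications and manage keys under a tenant, and to read the tenant's and public data. */`. Because adding a key effectively grants access to whoever holds the corresponding private key, and `tenantAdmin` on the last hunk line inherits this role, it is worth making the intent explicit in the comment that the lowest tenant role is allowed to add keys. The second hunk of this file adds the same policy to a role whose definition starts outside the hunk; if that role also inherits `tenantOperator`, the explicit entry is redundant, which I cannot confirm from here.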
@@ -84,6 +85,7 @@ public enum RoleDefinition {
Policy.applicationUpdate,
Policy.applicationDelete,
Policy.applicationOperations,
+ Policy.keyManagement,
Policy.developmentDeployment);
private final Set<RoleDefinition> parents;
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SecurityContext.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SecurityContext.java
index 3378f9e0061..92f902dc0f7 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SecurityContext.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/SecurityContext.java
@@ -49,4 +49,5 @@ public class SecurityContext {
", roles=" + roles +
'}';
}
+
}