authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-11-14 12:38:24 +0100
committerGitHub <noreply@github.com>2019-11-14 12:38:24 +0100
commite2c0bfab328851a177c1ea4042a7fc9d79714979 (patch)
tree9d27513c5f5c61ccf81990679a4b28979ad4ee68 /controller-api
parentbf057fb22f9c917d616031a0cd32597b315bb803 (diff)
parent0d0e4c109ab23e9db7185ffe690dcab325ac072a (diff)
Merge pull request #11257 from vespa-engine/bjorncs/system-flags-access-control-dryrun
Define access control '/system-flags/v1' dry-run
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java6
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java11
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java3
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java4
-rw-r--r--controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java15
5 files changed, 30 insertions, 9 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 9db896bbb88..bf89d072b75 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -181,7 +181,11 @@ enum PathGroup {
"/zone/v1/{*}"),
/** Paths used for deploying system-wide feature flags. */
- systemFlags("/system-flags/v1/{*}");
+ systemFlagsDeploy("/system-flags/v1/deploy"),
+
+
+ /** Paths used for "dry-running" system-wide feature flags. */
+ systemFlagsDryrun("/system-flags/v1/dryrun");
final List<String> pathSpecs;
final String prefix;
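Review bot: Replacing the `/system-flags/v1/{*}` wildcard with the two exact specs `/system-flags/v1/deploy` and `/system-flags/v1/dryrun` leaves every other path under `/system-flags/v1/` outside any PathGroup visible in this hunk. Whether such requests are then denied by default depends on enforcer code that is not shown here, so the intent is worth stating in the Javadoc, for example `/** Exact path for deploying system-wide feature flags; no other /system-flags/v1 path is covered. */`. The two consecutive blank lines added after `systemFlagsDeploy` should also be collapsed to one. The enum body continues outside the hunk.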
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 51f29626acf..074d3ef7e95 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -123,9 +123,14 @@ enum Policy {
.on(PathGroup.publicInfo)
.in(SystemName.all())),
- /** Access to /system-flags/v1. */
- systemFlagsDeployment(Privilege.grant(Action.all())
- .on(PathGroup.systemFlags)
+ /** Access to /system-flags/v1/deploy. */
+ systemFlagsDeploy(Privilege.grant(Action.update)
+ .on(PathGroup.systemFlagsDeploy)
+ .in(SystemName.all())),
+
+ /** Access to /system-flags/v1/dryrun. */
+ systemFlagsDryrun(Privilege.grant(Action.update)
+ .on(PathGroup.systemFlagsDryrun)
.in(SystemName.all()));
private final Set<Privilege> privileges;
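Review bot: The Javadoc on `systemFlagsDeploy` and `systemFlagsDryrun` still says only "Access to ...", although the grant was narrowed from `Action.all()` to `Action.update`. Since this is an authorization table, the comment should name the permitted action so a later reader does not assume read or delete is included, for example `/** Update-only access to /system-flags/v1/deploy. */` and the same wording for the dryrun policy.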
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
index e1497bd686e..b53cf9162e7 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
@@ -111,6 +111,9 @@ public abstract class Role {
/** Returns the role for system flag deployer */
public static UnboundRole systemFlagsDeployer() { return new UnboundRole(RoleDefinition.systemFlagsDeployer); }
+ /** Returns the role for system flag dryrun */
+ public static UnboundRole systemFlagsDryrunner() { return new UnboundRole(RoleDefinition.systemFlagsDryrunner); }
+
/** Returns the role definition of this bound role. */
public RoleDefinition definition() { return roleDefinition; }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index a261f5c7e8f..67efdc3017d 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -115,7 +115,9 @@ public enum RoleDefinition {
Policy.keyManagement,
Policy.developmentDeployment),
- systemFlagsDeployer(hostedOperator, Policy.systemFlagsDeployment);
+ systemFlagsDeployer(Policy.systemFlagsDeploy, Policy.systemFlagsDryrun),
+
+ systemFlagsDryrunner(Policy.systemFlagsDryrun);
private final Set<RoleDefinition> parents;
private final Set<Policy> policies;
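Review bot: `systemFlagsDeployer` no longer lists `hostedOperator` as its first argument, which, judging from the `parents` field below, presumably means the role stops inheriting operator policies. That is a privilege reduction the commit title does not mention. If it is intentional, a short comment such as `/** Deploys system flags; deliberately has no parent role. */` would keep someone from re-adding the parent later. A test asserting that the deployer is denied on an operator-only path would pin it down. The constructor that interprets these arguments is outside the hunk, so the inheritance semantics should be confirmed there.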
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
index 6dd815f4f51..d153e218640 100644
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
+++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
@@ -129,10 +129,17 @@ public class RoleTest {
@Test
public void system_flags() {
- URI uri = URI.create("/system-flags/v1/deploy");
+ URI deployUri = URI.create("/system-flags/v1/deploy");
Action action = Action.update;
- assertTrue(mainEnforcer.allows(Role.systemFlagsDeployer(), action, uri));
- assertTrue(mainEnforcer.allows(Role.hostedOperator(), action, uri));
- assertFalse(mainEnforcer.allows(Role.everyone(), action, uri));
+ assertTrue(mainEnforcer.allows(Role.systemFlagsDeployer(), action, deployUri));
+ assertTrue(mainEnforcer.allows(Role.hostedOperator(), action, deployUri));
+ assertFalse(mainEnforcer.allows(Role.systemFlagsDryrunner(), action, deployUri));
+ assertFalse(mainEnforcer.allows(Role.everyone(), action, deployUri));
+
+ URI dryrunUri = URI.create("/system-flags/v1/dryrun");
+ assertTrue(mainEnforcer.allows(Role.systemFlagsDeployer(), action, dryrunUri));
+ assertTrue(mainEnforcer.allows(Role.hostedOperator(), action, dryrunUri));
+ assertTrue(mainEnforcer.allows(Role.systemFlagsDryrunner(), action, dryrunUri));
+ assertFalse(mainEnforcer.allows(Role.everyone(), action, dryrunUri));
}
}
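Review bot: `system_flags()` exercises only `Action.update`, so nothing here would fail if the policies were widened back to `Action.all()` or the path specs back to a wildcard. Negative assertions for another action would cover the first case, e.g. `assertFalse(mainEnforcer.allows(Role.systemFlagsDryrunner(), Action.read, dryrunUri));`. A check that the dryrunner and deployer are denied on a `/system-flags/v1/` path other than the two defined ones would cover the second. Both are inferred from the policy and path-group hunks in this commit and should be checked against the enforcer's default-deny behaviour.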