author | Jon Marius Venstad <venstad@gmail.com> | 2020-06-05 12:34:20 +0200 |
---|---|---|
committer | Jon Marius Venstad <venstad@gmail.com> | 2020-06-05 12:34:20 +0200 |
commit | d77d05e77e618deea7bf656e4bf07dfaa2758f3a (patch) | |
tree | 78664710e0fe4482753ca3a543005a1a19c718ad /controller-api | |
parent | 85b18e891e0dbdde8d7d7d0ca1f3de06bb6b732a (diff) |
Let only operators read deployment/v1 API
Diffstat (limited to 'controller-api')
3 files changed, 5 insertions, 13 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 15eb330e308..68dff26529f 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -22,7 +22,8 @@ enum PathGroup {
 /** Paths exclusive to operators (including read), used for system management. */
 classifiedOperator(PathPrefix.api,
- "/configserver/v1/{*}"),
+ "/configserver/v1/{*}",
+ "/deployment/v1/{*}"),
 /** Paths used for system management by operators. */
 operator(PathPrefix.none,
@@ -199,15 +200,11 @@ enum PathGroup {
 "/",
 "/d/{*}"),
- /** Same as classifiedInfo, but with optional /api prefix */
- classifiedApiInfo(PathPrefix.api,
- "/deployment/v1/{*}",
- "/user/v1/user"),
-
 /** Paths providing public information. */
 publicInfo(PathPrefix.api,
- "/badge/v1/{*}",
- "/zone/v1/{*}"),
+ "/user/v1/user", // Information about who you are.
+ "/badge/v1/{*}", // Badges for deployment jobs.
+ "/zone/v1/{*}"), // Lists environment and regions.
 /** Paths used for deploying system-wide feature flags. */
 systemFlagsDeploy(PathPrefix.none, "/system-flags/v1/deploy"),
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 00550387db5..fc904b9d1a0 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
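Review bot: Listing `"/deployment/v1/{*}"` under `classifiedOperator` (first PathGroup hunk) only keeps it away from policies built with `PathGroup.allExcept(PathGroup.classifiedOperator)`, as seen in the Policy.java context lines. If another group or policy outside these hunks also matches the path, non-operator roles presumably keep read access through it, so the "exclusive to operators" wording deserves a guard comment on the new entry, for example `// Must not appear in any other PathGroup; doing so would re-open read access to non-operators.` Because the group uses `PathPrefix.api`, a regression test should assert that `everyone` is denied read on the path both with and without the `/api` prefix. The enum body starts and ends outside the hunk, so the other groups could not be checked here.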
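Review bot: `"/user/v1/user"` is commented as "Information about who you are", yet the second PathGroup hunk files it under `publicInfo`, whose Javadoc still reads "Paths providing public information." The path was previously granted through `classifiedApiRead` in `SystemName.all()` and is now granted through `publicRead`, whose `.in(...)` clause and full set of holders are outside the visible hunks, so the systems and roles that can read caller identity may have changed. Please confirm that scope is intended and adjust the Javadoc to match, for example `/** Paths providing public information, and the caller's own user info. */`.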
@@ -123,10 +123,6 @@ enum Policy {
 .on(PathGroup.allExcept(PathGroup.classifiedOperator))
 .in(SystemName.main, SystemName.cd, SystemName.dev)),
- classifiedApiRead(Privilege.grant(Action.read)
- .on(PathGroup.classifiedApiInfo)
- .in(SystemName.all())),
-
 /** Read access to public info. */
 publicRead(Privilege.grant(Action.read)
 .on(PathGroup.publicInfo)
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index 6467050d3f3..ad7b3f68440 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -27,7 +27,6 @@ public enum RoleDefinition {
 /** Base role which every user is part of. */
 everyone(Policy.classifiedRead,
- Policy.classifiedApiRead,
 Policy.publicRead,
 Policy.user,
 Policy.tenantCreate), |