authorOla Aunrønning <olaa@verizonmedia.com>2020-05-15 13:03:28 +0200
committerOla Aunrønning <olaa@verizonmedia.com>2020-05-15 13:03:28 +0200
commit0ec7ac1ca97a0bea97e606c5d5c82f1dfb593054 (patch)
tree7947da05f8b189a03d2073c990fdba3b14cf7003 /controller-api
parentd05fbb6d8eae73144cf6b5f4c5eb794f3b157389 (diff)
Added hosted accountant role
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java1
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java4
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java9
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java3
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java4
5 files changed, 16 insertions, 5 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java
index 578f516f01e..a0c73fa7ff8 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/user/Roles.java
@@ -36,6 +36,7 @@ public class Roles {
String[] parts = value.split("\\.");
if (parts.length == 1 && parts[0].equals("hostedOperator")) return Role.hostedOperator();
if (parts.length == 1 && parts[0].equals("hostedSupporter")) return Role.hostedSupporter();
+ if (parts.length == 1 && parts[0].equals("hostedAccountant")) return Role.hostedAccountant();
if (parts.length == 2) return toRole(TenantName.from(parts[0]), parts[1]);
if (parts.length == 3) return toRole(TenantName.from(parts[0]), ApplicationName.from(parts[1]), parts[2]);
throw new IllegalArgumentException("Malformed or illegal role value '" + value + "'.");
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 0316803558b..baa5a093eed 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -219,8 +219,8 @@ enum PathGroup {
/** Paths used for receiving payment callbacks */
paymentProcessor(PathPrefix.none, "/payment/notification"),
- /** Invoice management */
- invoiceManagement(PathPrefix.none, "/billing/v1/invoice/{*}");
+ /** Paths used for invoice management */
+ hostedAccountant(PathPrefix.api, "/billing/v1/invoice/{*}");
final List<String> pathSpecs;
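Review bot: The replacement line changes the prefix from `PathPrefix.none` to `PathPrefix.api` as well as renaming the group, and the commit message mentions only the new role. If the invoice handler is still reachable at the unprefixed `/billing/v1/invoice/{*}` path, that path would presumably no longer fall in any group, and what the access filter does with an unmatched path is not visible here. This is worth confirming with a test on the filter. Naming the path group after a role also makes `PathGroup.allExcept(PathGroup.hostedAccountant)` read as if it excluded a role rather than a set of URLs; the old `invoiceManagement` name described the resource. The enum body continues outside the hunk.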
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 0afa0668a00..bc61ec6d97d 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -22,12 +22,12 @@ enum Policy {
/** Full access to everything. */
operator(Privilege.grant(Action.all())
- .on(PathGroup.all())
+ .on(PathGroup.allExcept(PathGroup.hostedAccountant))
.in(SystemName.all())),
/** Full access to everything. */
supporter(Privilege.grant(Action.read)
- .on(PathGroup.all())
+ .on(PathGroup.allExcept(PathGroup.hostedAccountant))
.in(SystemName.all())),
/** Full access to user management for a tenant in select systems. */
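Review bot: Both Javadoc comments are now inaccurate: after `allExcept(PathGroup.hostedAccountant)` neither `operator` nor `supporter` covers everything, and `supporter` grants only `Action.read`. Suggest `/** Full access to everything except invoice management. */` and `/** Read access to everything except invoice management. */`. The exclusion only separates duties if an operator cannot assign themselves the hostedAccountant role through the user-management paths, which this diff does not show, so that should be checked alongside this change. The enum continues outside the hunk.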
@@ -167,6 +167,11 @@ enum Policy {
/** Read the generated bills */
billingInformationRead(Privilege.grant(Action.read)
.on(PathGroup.billingList)
+ .in(SystemName.PublicCd)),
+
+ /** Invoice management */
+ hostedAccountant(Privilege.grant(Action.all())
+ .on(PathGroup.hostedAccountant)
.in(SystemName.PublicCd));
private final Set<Privilege> privileges;
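Review bot: `hostedAccountant` is granted only `.in(SystemName.PublicCd)`, while the earlier hunk in this file removes the invoice paths from `operator` and `supporter` in `SystemName.all()`. In every other system, no policy visible in this diff grants access to the invoice paths at all. If that is intended, the Javadoc should say so, for example `/** Full access to invoice management. Granted in PublicCd only, and deliberately withheld from operator and supporter. */`. A unit test asserting that the operator and supporter roles are denied on an invoice path, and that the accountant is denied outside PublicCd, would pin the intent. The enum continues outside the hunk.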
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
index d3c5e412215..90350de5dbd 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
@@ -76,6 +76,9 @@ public abstract class Role {
/** Returns the role of the payment processor */
public static UnboundRole paymentProcessor() { return new UnboundRole(RoleDefinition.paymentProcessor); }
+ /** Returns the role of the invoice manager */
+ public static UnboundRole hostedAccountant() { return new UnboundRole(RoleDefinition.hostedAccountant); }
+
/** Returns the role definition of this bound role. */
public RoleDefinition definition() { return roleDefinition; }
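Review bot: The added Javadoc calls this "the invoice manager" while the method, the role definition and the commit title all say "hosted accountant". Use one term so the role can be found by search, e.g. `/** Returns the hosted accountant role, which manages invoices. */`. The new `hostedAccountant(Policy.hostedAccountant)` constant in RoleDefinition.java is added without any Javadoc. A one-line comment there stating what the role may do would help whoever audits role assignments.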
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index 438e79bcc4f..6467050d3f3 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -89,7 +89,9 @@ public enum RoleDefinition {
systemFlagsDryrunner(Policy.systemFlagsDryrun),
- paymentProcessor(Policy.paymentProcessor);
+ paymentProcessor(Policy.paymentProcessor),
+
+ hostedAccountant(Policy.hostedAccountant);
private final Set<RoleDefinition> parents;
private final Set<Policy> policies;