authorJon Marius Venstad <jvenstad@yahoo-inc.com>2019-04-08 14:34:57 +0200
committerJon Marius Venstad <jvenstad@yahoo-inc.com>2019-04-09 13:05:40 +0200
commit28b25da428ec2ff417b794e0833b8f420f56dfa6 (patch)
treecbbdd887538dd647261c3e00634ee4f21d834bb2 /controller-api
parent4e341affb723f19d813ecc2f8d94124bfd832bbd (diff)
Fine-grained user management access control
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java12
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java13
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java3
3 files changed, 20 insertions, 8 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index edf3f4e8711..5be1fd442e1 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -27,9 +27,6 @@ public enum PathGroup {
"/provision/v2/{*}",
"/zone/v2/{*}"),
- /** Paths used for user management. */
- userManagement("/user/v1/{*}"), // TODO probably add tenant and application levels.
-
/** Paths used for creating user tenants. */
user("/application/v4/user"),
@@ -37,6 +34,10 @@ public enum PathGroup {
tenant(Matcher.tenant,
"/application/v4/tenant/{tenant}"),
+ /** Paths used for user management on the tenant level. */
+ tenantUsers(Matcher.tenant,
+ "/user/v1/tenant/{tenant}"),
+
/** Paths used by tenant administrators. */
tenantInfo(Matcher.tenant,
"/application/v4/tenant/{tenant}/application/"),
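Review bot: The new `tenantUsers` group lists only the single path `/user/v1/tenant/{tenant}`, while the removed `userManagement` group covered `/user/v1/{*}`, so every other path under `/user/v1/` now belongs to no group visible in this diff. Whether a request to an ungrouped path is rejected or passed through is decided by the enforcing filter, which is not shown here; please confirm it denies by default and add a test that a `/user/v1/` path outside the two new groups is refused. Other groups in this enum differ in their trailing slash (`tenant` vs. `tenantInfo`), so it looks as if the matcher is slash-sensitive and `/user/v1/tenant/{tenant}/` may not match. The same applies to `applicationUsers` in the next hunk. I would state the scope in the Javadoc, e.g. `/** Paths used for user management on the tenant level; this exact path only, no sub-paths. */`.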
@@ -46,6 +47,11 @@ public enum PathGroup {
Matcher.application,
"/application/v4/tenant/{tenant}/application/{application}"),
+ /** Paths used for user management on the application level. */
+ applicationUsers(Matcher.tenant,
+ Matcher.application,
+ "/user/v1/tenant/{tenant}/application/{application}"),
+
/** Paths used by application administrators. */
applicationInfo(Matcher.tenant,
Matcher.application,
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 970717b14a3..85b9fb63b2a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -23,10 +23,15 @@ public enum Policy {
.on(PathGroup.all())
.in(SystemName.all())),
- /** Full access to user management in select systems. */
- manager(Privilege.grant(Action.all())
- .on(PathGroup.userManagement)
- .in(SystemName.Public)),
+ /** Full access to user management for a tenant in select systems. */
+ tenantManager(Privilege.grant(Action.all())
+ .on(PathGroup.tenantUsers)
+ .in(SystemName.Public)),
+
+ /** Full access to user management for an application in select systems. */
+ applicationManager(Privilege.grant(Action.all())
+ .on(PathGroup.applicationUsers)
+ .in(SystemName.Public)),
/** Access to create a user tenant in select systems. */
userCreate(Privilege.grant(Action.update)
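Review bot: `tenantManager` and `applicationManager` grant `Action.all()` on a path group, so these policies limit which URL a caller may reach but say nothing about which role is granted or revoked through that URL. If the user-management handler reads the target role from the request, it has to verify that the role is scoped to the tenant or application named in the path and does not exceed the caller's own role; that handler is outside this diff, so this needs confirming there. I would record the assumption next to the policy, e.g. `/** Full access to user management for an application in select systems; the handler must reject roles not scoped to this application. */`, and likewise on `tenantManager`.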
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index 75d491a0a84..d3049500e4c 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -48,6 +48,7 @@ public enum RoleDefinition {
applicationAdmin(applicationDeveloper,
applicationOperator,
Policy.applicationUpdate,
+ Policy.applicationManager,
Policy.productionDeployment,
Policy.submission),
@@ -60,7 +61,7 @@ public enum RoleDefinition {
tenantAdmin(tenantOperator,
applicationAdmin,
Policy.applicationDelete,
- Policy.manager,
+ Policy.tenantManager,
Policy.tenantUpdate),
/** Tenant admin with full access to all tenant resources. */