author | Martin Polden <mpolden@mpolden.no> | 2020-02-17 12:53:29 +0100 |
committer | Martin Polden <mpolden@mpolden.no> | 2020-02-17 14:37:11 +0100 |
commit | 350797fb677fd5936bf4bec50dfb250fea9b1886 (patch) | |
tree | 511d5630b989fc3d788def903222c9a87e643934 /controller-api | |
parent | b1c702d576acc700d2c47bd7dd84d222cd3b8e6e (diff) |
Add tenant access rules for /routing/v1/
Diffstat (limited to 'controller-api')
-rw-r--r-- | controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java | 10 | ||||
-rw-r--r-- | controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java | 32 |
2 files changed, 39 insertions, 3 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 998af030b6b..67a6faac606 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -31,7 +31,9 @@ enum PathGroup {
 "/os/v1/{*}",
 "/provision/v2/{*}",
 "/zone/v2/{*}",
- "/routing/v1/{*}"),
+ "/routing/v1/",
+ "/routing/v1/status/environment/{*}",
+ "/routing/v1/inactive/environment/{*}"),

 /** Paths used for creating and reading user resources. */
 user(Optional.of("/api"),
@@ -53,7 +55,8 @@ enum PathGroup {
 Optional.of("/api"),
 "/application/v4/tenant/{tenant}/application/",
 "/application/v4/tenant/{tenant}/cost",
- "/application/v4/tenant/{tenant}/cost/{date}"),
+ "/application/v4/tenant/{tenant}/cost/{date}",
+ "/routing/v1/status/tenant/{tenant}/{*}"),

 tenantKeys(Matcher.tenant,
 Optional.of("/api"),
@@ -97,7 +100,8 @@ enum PathGroup {
 "/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{ignored}/suspended",
 "/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{ignored}/service/{*}",
 "/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{ignored}/global-rotation/{*}",
- "/application/v4/tenant/{tenant}/application/{application}/metering"),
+ "/application/v4/tenant/{tenant}/application/{application}/metering",
+ "/routing/v1/inactive/tenant/{tenant}/application/{application}/instance/{ignored}/environment/prod/region/{region}"), // TODO jonmv: remove

 /** Path used to restart development nodes. */
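Review bot: The narrowing in the first hunk looks intentional but is undocumented: with `/routing/v1/{*}` replaced by the exact `/routing/v1/` and the two `environment` sub-trees, the tenant-scoped `status/tenant/...` and `inactive/tenant/...` routes drop out of this group and are granted only through the tenant-scoped groups extended in the second hunk and later. A later maintainer restoring the wildcard for convenience would silently give every holder of this group access to all tenants' routing status, so the choice should be stated next to the entries: `// Deliberately enumerated, not /routing/v1/{*}: tenant-scoped routing paths are granted per tenant/application below`. Whether operator roles keep access to the tenant-scoped routing paths after this change depends on how Role composes the groups, which the diff does not show. The third hunk on this line runs past the end of the page and is not reviewed here.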
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
index da2f64f2893..5348185c276 100644
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
+++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
@@ -8,6 +8,7 @@ import com.yahoo.config.provision.TenantName;
 import org.junit.Test;

 import java.net.URI;
+import java.util.List;

 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
@@ -30,6 +31,10 @@ public class RoleTest {
 assertTrue(mainEnforcer.allows(role, Action.update, URI.create("/os/v1/bar")));
 assertTrue(mainEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t1/application/a1")));
 assertTrue(mainEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t2/application/a2")));
+ assertTrue(mainEnforcer.allows(role, Action.read, URI.create("/routing/v1/")));
+ assertTrue(mainEnforcer.allows(role, Action.read, URI.create("/routing/v1/status/environment/")));
+ assertTrue(mainEnforcer.allows(role, Action.read, URI.create("/routing/v1/status/environment/prod")));
+ assertTrue(mainEnforcer.allows(role, Action.create, URI.create("/routing/v1/inactive/environment/prod/region/us-north-1")));
 }

 @Test
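Review bot: The new assertions in the second hunk only cover the paths that remain enumerated in the operator-level group, not the tenant-scoped routing paths that the removed `/routing/v1/{*}` wildcard used to match, so the most consequential effect of the PathGroup change is untested for this role. If `role` is meant to keep access there, add `assertTrue(mainEnforcer.allows(role, Action.read, URI.create("/routing/v1/status/tenant/t1")));`; if it is meant to lose it, an `assertFalse` on the same URI pins the narrowing either way. The test method enclosing these assertions starts outside the hunk, so how `role` is constructed is not visible here. The import hunk above is trivial.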
@@ -165,4 +170,31 @@ public class RoleTest {
 assertTrue(mainEnforcer.allows(Role.systemFlagsDryrunner(), action, dryrunUri));
 assertFalse(mainEnforcer.allows(Role.everyone(), action, dryrunUri));
 }
+
+ @Test
+ public void routing() {
+ var tenantUrl = URI.create("/routing/v1/status/tenant/t1");
+ var applicationUrl = URI.create("/routing/v1/status/tenant/t1/application/a1");
+ var instanceUrl = URI.create("/routing/v1/status/tenant/t1/application/a1/instance/i1");
+ var deploymentUrl = URI.create("/routing/v1/status/tenant/t1/application/a1/instance/i1/environment/prod/region/us-north-1");
+ // Read
+ for (var url : List.of(tenantUrl, applicationUrl, instanceUrl, deploymentUrl)) {
+ var allowedRole = Role.reader(TenantName.from("t1"));
+ var disallowedRole = Role.reader(TenantName.from("t2"));
+ assertTrue(allowedRole + " can read " + url, mainEnforcer.allows(allowedRole, Action.read, url));
+ assertFalse(disallowedRole + " cannot read " + url, mainEnforcer.allows(disallowedRole, Action.read, url));
+ }
+
+ // Write
+ {
+ var url = URI.create("/routing/v1/inactive/tenant/t1/application/a1/instance/i1/environment/prod/region/us-north-1");
+ var allowedRole = Role.applicationAdmin(TenantName.from("t1"), ApplicationName.from("a1"));
+ var disallowedRole = Role.applicationAdmin(TenantName.from("t2"), ApplicationName.from("a2"));
+ assertTrue(allowedRole + " can override status at " + url, mainEnforcer.allows(allowedRole, Action.create, url));
+ assertTrue(allowedRole + " can clear status at " + url, mainEnforcer.allows(allowedRole, Action.delete, url));
+ assertFalse(disallowedRole + " cannot override status at " + url, mainEnforcer.allows(disallowedRole, Action.create, url));
+ assertFalse(disallowedRole + " cannot clear status at " + url, mainEnforcer.allows(disallowedRole, Action.delete, url));
+ }
+ }
+ }
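Review bot: The negative case in the write block changes both tenant and application (`t2`/`a2`), so it is satisfied by the tenant mismatch alone and never exercises the application matcher on the new `/routing/v1/inactive/tenant/{tenant}/application/{application}/...` path; a regression that dropped the application check would still pass this test. Add a same-tenant, other-application admin: `var otherAppRole = Role.applicationAdmin(TenantName.from("t1"), ApplicationName.from("a2"));` with `assertFalse(otherAppRole + " cannot override status at " + url, mainEnforcer.allows(otherAppRole, Action.create, url));` and the matching `Action.delete` case. The read loop has the same shape but is adequate as written, since the status path is a tenant-level `{*}` wildcard. A tenant reader's `Action.create` on the inactive URL is also not asserted; if readers are not meant to override routing status, an `assertFalse` for `Role.reader(TenantName.from("t1"))` would pin that boundary too.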