authorOla Aunrønning <olaa@verizonmedia.com>2021-03-01 12:33:52 +0100
committerOla Aunrønning <olaa@verizonmedia.com>2021-03-01 12:33:52 +0100
commitcfbe4fbe1b5978a501334140904e58c2c332ed03 (patch)
tree970c5f2881f5aa51ed5765f0e54741707e2ab69a /controller-api
parent244acd815bb018dc3138a7566fbc71bd30a4f18c (diff)
Add separate secret store path group
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java6
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java7
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java3
3 files changed, 12 insertions, 4 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 2a8dc34ea72..f5753e4eb5c 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -58,7 +58,6 @@ enum PathGroup {
tenantInfo(Matcher.tenant,
PathPrefix.api,
"/application/v4/tenant/{tenant}/application/",
- "/application/v4/tenant/{tenant}/secret-store/",
"/application/v4/tenant/{tenant}/info/",
"/routing/v1/status/tenant/{tenant}/{*}"),
@@ -244,7 +243,10 @@ enum PathGroup {
"/billing/v1/billing"),
/** Path used for listing endpoint certificate request info */
- endpointCertificateRequestInfo(PathPrefix.none, "/certificateRequests/");
+ endpointCertificateRequestInfo(PathPrefix.none, "/certificateRequests/"),
+
+ /** Path used for secret store management */
+ secretStore(Matcher.tenant, PathPrefix.api, "/application/v4/tenant/{tenant}/secret-store/{*}");
final List<String> pathSpecs;
final PathPrefix prefix;
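Review bot: The new `secretStore` spec ends in `{*}`, whereas the entry removed from `tenantInfo` stopped at `secret-store/`, and the Javadoc on the constant does not say that the group covers every sub-path under a tenant's secret store. Because the policy attached to this group in Policy.java grants all actions, the breadth of the match is the security-relevant detail, and I would spell it out: `/** Paths for secret store management: every resource below a tenant's secret-store path */`. If any policy outside this diff is defined over all path groups, or over a complement of some, the new constant would presumably fall under it as well, so that is worth confirming. The enum body continues outside the hunk.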
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 12bae955c20..ecf3d29bc1a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -186,7 +186,12 @@ enum Policy {
/** Listing endpoint certificate request info */
endpointCertificateRequestInfo(Privilege.grant(Action.read)
.on(PathGroup.endpointCertificateRequestInfo)
- .in(SystemName.all()));
+ .in(SystemName.all())),
+
+ /** Secret store operations */
+ secretStoreOperations(Privilege.grant(Action.all())
+ .on(PathGroup.secretStore)
+ .in(SystemName.PublicCd, SystemName.Public));
private final Set<Privilege> privileges;
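Review bot: `secretStoreOperations` is granted with `Action.all()`, so a single policy bundles reading secret store configuration with every modifying action, and no narrower policy exists for a role that only needs to view it. Consider a separate read policy, `Privilege.grant(Action.read).on(PathGroup.secretStore)`, next to the full one, so visibility can be given without the ability to change the configuration. At minimum the Javadoc should state the scope instead of just "Secret store operations", for example `/** Full access (all actions) to a tenant's secret store paths; public systems only */`. The enum body continues outside the hunk.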
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index 85db447dfbd..3b861c607b1 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -68,7 +68,8 @@ public enum RoleDefinition {
Policy.paymentInstrumentDelete,
Policy.paymentInstrumentCreate,
Policy.planUpdate,
- Policy.billingInformationRead),
+ Policy.billingInformationRead,
+ Policy.secretStoreOperations),
/** Headless — the application specific role identified by deployment keys for production */
headless(Policy.submission),
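Review bot: The role that receives `Policy.secretStoreOperations` is named above this hunk, so the change cannot be checked against its intended holder from here. With the path removed from `tenantInfo` in PathGroup.java, any role that previously reached `/secret-store/` through that group now loses access, reads included. That looks intended, but nothing in the part of the commit shown here pins it down. A role test would do so: assert that the receiving role is allowed, and that the other tenant roles and `headless` are denied, on a `/application/v4/tenant/{tenant}/secret-store/` path. That would keep a later policy edit from silently widening access.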