author | Ola Aunrønning <olaa@verizonmedia.com> | 2021-03-01 12:33:52 +0100 |
---|---|---|
committer | Ola Aunrønning <olaa@verizonmedia.com> | 2021-03-01 12:33:52 +0100 |
commit | cfbe4fbe1b5978a501334140904e58c2c332ed03 (patch) | |
tree | 970c5f2881f5aa51ed5765f0e54741707e2ab69a /controller-api | |
parent | 244acd815bb018dc3138a7566fbc71bd30a4f18c (diff) |
Add separate secret store path group
Diffstat (limited to 'controller-api')
3 files changed, 12 insertions, 4 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java index 2a8dc34ea72..f5753e4eb5c 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java @@ -58,7 +58,6 @@ enum PathGroup { tenantInfo(Matcher.tenant, PathPrefix.api, "/application/v4/tenant/{tenant}/application/", - "/application/v4/tenant/{tenant}/secret-store/", "/application/v4/tenant/{tenant}/info/", "/routing/v1/status/tenant/{tenant}/{*}"), @@ -244,7 +243,10 @@ enum PathGroup { "/billing/v1/billing"), /** Path used for listing endpoint certificate request info */ - endpointCertificateRequestInfo(PathPrefix.none, "/certificateRequests/"); + endpointCertificateRequestInfo(PathPrefix.none, "/certificateRequests/"), + + /** Path used for secret store management */ + secretStore(Matcher.tenant, PathPrefix.api, "/application/v4/tenant/{tenant}/secret-store/{*}"); final List<String> pathSpecs; final PathPrefix prefix; diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java index 12bae955c20..ecf3d29bc1a 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java 
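Review bot: The new `secretStore` spec `/application/v4/tenant/{tenant}/secret-store/{*}` is not the same pattern as the entry removed from `tenantInfo` in the first hunk, which was the bare `/application/v4/tenant/{tenant}/secret-store/` with no wildcard. Whether `{*}` also matches the bare collection path depends on the path matcher, which is not visible here; if it does not, requests to that path would fall into no path group after this commit. Any policy that grants on `PathGroup.tenantInfo` also stops covering secret-store paths, so a test that pins both the bare and a nested path to `PathGroup.secretStore` would make the move explicit. The Javadoc could record the intent, e.g. `/** Paths used for tenant secret store management; kept apart from tenantInfo so access can be granted separately */`.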
@@ -186,7 +186,12 @@ enum Policy { /** Listing endpoint certificate request info */ endpointCertificateRequestInfo(Privilege.grant(Action.read) .on(PathGroup.endpointCertificateRequestInfo) - .in(SystemName.all())); + .in(SystemName.all())), + + /** Secret store operations */ + secretStoreOperations(Privilege.grant(Action.all()) + .on(PathGroup.secretStore) + .in(SystemName.PublicCd, SystemName.Public)); private final Set<Privilege> privileges; diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java index 85db447dfbd..3b861c607b1 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java @@ -68,7 +68,8 @@ public enum RoleDefinition { Policy.paymentInstrumentDelete, Policy.paymentInstrumentCreate, Policy.planUpdate, - Policy.billingInformationRead), + Policy.billingInformationRead, + Policy.secretStoreOperations), /** Headless — the application specific role identified by deployment keys for production */ headless(Policy.submission), |
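Review bot: `secretStoreOperations` grants `Action.all()` on `PathGroup.secretStore`, so whichever role holds this policy gets every action on secret store configuration through one grant, and no narrower read-only policy is added alongside it. If listing is meant to be available to more roles than mutation, splitting this into a read policy and a write policy would follow the neighbouring `Privilege.grant(Action.read)` entry. The grant is limited to `SystemName.PublicCd` and `SystemName.Public`, while the path was removed from `tenantInfo` for every system; that is presumably intended, but worth stating in the Javadoc, e.g. `/** Full access to tenant secret store configuration; public systems only */`.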
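Review bot: `Policy.secretStoreOperations` is added to a single role whose name lies above this hunk, next to the payment and billing policies, so within the visible changes that role is the only one given access to the secret-store paths. A role test that asserts this role is allowed and the other tenant roles are denied on `/application/v4/tenant/{tenant}/secret-store/` would pin the narrowing against later edits to `PathGroup` or `Policy`. The diffstat shown is limited to `controller-api`, so such a test may already exist outside this view.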