authorValerij Fredriksen <valerijf@verizonmedia.com>2019-12-02 13:52:20 +0100
committerValerij Fredriksen <valerijf@verizonmedia.com>2019-12-02 13:52:20 +0100
commite25eba3551b703b884d9deb5169b090b58188e1a (patch)
tree0cf3e8c58d667a64aae16ef1fa91238504449860 /controller-api
parentc68656dd94e71ec552f9a44d04eb55d99e7cdb5b (diff)
Include changes from #11407
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java7
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java11
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java6
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java2
4 files changed, 18 insertions, 8 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
index a80843ad252..e44038d0185 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/ZmsClientMock.java
@@ -74,6 +74,13 @@ public class ZmsClientMock implements ZmsClient {
}
@Override
+ public void addRoleMember(AthenzRole role, AthenzIdentity member) {
+ if ( ! role.roleName().equals("tenancy.vespa.hosting.admin"))
+ throw new IllegalArgumentException("Mock only supports adding tenant admins, not " + role.roleName());
+ getDomainOrThrow(role.domain(), true).tenantAdmin(member);
+ }
+
+ @Override
public boolean getMembership(AthenzRole role, AthenzIdentity identity) {
if (role.roleName().equals("admin")) {
return getDomainOrThrow(role.domain(), false).admins.contains(identity);
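Review bot: The new addRoleMember accepts only the literal role name "tenancy.vespa.hosting.admin", while getMembership directly below dispatches on "admin"; unless getMembership has a branch for the tenant-admin role further down (outside this hunk), a member added through the new method cannot be read back through the mock, which is the round trip tests will rely on. Hoisting both role names into `private static final String` constants on the mock would make the two methods agree by construction and make any mismatch visible at a glance. The new method also has no Javadoc; a one-liner such as `/** Mock: only supports adding members to the tenant-admin role. */` would document the restriction, and whether the `true` passed to getDomainOrThrow creates a missing domain is not visible here and should be stated if it does. getMembership continues past the end of the hunk.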
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 6e16035156f..95669f7f05d 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -32,8 +32,9 @@ enum PathGroup {
"/provision/v2/{*}",
"/zone/v2/{*}"),
- /** Paths used for creating user tenants. */
- user("/application/v4/user"),
+ /** Paths used for creating and reading user resources. */
+ user("/application/v4/user",
+ "/athenz/v1/{*}"),
/** Paths used for creating tenants with proper access control. */
tenant(Matcher.tenant,
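Review bot: Moving "/athenz/v1/{*}" from classifiedInfo (the last hunk in this file) into the user group widens who can reach it: Policy.user in this commit grants Action.create and Action.update on PathGroup.user, and RoleDefinition.everyone includes Policy.user, so every principal in main, cd and dev gains create/update rights on the whole /athenz/v1 subtree rather than whatever read access the classified* policies presumably gave. If the intent is only to let users read their own Athenz data, the entry should list the specific /athenz/v1 paths that need it instead of the `{*}` wildcard, or the write actions should stay limited to /application/v4/user. The new Javadoc `Paths used for creating and reading user resources.` should also say which resources the Athenz paths expose, since this group is now granted to everyone.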
@@ -95,6 +96,7 @@ enum PathGroup {
"/application/v4/tenant/{tenant}/application/{application}/environment/{environment}/region/{region}/instance/{ignored}/global-rotation/{*}",
"/application/v4/tenant/{tenant}/application/{application}/metering"),
+ // TODO jonmv: remove
/** Path used to restart development nodes. */
developmentRestart(Matcher.tenant,
Matcher.application,
@@ -105,6 +107,7 @@ enum PathGroup {
"/application/v4/tenant/{tenant}/application/{application}/environment/dev/region/{region}/instance/{instance}/restart",
"/application/v4/tenant/{tenant}/application/{application}/environment/perf/region/{region}/instance/{instance}/restart"),
+ // TODO jonmv: remove
/** Path used to restart production nodes. */
productionRestart(Matcher.tenant,
Matcher.application,
@@ -131,6 +134,7 @@ enum PathGroup {
"/application/v4/tenant/{tenant}/application/{application}/environment/perf/region/{region}/instance/{instance}",
"/application/v4/tenant/{tenant}/application/{application}/environment/perf/region/{region}/instance/{instance}/deploy"),
+ // TODO jonmv: remove
/** Paths used for production deployments. */
productionDeployment(Matcher.tenant,
Matcher.application,
@@ -168,8 +172,7 @@ enum PathGroup {
"/application/v4/tenant/"),
/** Paths which contain (not very strictly) classified information about, e.g., customers. */
- classifiedInfo("/athenz/v1/{*}",
- "/cost/v1/{*}",
+ classifiedInfo("/cost/v1/{*}",
"/deployment/v1/{*}",
"/",
"/d/{*}",
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index b1587575909..e27fb0fbf27 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -34,9 +34,9 @@ enum Policy {
.in(SystemName.all())),
/** Access to create a user tenant in select systems. */
- userCreate(Privilege.grant(Action.update)
- .on(PathGroup.user)
- .in(SystemName.main, SystemName.cd, SystemName.dev)),
+ user(Privilege.grant(Action.create, Action.update)
+ .on(PathGroup.user)
+ .in(SystemName.main, SystemName.cd, SystemName.dev)),
/** Access to create a tenant in select systems. */
tenantCreate(Privilege.grant(Action.create)
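Review bot: The Javadoc above the renamed entry still reads `Access to create a user tenant in select systems.`, but the policy now grants Action.create and Action.update on PathGroup.user, which in this commit also covers `/athenz/v1/{*}`, so the comment no longer describes what is granted. Suggest `/** Access to create a user tenant, and to create and update user resources including the Athenz paths, in select systems. */`. Adding Action.create next to the existing update is a privilege widening for RoleDefinition.everyone, and the rename from userCreate to user drops the only hint of scope from the identifier; a sentence in the commit message or the comment explaining why both actions are needed would help the next reader.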
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index 6edce9fe0db..10df7604667 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -24,7 +24,7 @@ public enum RoleDefinition {
everyone(Policy.classifiedRead,
Policy.classifiedApiRead,
Policy.publicRead,
- Policy.userCreate,
+ Policy.user,
Policy.tenantCreate),
/** Application reader which can see all information about an application, its tenant and deployments. */