Remove unused tenantPipeline role

author: Martin Polden <mpolden@mpolden.no> 2020-03-05 14:06:37 +0100
committer: Martin Polden <mpolden@mpolden.no> 2020-03-05 14:06:37 +0100
commit: d06aa3e0bfa0eedde1b8b937d9ca4953add6159f (patch)
tree: bf62d2664ba3c261042b5e655763138e9eb36f8d /controller-api
parent: 55dd5a7e8db0cbb79802fdf8b059e8c75b6280f9 (diff)
6 files changed, 11 insertions, 47 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 4c91238453a..4dbb16c48d5 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -211,18 +211,10 @@ enum PathGroup {
         this(List.of(), prefix, List.of(pathSpecs));
     }
 
-    PathGroup(Matcher first, String... pathSpecs) {
-        this(List.of(first), Optional.empty(), List.of(pathSpecs));
-    }
-
     PathGroup(Matcher first, Optional<String> prefix, String... pathSpecs) {
         this(List.of(first), prefix, List.of(pathSpecs));
     }
 
-    PathGroup(Matcher first, Matcher second, String... pathSpecs) {
-        this(List.of(first, second), Optional.empty(), List.of(pathSpecs));
-    }
-
     PathGroup(Matcher first, Matcher second, Optional<String> prefix, String... pathSpecs) {
         this(List.of(first, second), prefix, List.of(pathSpecs));
     }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 0e8e3a13f9f..c3705a31517 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -10,9 +10,11 @@ import java.util.Set;
 
 /**
  * Policies for REST APIs in the controller. A policy is only considered when defined in a {@link Role}.
- * A policy describes a set of {@link Privilege}s, which are valid for a set of {@link SystemName}s.
- * A policy is evaluated by an {@link Enforcer}, which holds the {@link SystemName} the evaluation is done in.
- * A policy is evaluated with a {@link Context}, which may limit it to a specific {@link TenantName} or {@link ApplicationName}.
+ *
+ * - A policy describes a set of {@link Privilege}s, which are valid for a set of {@link SystemName}s.
+ * - A policy is evaluated by an {@link Enforcer}, which holds the {@link SystemName} the evaluation is done in.
+ * - A policy is evaluated in a {@link Context}, which may limit it to a specific {@link TenantName} or
+ *   {@link ApplicationName}.
  *
  * @author mpolden
  */
@@ -25,8 +27,8 @@ enum Policy {
 
     /** Full access to everything. */
     supporter(Privilege.grant(Action.read)
-                     .on(PathGroup.all())
-                     .in(SystemName.all())),
+                       .on(PathGroup.all())
+                       .in(SystemName.all())),
 
     /** Full access to user management for a tenant in select systems. */
     tenantManager(Privilege.grant(Action.all())
@@ -98,11 +100,6 @@ enum Policy {
                                    .on(PathGroup.developmentDeployment, PathGroup.developmentRestart)
                                    .in(SystemName.all())),
 
-    /** Full access to application production deployments. */
-    productionDeployment(Privilege.grant(Action.all())
-                                  .on(PathGroup.productionDeployment)
-                                  .in(SystemName.all())),
-
     /** Read access to all application deployments. */
     deploymentRead(Privilege.grant(Action.read)
                             .on(PathGroup.developmentDeployment, PathGroup.productionDeployment)
@@ -113,11 +110,6 @@ enum Policy {
                         .on(PathGroup.submission)
                         .in(SystemName.all())),
 
-    /** Full access to the additional tasks needed for continuous deployment. */
-    deploymentPipeline(Privilege.grant(Action.all()) // TODO remove when everyone is on new pipeline.
-                                .on(PathGroup.buildService, PathGroup.productionRestart)
-                                .in(SystemName.all())),
-
     /** Read access to all information in select systems. */
     classifiedRead(Privilege.grant(Action.read)
                             .on(PathGroup.allExcept(PathGroup.classifiedOperator))
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
index beeb340647c..532088e94aa 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
@@ -42,11 +42,6 @@ public abstract class Role {
         return new TenantRole(RoleDefinition.athenzTenantAdmin, tenant);
     }
 
-    /** Returns a {@link RoleDefinition#tenantPipeline} for the current system and given tenant and application. */
-    public static ApplicationRole tenantPipeline(TenantName tenant, ApplicationName application) {
-        return new ApplicationRole(RoleDefinition.tenantPipeline, tenant, application);
-    }
-
     /** Returns a {@link RoleDefinition#reader} for the current system and given tenant. */
     public static TenantRole reader(TenantName tenant) {
         return new TenantRole(RoleDefinition.reader, tenant);
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index a350cb002b3..af4511b6eae 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -61,12 +61,6 @@ public enum RoleDefinition {
     /** Headless — the application specific role identified by deployment keys for production */
     headless(Policy.submission),
 
-    /** Build and continuous delivery service. */ // TODO replace with buildService, when everyone is on new pipeline.
-    tenantPipeline(everyone,
-                   Policy.submission,
-                   Policy.deploymentPipeline,
-                   Policy.productionDeployment),
-
     /** Tenant administrator with full access to all child resources. */
     athenzTenantAdmin(everyone,
                       Policy.tenantRead,
@@ -90,12 +84,8 @@ public enum RoleDefinition {
         this(Set.of(), policies);
     }
 
-    RoleDefinition(RoleDefinition first, Policy... policies) {
-        this(Set.of(first), policies);
-    }
-
-    RoleDefinition(RoleDefinition first, RoleDefinition second, Policy... policies) {
-        this(Set.of(first, second), policies);
+    RoleDefinition(RoleDefinition parent, Policy... policies) {
+        this(Set.of(parent), policies);
     }
 
     RoleDefinition(Set<RoleDefinition> parents, Policy... policies) {
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java
index 2e7308e41e1..636825573f1 100644
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java
+++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java
@@ -46,11 +46,6 @@ public class RolesTest {
     }
 
     @Test(expected = IllegalArgumentException.class)
-    public void illegalRole() {
-        Roles.valueOf(Role.tenantPipeline(TenantName.from("my-tenant"), ApplicationName.from("my-app")));
-    }
-
-    @Test(expected = IllegalArgumentException.class)
     public void illegalRoleValue() {
         Roles.toRole("my-tenant.awesomePerson");
     }
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
index f78ae24df9e..52e0f3c8a8e 100644
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
+++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
@@ -73,10 +73,10 @@ public class RoleTest {
 
     @Test
     public void build_service_membership() {
-        Role role = Role.tenantPipeline(TenantName.from("t1"), ApplicationName.from("a1"));
+        Role role = Role.buildService(TenantName.from("t1"), ApplicationName.from("a1"));
         assertFalse(publicEnforcer.allows(role, Action.create, URI.create("/not/explicitly/defined")));
         assertFalse(publicEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t1/application/a1")));
-        assertTrue(publicEnforcer.allows(role, Action.create, URI.create("/application/v4/tenant/t1/application/a1/jobreport")));
+        assertTrue(publicEnforcer.allows(role, Action.create, URI.create("/application/v4/tenant/t1/application/a1/submit")));
         assertFalse("No global read access", publicEnforcer.allows(role, Action.read, URI.create("/controller/v1/foo")));
     }
author	Martin Polden <mpolden@mpolden.no>	2020-03-05 14:06:37 +0100
committer	Martin Polden <mpolden@mpolden.no>	2020-03-05 14:06:37 +0100
commit	d06aa3e0bfa0eedde1b8b937d9ca4953add6159f (patch)
tree	bf62d2664ba3c261042b5e655763138e9eb36f8d /controller-api
parent	55dd5a7e8db0cbb79802fdf8b059e8c75b6280f9 (diff)