diff options
author | Martin Polden <mpolden@mpolden.no> | 2020-03-05 14:06:37 +0100 |
---|---|---|
committer | Martin Polden <mpolden@mpolden.no> | 2020-03-05 14:06:37 +0100 |
commit | d06aa3e0bfa0eedde1b8b937d9ca4953add6159f (patch) | |
tree | bf62d2664ba3c261042b5e655763138e9eb36f8d /controller-api | |
parent | 55dd5a7e8db0cbb79802fdf8b059e8c75b6280f9 (diff) |
Remove unused tenantPipeline role
Diffstat (limited to 'controller-api')
6 files changed, 11 insertions, 47 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java index 4c91238453a..4dbb16c48d5 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java @@ -211,18 +211,10 @@ enum PathGroup { this(List.of(), prefix, List.of(pathSpecs)); } - PathGroup(Matcher first, String... pathSpecs) { - this(List.of(first), Optional.empty(), List.of(pathSpecs)); - } - PathGroup(Matcher first, Optional<String> prefix, String... pathSpecs) { this(List.of(first), prefix, List.of(pathSpecs)); } - PathGroup(Matcher first, Matcher second, String... pathSpecs) { - this(List.of(first, second), Optional.empty(), List.of(pathSpecs)); - } - PathGroup(Matcher first, Matcher second, Optional<String> prefix, String... pathSpecs) { this(List.of(first, second), prefix, List.of(pathSpecs)); } diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java index 0e8e3a13f9f..c3705a31517 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java @@ -10,9 +10,11 @@ import java.util.Set; /** * Policies for REST APIs in the controller. A policy is only considered when defined in a {@link Role}. - * A policy describes a set of {@link Privilege}s, which are valid for a set of {@link SystemName}s. - * A policy is evaluated by an {@link Enforcer}, which holds the {@link SystemName} the evaluation is done in. - * A policy is evaluated with a {@link Context}, which may limit it to a specific {@link TenantName} or {@link ApplicationName}. + * + * - A policy describes a set of {@link Privilege}s, which are valid for a set of {@link SystemName}s. + * - A policy is evaluated by an {@link Enforcer}, which holds the {@link SystemName} the evaluation is done in. + * - A policy is evaluated in a {@link Context}, which may limit it to a specific {@link TenantName} or + * {@link ApplicationName}. * * @author mpolden */ @@ -25,8 +27,8 @@ enum Policy { /** Full access to everything. */ supporter(Privilege.grant(Action.read) - .on(PathGroup.all()) - .in(SystemName.all())), + .on(PathGroup.all()) + .in(SystemName.all())), /** Full access to user management for a tenant in select systems. */ tenantManager(Privilege.grant(Action.all()) @@ -98,11 +100,6 @@ enum Policy { .on(PathGroup.developmentDeployment, PathGroup.developmentRestart) .in(SystemName.all())), - /** Full access to application production deployments. */ - productionDeployment(Privilege.grant(Action.all()) - .on(PathGroup.productionDeployment) - .in(SystemName.all())), - /** Read access to all application deployments. */ deploymentRead(Privilege.grant(Action.read) .on(PathGroup.developmentDeployment, PathGroup.productionDeployment) @@ -113,11 +110,6 @@ enum Policy { .on(PathGroup.submission) .in(SystemName.all())), - /** Full access to the additional tasks needed for continuous deployment. */ - deploymentPipeline(Privilege.grant(Action.all()) // TODO remove when everyone is on new pipeline. - .on(PathGroup.buildService, PathGroup.productionRestart) - .in(SystemName.all())), - /** Read access to all information in select systems. */ classifiedRead(Privilege.grant(Action.read) .on(PathGroup.allExcept(PathGroup.classifiedOperator)) diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java index beeb340647c..532088e94aa 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java @@ -42,11 +42,6 @@ public abstract class Role { return new TenantRole(RoleDefinition.athenzTenantAdmin, tenant); } - /** Returns a {@link RoleDefinition#tenantPipeline} for the current system and given tenant and application. */ - public static ApplicationRole tenantPipeline(TenantName tenant, ApplicationName application) { - return new ApplicationRole(RoleDefinition.tenantPipeline, tenant, application); - } - /** Returns a {@link RoleDefinition#reader} for the current system and given tenant. */ public static TenantRole reader(TenantName tenant) { return new TenantRole(RoleDefinition.reader, tenant); diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java index a350cb002b3..af4511b6eae 100644 --- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java +++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java @@ -61,12 +61,6 @@ public enum RoleDefinition { /** Headless — the application specific role identified by deployment keys for production */ headless(Policy.submission), - /** Build and continuous delivery service. */ // TODO replace with buildService, when everyone is on new pipeline. - tenantPipeline(everyone, - Policy.submission, - Policy.deploymentPipeline, - Policy.productionDeployment), - /** Tenant administrator with full access to all child resources. */ athenzTenantAdmin(everyone, Policy.tenantRead, @@ -90,12 +84,8 @@ public enum RoleDefinition { this(Set.of(), policies); } - RoleDefinition(RoleDefinition first, Policy... policies) { - this(Set.of(first), policies); - } - - RoleDefinition(RoleDefinition first, RoleDefinition second, Policy... policies) { - this(Set.of(first, second), policies); + RoleDefinition(RoleDefinition parent, Policy... policies) { + this(Set.of(parent), policies); } RoleDefinition(Set<RoleDefinition> parents, Policy... policies) { diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java index 2e7308e41e1..636825573f1 100644 --- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java +++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/integration/user/RolesTest.java @@ -46,11 +46,6 @@ public class RolesTest { } @Test(expected = IllegalArgumentException.class) - public void illegalRole() { - Roles.valueOf(Role.tenantPipeline(TenantName.from("my-tenant"), ApplicationName.from("my-app"))); - } - - @Test(expected = IllegalArgumentException.class) public void illegalRoleValue() { Roles.toRole("my-tenant.awesomePerson"); } diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java index f78ae24df9e..52e0f3c8a8e 100644 --- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java +++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java @@ -73,10 +73,10 @@ public class RoleTest { @Test public void build_service_membership() { - Role role = Role.tenantPipeline(TenantName.from("t1"), ApplicationName.from("a1")); + Role role = Role.buildService(TenantName.from("t1"), ApplicationName.from("a1")); assertFalse(publicEnforcer.allows(role, Action.create, URI.create("/not/explicitly/defined"))); assertFalse(publicEnforcer.allows(role, Action.update, URI.create("/application/v4/tenant/t1/application/a1"))); - assertTrue(publicEnforcer.allows(role, Action.create, URI.create("/application/v4/tenant/t1/application/a1/jobreport"))); + assertTrue(publicEnforcer.allows(role, Action.create, URI.create("/application/v4/tenant/t1/application/a1/submit"))); assertFalse("No global read access", publicEnforcer.allows(role, Action.read, URI.create("/controller/v1/foo"))); } |