authorBjørn Christian Seime <bjorncs@verizonmedia.com>2019-11-08 14:22:13 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2019-11-08 14:22:13 +0100
commit0d0e4c109ab23e9db7185ffe690dcab325ac072a (patch)
treebeb83743ea810f4d9eab72ea0be4f13f35e0ecea /controller-api
parent1e44092efcff240afc7c57948dd1d4bad28a2a04 (diff)
Define access control '/system-flags/v1' dry-run
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java6
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java11
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java3
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java4
-rw-r--r--controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java15
5 files changed, 30 insertions, 9 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index 9db896bbb88..bf89d072b75 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -181,7 +181,11 @@ enum PathGroup {
"/zone/v1/{*}"),
/** Paths used for deploying system-wide feature flags. */
- systemFlags("/system-flags/v1/{*}");
+ systemFlagsDeploy("/system-flags/v1/deploy"),
+
+
+ /** Paths used for "dry-running" system-wide feature flags. */
+ systemFlagsDryrun("/system-flags/v1/dryrun");
final List<String> pathSpecs;
final String prefix;
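Review bot: Replacing `/system-flags/v1/{*}` with the two literal specs leaves every other path under `/system-flags/v1/` outside the system-flags path groups, and nothing in the hunk says whether that is intended. How an unmatched path is treated is decided by the enforcer, which is not visible here, so I would record the intent in the Javadoc, e.g. `/** Exact path for deploying system-wide feature flags; other paths under /system-flags/v1 are deliberately not covered. */`. The two consecutive blank lines before the dry-run constant can be reduced to one. The enum body continues outside the hunk.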
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index 51f29626acf..074d3ef7e95 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -123,9 +123,14 @@ enum Policy {
.on(PathGroup.publicInfo)
.in(SystemName.all())),
- /** Access to /system-flags/v1. */
- systemFlagsDeployment(Privilege.grant(Action.all())
- .on(PathGroup.systemFlags)
+ /** Access to /system-flags/v1/deploy. */
+ systemFlagsDeploy(Privilege.grant(Action.update)
+ .on(PathGroup.systemFlagsDeploy)
+ .in(SystemName.all())),
+
+ /** Access to /system-flags/v1/dryrun. */
+ systemFlagsDryrun(Privilege.grant(Action.update)
+ .on(PathGroup.systemFlagsDryrun)
.in(SystemName.all()));
private final Set<Privilege> privileges;
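Review bot: The Javadoc on `systemFlagsDeploy` and `systemFlagsDryrun` says "Access to …", but the grant on each is `Action.update` only, so a reader skimming the policy list will overestimate what these policies allow. I would state the action in the comment, e.g. `/** Update-only access to /system-flags/v1/deploy. */` and `/** Update-only access to /system-flags/v1/dryrun. */`. It is also worth a short why-comment on the dry-run policy explaining that a dry run is requested with the update action, since that is not obvious from the name. The enum continues outside the hunk.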
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
index e1497bd686e..b53cf9162e7 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Role.java
@@ -111,6 +111,9 @@ public abstract class Role {
/** Returns the role for system flag deployer */
public static UnboundRole systemFlagsDeployer() { return new UnboundRole(RoleDefinition.systemFlagsDeployer); }
+ /** Returns the role for system flag dryrun */
+ public static UnboundRole systemFlagsDryrunner() { return new UnboundRole(RoleDefinition.systemFlagsDryrunner); }
+
/** Returns the role definition of this bound role. */
public RoleDefinition definition() { return roleDefinition; }
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index a261f5c7e8f..67efdc3017d 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -115,7 +115,9 @@ public enum RoleDefinition {
Policy.keyManagement,
Policy.developmentDeployment),
- systemFlagsDeployer(hostedOperator, Policy.systemFlagsDeployment);
+ systemFlagsDeployer(Policy.systemFlagsDeploy, Policy.systemFlagsDryrun),
+
+ systemFlagsDryrunner(Policy.systemFlagsDryrun);
private final Set<RoleDefinition> parents;
private final Set<Policy> policies;
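Review bot: `systemFlagsDeployer` loses `hostedOperator` as its first argument, which, judging by the `parents` field below, presumably means the role stops inheriting the operator's policies. That is a wider change in privilege than the commit title describes, and neither constant carries a Javadoc that records it. I would document both, e.g. `/** Deploys and dry-runs system-wide feature flags; inherits from no other role. */` on `systemFlagsDeployer` and `/** May only dry-run system-wide feature flags. */` on `systemFlagsDryrunner`. The constructor that interprets these arguments is outside the hunk, so the inheritance reading should be confirmed against it.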
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
index 6dd815f4f51..d153e218640 100644
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
+++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
@@ -129,10 +129,17 @@ public class RoleTest {
@Test
public void system_flags() {
- URI uri = URI.create("/system-flags/v1/deploy");
+ URI deployUri = URI.create("/system-flags/v1/deploy");
Action action = Action.update;
- assertTrue(mainEnforcer.allows(Role.systemFlagsDeployer(), action, uri));
- assertTrue(mainEnforcer.allows(Role.hostedOperator(), action, uri));
- assertFalse(mainEnforcer.allows(Role.everyone(), action, uri));
+ assertTrue(mainEnforcer.allows(Role.systemFlagsDeployer(), action, deployUri));
+ assertTrue(mainEnforcer.allows(Role.hostedOperator(), action, deployUri));
+ assertFalse(mainEnforcer.allows(Role.systemFlagsDryrunner(), action, deployUri));
+ assertFalse(mainEnforcer.allows(Role.everyone(), action, deployUri));
+
+ URI dryrunUri = URI.create("/system-flags/v1/dryrun");
+ assertTrue(mainEnforcer.allows(Role.systemFlagsDeployer(), action, dryrunUri));
+ assertTrue(mainEnforcer.allows(Role.hostedOperator(), action, dryrunUri));
+ assertTrue(mainEnforcer.allows(Role.systemFlagsDryrunner(), action, dryrunUri));
+ assertFalse(mainEnforcer.allows(Role.everyone(), action, dryrunUri));
}
}
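Review bot: `system_flags()` only exercises `Action.update` on the two flag URIs, so it does not pin the two restrictions this commit introduces: the policies now grant update only, and `systemFlagsDeployer` no longer lists `hostedOperator`. A negative assertion for another action would cover the first, e.g. `assertFalse(mainEnforcer.allows(Role.systemFlagsDeployer(), Action.read, deployUri));`, with the same check for `Role.systemFlagsDryrunner()` on `dryrunUri`. For the second, add an `assertFalse` for `Role.systemFlagsDeployer()` on a path that only the operator role is expected to reach, so a later re-introduction of the parent role fails the test.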