author | Valerij Fredriksen <valerijf@verizonmedia.com> | 2019-10-31 23:44:50 +0100 |
committer | Valerij Fredriksen <valerijf@verizonmedia.com> | 2019-10-31 23:46:22 +0100 |
commit | e5f23fcf991a0510d43d199701be6b4c7c50ed23 (patch) | |
tree | 4fac17f107b3a1733960c656fa9272e190bccc5b /controller-api | |
parent | 232caa29debc866d83ddc31ca46533b81fe4cab0 (diff) |
Limit reads under /configserver/v1 to operators
Diffstat (limited to 'controller-api')
-rw-r--r-- | controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java | 10 | ||||
-rw-r--r-- | controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java | 2 |
2 files changed, 9 insertions, 3 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index b310bb69765..04ac3f421de 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -19,9 +19,11 @@ import java.util.Set;
  */
 enum PathGroup {
 
+ /** Paths exclusive to operators (including read), used for system management. */
+ classifiedOperator("/configserver/v1/{*}"),
+
 /** Paths used for system management by operators. */
- operator("/configserver/v1/{*}",
- "/controller/v1/{*}",
+ operator("/controller/v1/{*}",
 "/flags/v1/{*}",
 "/nodes/v2/{*}",
 "/orchestrator/v1/{*}",
@@ -229,6 +231,10 @@ enum PathGroup {
 return EnumSet.allOf(PathGroup.class);
 }
 
+ static Set<PathGroup> allExcept(PathGroup... pathGroups) {
+ return EnumSet.complementOf(EnumSet.copyOf(List.of(pathGroups)));
+ }
+
 /** Returns whether this group matches path in given context */
 boolean matches(URI uri, Context context) {
 return get(uri).map(p -> {
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index db7dd5909b3..e0341d76950 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -115,7 +115,7 @@ enum Policy {
 
 /** Read access to all information in select systems. */
 classifiedRead(Privilege.grant(Action.read)
- .on(PathGroup.all())
+ .on(PathGroup.allExcept(PathGroup.classifiedOperator))
 .in(SystemName.main, SystemName.cd, SystemName.dev)),
 
 /** Read access to public info. */ |
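Review bot: Moving `/configserver/v1/{*}` out of `operator` into the new `classifiedOperator` constant means any policy that grants on `PathGroup.operator` by name no longer reaches the configserver paths, and the diffstat shows Policy.java changed by a single line (`classifiedRead`), so unless the operator policy grants on `PathGroup.all()` the operators this commit intends to keep will lose access — worth confirming against the rest of Policy.java, which is outside this hunk. The new constant's comment promises exclusivity, but nothing in the enum enforces it; only policies do, so I would state that in the doc: `/** Paths that only operator roles may access, even for reads; no non-operator policy may grant on this group. */`. The `PathGroup` enum continues past the end of the hunk.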
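Review bot: `allExcept` throws `IllegalArgumentException` when called with no arguments, because `EnumSet.copyOf` rejects an empty collection that is not itself an `EnumSet`, and `List.of` rejects a null element; a varargs method should tolerate the empty case. Building the complement explicitly avoids both: `Set<PathGroup> remaining = EnumSet.allOf(PathGroup.class);` / `remaining.removeAll(List.of(pathGroups));` / `return remaining;`. The method also lacks the Javadoc its sibling `all()` presumably carries; `/** Returns all path groups except the given ones. */` would do.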
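Review bot: The comment above `classifiedRead` still says "Read access to all information in select systems", which is no longer true now that `classifiedOperator` is excluded; since these comments are what a reviewer of a future policy change reads, update it to `/** Read access to all information except operator-only paths, in select systems. */`. Note that other policies in this enum that grant on `PathGroup.all()` (if any) are unaffected by this change and would still expose `/configserver/v1`; the rest of `Policy` lies outside the hunk, so that needs checking there.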