summaryrefslogtreecommitdiffstats
path: root/controller-api
diff options
context:
space:
mode:
authorValerij Fredriksen <valerijf@verizonmedia.com>2019-10-31 23:44:50 +0100
committerValerij Fredriksen <valerijf@verizonmedia.com>2019-10-31 23:46:22 +0100
commite5f23fcf991a0510d43d199701be6b4c7c50ed23 (patch)
tree4fac17f107b3a1733960c656fa9272e190bccc5b /controller-api
parent232caa29debc866d83ddc31ca46533b81fe4cab0 (diff)
Limit reads under /configserver/v1 to operators
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java10
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java2
2 files changed, 9 insertions, 3 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
index b310bb69765..04ac3f421de 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/PathGroup.java
@@ -19,9 +19,11 @@ import java.util.Set;
*/
enum PathGroup {
+ /** Paths exclusive to operators (including read), used for system management. */
+ classifiedOperator("/configserver/v1/{*}"),
+
/** Paths used for system management by operators. */
- operator("/configserver/v1/{*}",
- "/controller/v1/{*}",
+ operator("/controller/v1/{*}",
"/flags/v1/{*}",
"/nodes/v2/{*}",
"/orchestrator/v1/{*}",
@@ -229,6 +231,10 @@ enum PathGroup {
return EnumSet.allOf(PathGroup.class);
}
+ static Set<PathGroup> allExcept(PathGroup... pathGroups) {
+ return EnumSet.complementOf(EnumSet.copyOf(List.of(pathGroups)));
+ }
+
/** Returns whether this group matches path in given context */
boolean matches(URI uri, Context context) {
return get(uri).map(p -> {
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index db7dd5909b3..e0341d76950 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -115,7 +115,7 @@ enum Policy {
/** Read access to all information in select systems. */
classifiedRead(Privilege.grant(Action.read)
- .on(PathGroup.all())
+ .on(PathGroup.allExcept(PathGroup.classifiedOperator))
.in(SystemName.main, SystemName.cd, SystemName.dev)),
/** Read access to public info. */