Merge pull request #13457 from vespa-engine/olaa/hosted-account-athenz-role

Consider hostedAccountant in AthenzRoleFilter
author: Øyvind Grønnesby <oyving@verizonmedia.com> 2020-06-03 12:15:47 +0200
committer: GitHub <noreply@github.com> 2020-06-03 12:15:47 +0200
commit: 790c3bf6985637163e0112764e12e27c8163d54e (patch)
tree: 5a9932340f25132169551968f0aa5bda56901d78 /controller-server/src
parent: 0929684eb4a265bed96c20961a45477b286af032 (diff)
parent: 80800ebb18d08117a493364d64a1362a758cecf7 (diff)
3 files changed, 12 insertions, 3 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
index 5cd14b3fac5..c8cce94d479 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/AthenzFacade.java
@@ -247,6 +247,10 @@ public class AthenzFacade implements AccessControl {
         return hasAccess("callback", new AthenzResourceName(service.getDomain().getName(), "payment-notification-resource").toResourceNameString(), identity);
     }
 
+    public boolean hasAccountingAccess(AthenzIdentity identity) {
+        return hasAccess("modify", new AthenzResourceName(service.getDomain().getName(), "hosted-accounting-resource").toResourceNameString(), identity);
+    }
+
     /**
      * Used when creating tenancies. As there are no tenancy policies at this point,
      * we cannot use {@link #hasTenantAdminAccess(AthenzIdentity, AthenzDomain)}
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
index 25ee95e6d80..b9cf5ca4f4d 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilter.java
@@ -125,6 +125,11 @@ public class AthenzRoleFilter extends JsonSecurityRequestFilterBase {
                 roleMemberships.add(Role.paymentProcessor());
         }));
 
+        futures.add(executor.submit(() -> {
+            if (athenz.hasAccountingAccess(identity))
+                roleMemberships.add(Role.hostedAccountant());
+        }));
+
         // Run last request in handler thread to avoid creating extra thread.
         if (athenz.hasSystemFlagsAccess(identity, /*dryrun*/true))
             roleMemberships.add(Role.systemFlagsDryrunner());
diff --git a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
index 5e50e80b7a7..3da662ee373 100644
--- a/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
+++ b/controller-server/src/test/java/com/yahoo/vespa/hosted/controller/restapi/filter/AthenzRoleFilterTest.java
@@ -70,13 +70,13 @@ public class AthenzRoleFilterTest {
     public void testTranslations() throws Exception {
 
         // Hosted operators are always members of the hostedOperator role.
-        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.paymentProcessor(), Role.hostedSupporter()),
+        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.paymentProcessor(), Role.hostedAccountant(), Role.hostedSupporter()),
                      filter.roles(HOSTED_OPERATOR, NO_CONTEXT_PATH));
 
-        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.paymentProcessor(), Role.hostedSupporter()),
+        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.paymentProcessor(), Role.hostedAccountant(), Role.hostedSupporter()),
                      filter.roles(HOSTED_OPERATOR, TENANT_CONTEXT_PATH));
 
-        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.paymentProcessor(), Role.hostedSupporter()),
+        assertEquals(Set.of(Role.hostedOperator(), Role.systemFlagsDeployer(), Role.systemFlagsDryrunner(), Role.paymentProcessor(), Role.hostedAccountant(), Role.hostedSupporter()),
                      filter.roles(HOSTED_OPERATOR, APPLICATION_CONTEXT_PATH));
 
         // Tenant admins are members of the athenzTenantAdmin role within their tenant subtree.
author	Øyvind Grønnesby <oyving@verizonmedia.com>	2020-06-03 12:15:47 +0200
committer	GitHub <noreply@github.com>	2020-06-03 12:15:47 +0200
commit	790c3bf6985637163e0112764e12e27c8163d54e (patch)
tree	5a9932340f25132169551968f0aa5bda56901d78 /controller-server/src
parent	0929684eb4a265bed96c20961a45477b286af032 (diff)
parent	80800ebb18d08117a493364d64a1362a758cecf7 (diff)