authorBjørn Christian Seime <bjorncs@oath.com>2018-02-13 17:21:31 +0100
committerBjørn Christian Seime <bjorncs@oath.com>2018-02-13 17:21:31 +0100
commit7a3d23a264ab4f3c9325b8bd6cff14caf32f1cbb (patch)
tree99ce988f99c5dff97de2b965f876b861b2bd971d /controller-server
parent7ee1cd259c8817d8f9f89fcb4d7741fe54fd24da (diff)
Introduce ZmsClient.hasHostedOperatorAccess()
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsClientImpl.java5
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzDbMock.java12
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java14
3 files changed, 27 insertions, 4 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsClientImpl.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsClientImpl.java
index 8b62a93f8d9..f77e16f67ce 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsClientImpl.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/impl/ZmsClientImpl.java
@@ -102,6 +102,11 @@ public class ZmsClientImpl implements ZmsClient {
return hasAccess(TenantAction._modify_.name(), tenantResourceString(tenantDomain), identity);
}
+ @Override
+ public boolean hasHostedOperatorAccess(AthenzIdentity identity) {
+ return getOrThrow(() -> hasAccess("modify", service.getDomain() + ":hosted-vespa", identity));
+ }
+
/**
* Used when creating tenancies. As there are no tenancy policies at this point,
* we cannot use {@link #hasTenantAdminAccess(AthenzIdentity, AthenzDomain)}
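Review bot: In hasHostedOperatorAccess the action `"modify"` and the resource suffix `":hosted-vespa"` are inline string literals, while the tenant check directly above builds its arguments from `TenantAction._modify_.name()` and `tenantResourceString(...)`. This string pair is the whole authorization decision for operator access, so a typo or a later rename of the policy would only show up as a silent deny. I would lift them into named constants, e.g. `private static final String HOSTED_OPERATOR_RESOURCE = "hosted-vespa";`, and add a Javadoc line stating which Athenz policy in the service domain has to exist for this check to return true. The new method also wraps the call in `getOrThrow` where the line above calls `hasAccess` directly; whether both are needed depends on hasAccess, which lies outside the hunk.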
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzDbMock.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzDbMock.java
index 0524cf18568..0a360184da9 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzDbMock.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/AthenzDbMock.java
@@ -1,13 +1,15 @@
// Copyright 2017 Yahoo Holdings. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.controller.athenz.mock;
-import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId;
import com.yahoo.vespa.athenz.api.AthenzDomain;
-import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
import com.yahoo.vespa.athenz.api.AthenzIdentity;
+import com.yahoo.vespa.hosted.controller.api.identifiers.ApplicationId;
+import com.yahoo.vespa.hosted.controller.api.integration.athenz.ApplicationAction;
+import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
+import java.util.List;
import java.util.Map;
import java.util.Set;
@@ -17,12 +19,18 @@ import java.util.Set;
public class AthenzDbMock {
public final Map<AthenzDomain, Domain> domains = new HashMap<>();
+ public final List<AthenzIdentity> hostedOperators = new ArrayList<>();
public AthenzDbMock addDomain(Domain domain) {
domains.put(domain.name, domain);
return this;
}
+ public AthenzDbMock addHostedOperator(AthenzIdentity athenzIdentity) {
+ hostedOperators.add(athenzIdentity);
+ return this;
+ }
+
public static class Domain {
public final AthenzDomain name;
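Review bot: `hostedOperators` is a public mutable `ArrayList` that is only ever queried with `contains`, so adding the same identity twice leaves duplicates and removing an operator in a test needs a loop. The file already imports `HashSet`/`Set`, so `public final Set<AthenzIdentity> hostedOperators = new HashSet<>();` would express the membership semantics and make the two new imports unnecessary. This assumes AthenzIdentity implements hashCode consistently with equals, which is not visible here.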
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java
index ba8bfc2405e..3ee2655108a 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/athenz/mock/ZmsClientMock.java
@@ -68,17 +68,23 @@ public class ZmsClientMock implements ZmsClient {
if (application == null) {
throw zmsException(400, "Application '%s' not found", applicationName);
}
- return domain.admins.contains(identity) || application.acl.get(action).contains(identity);
+ return isHostedOperator(identity) || domain.admins.contains(identity) || application.acl.get(action).contains(identity);
}
@Override
public boolean hasTenantAdminAccess(AthenzIdentity identity, AthenzDomain tenantDomain) {
log("hasTenantAdminAccess(principal='%s', tenantDomain='%s')", identity, tenantDomain);
- return isDomainAdmin(identity, tenantDomain) ||
+ return isHostedOperator(identity) || isDomainAdmin(identity, tenantDomain) ||
getDomainOrThrow(tenantDomain, true).tenantAdmins.contains(identity);
}
@Override
+ public boolean hasHostedOperatorAccess(AthenzIdentity identity) {
+ log("hasHostedOperatorAccess(identity='%s')", identity);
+ return isHostedOperator(identity);
+ }
+
+ @Override
public boolean isDomainAdmin(AthenzIdentity identity, AthenzDomain domain) {
log("isDomainAdmin(principal='%s', domain='%s')", identity, domain);
return getDomainOrThrow(domain, false).admins.contains(identity);
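Review bot: In hasTenantAdminAccess the new `isHostedOperator(identity) ||` comes first, so for an operator the mock returns true without ever reaching `getDomainOrThrow`, even for a tenant domain that was never added to the mock. In the application-access change above, the operator check sits after the application-not-found throw, so the two paths disagree on whether a missing resource is reported to operators. Putting the operator check last, `return isDomainAdmin(identity, tenantDomain) || getDomainOrThrow(tenantDomain, true).tenantAdmins.contains(identity) || isHostedOperator(identity);`, would keep the lookup error for everyone. Separately, the ZmsClientImpl hunk in this commit adds no matching operator bypass to the real tenant check, so tests against this mock can pass for operators where production depends entirely on the Athenz policies; a comment on `isHostedOperator` saying which policy it stands in for would make that assumption explicit. The body of the application-access method starts outside the hunk.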
@@ -109,6 +115,10 @@ public class ZmsClientMock implements ZmsClient {
return domain;
}
+ private boolean isHostedOperator(AthenzIdentity identity) {
+ return athenz.hostedOperators.contains(identity);
+ }
+
private static ZmsException zmsException(int code, String message, Object... args) {
return new ZmsException(code, String.format(message, args));
}