authorJon Marius Venstad <jvenstad@yahoo-inc.com>2019-04-03 09:47:20 +0200
committerJon Marius Venstad <venstad@gmail.com>2019-04-04 09:48:01 +0200
commite9d102a511dd0e5cd2109c8b05cab22b1fa81a45 (patch)
treedadc9a14811f8fcbe18cc42a01ef01dbb4dcbdd8 /controller-server
parentb53723583e186630187871011204f4dce5f54214 (diff)
More roles again
Diffstat (limited to 'controller-server')
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java11
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java22
-rw-r--r--controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/RoleMembership.java9
3 files changed, 26 insertions, 16 deletions
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java
index 6ae68f598f0..719f90b9fa4 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Policy.java
@@ -39,9 +39,14 @@ public enum Policy {
.in(SystemName.main, SystemName.cd, SystemName.dev)), // TODO SystemName.all()
/** Full access to tenant information and settings. */
- tenantWrite(Privilege.grant(Action.write())
- .on(PathGroup.tenant)
- .in(SystemName.all())),
+ tenantDelete(Privilege.grant(Action.delete)
+ .on(PathGroup.tenant)
+ .in(SystemName.all())),
+
+ /** Full access to tenant information and settings. */
+ tenantUpdate(Privilege.grant(Action.update)
+ .on(PathGroup.tenant)
+ .in(SystemName.all())),
/** Read access to tenant information and settings. */
tenantRead(Privilege.grant(Action.read)
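Review bot: The new `tenantDelete` constant is now documented by the unchanged comment above it, `/** Full access to tenant information and settings. */`, which was written for the removed `tenantWrite` and no longer describes a policy that only grants `Action.delete` on `PathGroup.tenant`; the added comment for `tenantUpdate` repeats the same text, so the two policies read as identical. Since the point of the split is that delete and update are distinct privileges, each should say which it grants, e.g. `/** Access to delete a tenant. */` on `tenantDelete` and `/** Write access to tenant information and settings, excluding deletion. */` on `tenantUpdate`. The `Policy` enum starts and ends outside the hunk.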
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java
index 09c85a7b392..75f9fa6faa2 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/Role.java
@@ -55,12 +55,23 @@ public class Role implements RoleInSystem, RoleInSystemWithTenant, RoleInSystemW
Policy.productionDeployment,
Policy.submission);
- /** Tenant admin with full access to all tenant resources, including the ability to create new applications. */
- public static final RoleInSystemWithTenant tenantAdmin = new Role(applicationAdmin,
- Policy.applicationCreate,
+ /** Application administrator with the additional ability to delete an application. */
+ public static final RoleInSystemWithTenantAndApplication applicationOwner = new Role(applicationOperator,
+ Policy.applicationDelete);
+
+ /** Tenant operator with admin access to all applications under the tenant, as well as the ability to create applications. */
+ public static final RoleInSystemWithTenant tenantOperator = new Role(applicationAdmin,
+ Policy.applicationCreate);
+
+ /** Tenant admin with full access to all tenant resources, except deleting the tenant. */
+ public static final RoleInSystemWithTenant tenantAdmin = new Role(tenantOperator,
Policy.applicationDelete,
Policy.manager,
- Policy.tenantWrite);
+ Policy.tenantUpdate);
+
+ /** Tenant admin with full access to all tenant resources. */
+ public static final RoleInSystemWithTenant tenantOwner = new Role(tenantAdmin,
+ Policy.tenantDelete);
/** Build and continuous delivery service. */ // TODO replace with buildService, when everyone is on new pipeline.
public static final RoleInSystemWithTenantAndApplication tenantPipeline = new Role(everyone,
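Review bot: The Javadoc on the new `tenantOwner` constant, `/** Tenant admin with full access to all tenant resources. */`, uses the same summary as `tenantAdmin` two definitions up, so the only difference between the two roles — `Policy.tenantDelete` — is visible in the code but not in the documentation. The `applicationOwner` comment added in the same hunk states the delta explicitly ("with the additional ability to delete an application"); `tenantOwner` should follow that pattern, e.g. `/** Tenant admin with the additional ability to delete the tenant. */`. The `Role` class starts and ends outside the hunk.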
@@ -70,8 +81,9 @@ public class Role implements RoleInSystem, RoleInSystemWithTenant, RoleInSystemW
/** Tenant administrator with full access to all child resources. */
public static final RoleInSystemWithTenant athenzTenantAdmin = new Role(everyone,
- Policy.tenantWrite,
Policy.tenantRead,
+ Policy.tenantUpdate,
+ Policy.tenantDelete,
Policy.applicationCreate,
Policy.applicationUpdate,
Policy.applicationDelete,
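Review bot: `athenzTenantAdmin` now receives `Policy.tenantDelete`, which makes it strictly broader than the `tenantAdmin` defined earlier in this file (whose comment says "except deleting the tenant"), even though both are described as a tenant administrator; the unchanged Javadoc above this list does not mention that it includes tenant deletion. Either the comment should state it, e.g. `/** Tenant administrator with full access to all child resources, including deleting the tenant. */`, or, if the intent is parity with the new hierarchy, the role should be composed from `tenantOwner` so the explicit policy list cannot drift from it; which of the two is intended is not inferable from the hunk. The policy argument list appears to continue past the last visible line of the hunk.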
diff --git a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/RoleMembership.java b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/RoleMembership.java
index d08af973450..8dc43f187e2 100644
--- a/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/RoleMembership.java
+++ b/controller-server/src/main/java/com/yahoo/vespa/hosted/controller/role/RoleMembership.java
@@ -1,18 +1,10 @@
// Copyright 2019 Oath Inc. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.vespa.hosted.controller.role;
-import com.google.common.collect.ImmutableMap;
-import com.yahoo.config.provision.ApplicationName;
-import com.yahoo.config.provision.SystemName;
-import com.yahoo.config.provision.TenantName;
-
import java.net.URI;
import java.security.Principal;
import java.util.Collections;
-import java.util.HashMap;
-import java.util.HashSet;
import java.util.Map;
-import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
@@ -73,6 +65,7 @@ public class RoleMembership { // TODO replace with Set<RoleWithContext>
public interface Resolver {
RoleMembership membership(Principal user, Optional<String> path); // TODO get rid of path.
+
}
}